Archive for August 2005

Webroot 2.5 update part 2

I called support yesterday to check in on any possible interactions between Symantec Antivirus Corporate Edition version 10 and Webroot Spysweeper Enterprise. SAV 10 now has realtime spyware protections and I wanted to see if there would be any issues. Symantec warns about using the antispyware parts with other realtime antispyware programs. Support says there should be no issues. Just make sure you don't have the install block turned on when you try to upgrade (duh). Also they say I might want to have SAV exclude the Webroot directories for performance reasons.
I also asked them when Webroot 2.5 will be available for existing customers. The support tech reports that it will be available after Labor Day. So I can push Webroot down my list of things to do until next week.

Microsoft Phishing Filter Update

The IE Blog has a post today addressing some of the concerns about the IE phishing filter. I was looking for my previous entry to link back to, but I don't see it.
There is also a whitepaper over at MSDN with some tips for site owners. Interesting that they advise people to prevent cross site scripting.

I’m a little nervous

Brian Tucker’s last post to his blog was that he was about to deploy roughly 8000 clients with ITMU.
What happened with his install? We have not heard from him since :o !

Passwords and Careless Users

A story from Network Security: Private Communication in a Public World by Kaufman, Perlman and Speciner.

At a lecture on computer security, a professor asked, “Are there any advantages of passwords over biometric devices?” A helpful student replied “When you want to let someone use your account, with a password you just give it to them, while with a biometric device you have to go with them until they are logged in.” This is the sort of remark that sends chills down the back of security administrators and makes them think of their users as adversaries rather than the customers they are trying to protect.
Security people need to remember that most people regard security as a nuisance rather than as needed protection, and left to their own devices they often carelessly give up the security that someone worked so hard to provide. The solution is to educate users on the importance of security, helping them to understand the reasons for the procedures they are asked to follow and making those procedures sufficiently tolerable that they don’t develop contempt for the process.

McAfee to resell Postini service

http://news.com.com/McAfee+to+sell+Postini+e-mail+security+service/2110-7355_3-5844325.html?part=rss&tag=5844325&subj=news
I’d be interested in seeing who owns what percentage of the outsourced email security $$$. McAfee reselling Postini is validation of outsourced email scanning.

Faces you’ll meet at the next MMS

WMI and Patch Management

It seems like the new patch management platform used by the ITMU stores the patch information in WMI. This certainly speeds up the scanning for necessary updates, but I can't help but wonder if this will lead to security problems down the road.
When the Windows Security Center came out in XP, it was quickly discovered that you could spoof antivirus and the firewall by changing the information stored in WMI. Microsoft responded that WMI is protected by an ACL so that only the local Administrator can modify it, and further, if an attacker has local administrator rights, then you have bigger problems than WMI. I say, why help the attacker remain undiscovered and unfettered?
Does the local administrator need to be able to change those settings? Is there a way to do this so that only the scan tool can update WMI? I just fear a worm that disables the antivirus and the personal firewall, and spoofs WMI so the user thinks they are protected. Not only that, the patch info could be spoofed so that not only does the user think they are patched, but Windows Update and SMS agree. Will Windows Update still check the registry entry and the file versions? It sounds like ITMU trusts completely in WMI.
My officemate pointed out that it's even worse than this. Software will have vulnerabilities. What happens when someone is able to hack WMI to modify this info without local administrator rights?
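The practical answer to "WMI can be lied to" is to never let the WMI claim be the only evidence. The following script is an added example written for this page, not code from the original post or from Microsoft: it reads what Security Center reports about each registered antivirus product and then checks that claim against facts WMI does not control, namely whether the registered executable exists on disk, whether it carries a valid Authenticode signature, and whether a process with that image name is actually running. It assumes Windows 7 or later (the root\SecurityCenter2 namespace; XP's Security Center used root\SecurityCenter with different property names) and it assumes the common, undocumented decoding of the productState value, which should be treated as a heuristic.

```powershell
# Added example: cross-check Security Center's WMI claims against host evidence.
# Assumes Windows 7+ (root\SecurityCenter2). Run from an elevated prompt.

function Get-AvStateFromWmi {
    # Security Center registers each AV product with a productState DWORD.
    # Decoding assumption (widely used, not documented by Microsoft):
    #   hex digits 3-4 == '10' -> real-time protection enabled
    #   hex digits 5-6 == '00' -> signatures up to date
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:x6}' -f [uint32]$_.productState
            [pscustomobject]@{
                Name        = $_.displayName
                Exe         = $_.pathToSignedProductExe
                WmiEnabled  = ($hex.Substring(2, 2) -eq '10')
                WmiUpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
}

function Test-AvClaim {
    param([Parameter(Mandatory)] $Claim)

    # Evidence 1: the registered binary exists and has a valid Authenticode signature.
    # (Some products register a URI such as windowsdefender:// rather than a path;
    # those simply fail the file checks and show up as needing manual review.)
    $exeExists = $false
    if ($Claim.Exe) {
        $exeExists = Test-Path -LiteralPath $Claim.Exe -PathType Leaf -ErrorAction SilentlyContinue
    }
    $sigStatus = 'Missing'
    if ($exeExists) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $Claim.Exe).Status
    }

    # Evidence 2: a process with that image name is actually running right now.
    $running = $false
    if ($exeExists) {
        $imageName = [IO.Path]::GetFileNameWithoutExtension($Claim.Exe)
        if ($imageName) {
            $running = [bool](Get-Process -Name $imageName -ErrorAction SilentlyContinue)
        }
    }

    [pscustomobject]@{
        Name        = $Claim.Name
        WmiEnabled  = $Claim.WmiEnabled
        WmiUpToDate = $Claim.WmiUpToDate
        ExeSigned   = ($sigStatus -eq 'Valid')
        Running     = $running
        # The signal is disagreement: WMI says "protected" but the host shows no
        # signed binary and no running process behind that claim.
        Suspicious  = ($Claim.WmiEnabled -and -not ($exeExists -and $running))
    }
}

Get-AvStateFromWmi | ForEach-Object { Test-AvClaim -Claim $_ } | Format-Table -AutoSize
```

A row with WmiEnabled true but ExeSigned or Running false is exactly the case the post worries about: the console is being told "protected" by a data store that an administrator-level process can rewrite, while nothing on the host backs it up. The same pattern applies to patch state: whatever the scan tool writes into WMI, an independent check of file versions on disk is the evidence that survives a spoof.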

Exploit targeting Firefox in circulation?

There is a thread over at Broadband Reports saying that an exploit targeting earlier versions of Firefox is being served up by ad banners seen on sites like theonion.com.

rechnung.pdf.exe

I’m seeing some files named rechnung.pdf.exe detected as Troj/Downloader.gen!5564. It's probably the typical spammed virus that often occurs on weekends.

SPIM Prevention

SPIM (Spam over IM) prevention techniques from the IMLogic threat center: set your client to not accept messages from people not on your buddy list. The steps for each IM client to stop messages from anonymous users are:

AOL IM (v5.9.3690)
    Sign in
    Click “My AIM” > “Edit Options” > “Edit Preferences”
    Click “Privacy” in the left-hand column
    Click “Allow only users on my Buddy List” under the “Who can contact me” heading

ICQ Lite (v4.1)
    Sign in
    Click “Main” > “Preferences and Security”
    Click “Spam Control” in the left-hand column
    Check “Accept messages only from users on my Contact List”
    Ensure both options under “Not in List Messages” are checked
    Check “Do not accept World Wide Pager Messages”
    Check “Do not accept Email Express Messages”

ICQ Pro (v2003b)
    Sign in
    Click “Main” > “Security and Privacy Permissions”
    Click “Communication Events”
    Select the yellow check mark for each line item (be sure to scroll)

MSN Messenger (6.2.0137)
    Sign in
    Click “Tools” > “Options”
    Click on the Privacy tab
    Check “Only people on my Allow List can see my status and send me messages”
    Ensure “Alert me when other people add me to their contact lists” is checked

Windows Messenger (v4.7.3000)
    Sign in
    Click “Tools” > “Options”
    Click on the Privacy tab
    Ensure “Alert me when other people add me to their contact lists” is checked

Yahoo! Messenger (v6.0.0.750)
    Sign in
    Click “Messenger” > “Preferences”
    Click “Ignore List” in the left-hand column
    Click “Ignore anyone who is not on my Messenger List.”