Archive for September 2005

Serenity Now

Have you ever been handed a wrapped present and told you couldn't open it until Christmas? That's how I felt waiting for the movie Serenity. After waiting a year for this movie, movie executives pushed it back further to September 30 to avoid going head to head with Star Wars and The Hitchhiker's Guide to the Galaxy. More waiting. During the wait, I was teased by several preview showings in DC, but word of these showings always spread slower than the tickets sold. So again I was forced to wait.
Today was finally the day I got to see the movie I've waited so long for. And it was worth it. The movie Serenity is based on characters from the short-lived Fox TV series Firefly. During the series, I grew to love these characters. After watching the movie, I would say that it is accessible to those who have not seen the series as well. Great flick. Go see it. Then go see it again. :)

I.T. Without Compromise

I just watched a Network World webcast titled “IT without Compromise.”
The webcast addressed some of the things I've been thinking about recently. As security complexity increases, as we try to do more on the wire, the cost of piecemeal security solutions goes up. It costs money to protect SMTP, HTTP, and IM separately, and these perimeter solutions don't protect the mobile workforce.
What is needed is an asset-oriented approach instead of a threat-oriented one. Rather than buying into protection against whatever threat the trade magazines are warning about this month, you need to look at what actually needs to be protected. Where are your business assets? Then you can look at what threats exist against those assets, what you already have in place to protect them, and what will happen to the business if those assets are hit. That is a business impact analysis. It is an ongoing exercise, because your assets change, threats change, and best practices change.
Security needs to be more holistic. Instead of selling fear, it should be approached as a business enabler. Rather than being centered on threats and technology, security needs to be centered on assets and the business.

SAV Defwatch Scan

I was wondering why Symantec AntiVirus Corporate Edition version 10 was showing 400 files scanned during a Defwatch scan. This isn't the scheduled scan. In the past, a Defwatch scan only scanned the files in quarantine, and it did not show up in the Scan History at all.
I found a KB article that explains this:

After you update virus definitions, a Defwatch scan runs. In the Scan Histories view, the “Total files” column for the Defwatch scan entry shows a number of files that is more than the number of files in quarantine.
Solution:
This behavior is expected. In Symantec AntiVirus Corporate Edition 9.x or earlier, a Defwatch scan only scans the files that are in quarantine. In Symantec AntiVirus 10.x, the Defwatch scan also runs a Quick Scan. The Quick Scan scans any program files that are loaded into memory and common virus and security risk loading points.

Another nice improvement in SAV 10.

It's all about the password

I hear that on the DVD for the first season of the U.S. version of The Office there is a password scene among the deleted scenes.
edit – I just found the scene on the NBC website.
Dwight – Good... excellent. And file sharing off and done... Security software, 128-bit encryption, firewalls. Get up, I'll install it on your computer.
Jim – No thanks.
Dwight – Stupid. Identity theft happens all the time. I could become you, like that. But no one can become me.
Jim – No one wants to be you, Dwight.
Dwight – Not true. And if they did, they couldn't, because I'm password protected.
Jim – Is your password “Frodo”?
Dwight – No... (he starts typing really fast on his computer)
Another short pause...
Jim – Did you just change your password to “Gollum”?
Dwight – No.
(more typing...)

More on mc21.tmp and mc22.tmp

A lot of people are coming to this site looking for help with Symantec AntiVirus Backdoor.Graybird detections on mc21.tmp or mc22.tmp. My post about my experience last Friday has been picked up by Google. Unfortunately, they are linking to my main page instead of the article itself, and that post is about to fall off the front page. (To be fair, blogsearch.google.com does have the correct link.)
I have continued to see a few new detections of this at work. I need to check whether those systems are up to date on their virus definitions. If they do have the definitions in which this false positive is supposedly fixed, then there is still an issue.
By popular demand, I'm posting the email Symantec sent out last week. It is my belief that this information is considered public and not under any NDA. In other words, Symantec, please do not sue.
—–Original Message—–
> From: symalert@symantec.com [mailto:symalert@symantec.com]
> Sent: Friday, September 16, 2005 4:49 PM
> To: Me
> Subject: Unscheduled LiveUpdate definitions to be published in response to a FP
>
> Symantec Security Response will post LiveUpdate virus definitions today, September 16, 2005.
>
> This posting is to correct a false positive with Backdoor.Graybird detections.
>
> An additional message will be sent approximately 30 minutes before the LiveUpdate virus definitions are available for download.
>
> ———-
> For additional information, visit our website at
> http://securityresponse.symantec.com

“Cell Phone Virus Threat Exaggerated,” says Graham Cluley of Sophos

We’ll hear about this again, I think

Earthlink won a lawsuit brought by a bank that had been incorrectly identified as a suspicious site by Earthlink's anti-phishing filter.

US District Judge John Shabaz last week ruled that Earthlink was not liable for using data from a third party because of provisions in the 1996 Telecommunications Act. “Because the evidence indicates the information came from another provider, defendant cannot be held liable for the republication of the statements,” he wrote.

With Microsoft adding an anti-phishing toolbar to IE7, I suspect we'll see similar lawsuits against them.

Symantec Daily LiveUpdate

Back in February, I wrote that Symantec Platinum customers were going to get access to a “LiveUpdate Plus” server which would offer daily LiveUpdates.
Earlier this week Symantec announced that LiveUpdate will now update on a daily basis on the “normal” LiveUpdate servers beginning September 24th. The catch is that these daily updates will be for SAV 10 clients only. I see this as good news that can only help mobile corporate clients that may not be able to get the VDTM (Virus Definition Transport Method) update on a frequent basis.
I want to push SAV 10 out so I can take advantage of this. But it's worth noting that there are still advantages to VDTM: you can set the client check-in frequency to more often than daily, and the updates are smaller.
Updating more often. When what you are doing isn't working, doing it faster probably isn't going to help. If faster virus definitions are the solution, Symantec still has a ways to go: F-Secure had a record 11 updates in one day this week. Whatever happened to the Digital Immune System Symantec promised? Soon the virus definitions will come so often that we'll just have a continuous update. An IV of virus definition files.

Common Malware Initiative

The long-talked-about Common Malware Enumeration (CME) initiative is set to get off the ground next month. It will be run by the MITRE Corporation (which also runs the CVE list). The purpose of this database is to make it easier for the media to hype up virus incidents and to help buttress the stock of antivirus companies.
It just gets so confusing when you don't know whether your Bagle.AC is someone else's Bagle.AF. And this will solve all our problems. Yeah, right.
While I am all for a more understandable virus incident report at the end of the month, does this really improve security? Personally, I just want the viruses stopped. I don't care what you call them. Perhaps that is the innovation antivirus companies should be focusing on.
edit – Posting this from Firefox. Apparently the version I'm running doesn't have a spell checker like Internet Explorer. I need to upgrade my Firefox; the version I have is really vulnerable. I hear the later versions of Firefox should have a spell checker built in. So pardon the misspellings. I'll try to get back later and run a spell check.

AOL bundles CA Spysweeper

Back in August I wrote about the purchase of Aluria by Earthlink. I speculated that it might end Aluria's relationship with AOL.
Well, the other shoe has finally dropped. AOL has announced that AOL Spyware Protection 2.0 will be using Computer Associates' Spysweeper product. And AOL just couldn't resist taking some potshots at Aluria, suggesting they couldn't be trusted to categorize spyware, that they don't have a large anti-spyware database, that they don't update often enough, that they don't offer real-time protection, and that their scans take forever. Funny, AOL wasn't singing that tune when they went with Aluria, a previously unheard-of company from Maitland, Florida.
I've only evaluated the enterprise version of the Spysweeper product. It was OK back in June 2004, but now it is not performing well in recent bake-offs.