Archive for April 2006

Microsoft participation in virustotal

The Microsoft Anti-Malware Engineering Team reports on their blog that they will be participating in virustotal.
For those who don’t know, virustotal.com is a way cool website where you can scan a suspicious file against around 10 vendors. This might help you see what wacky name of the week one particular vendor is using for a virus. It might also show you who doesn’t have detection available. That’s why a few AV vendors have declined to participate in virustotal. So I think it’s pretty cool that Microsoft is getting involved.

Testing HIPS

Occasionally, I just post things so I can find them again later. This is one of those things.
How do you test HIPS products?
“tool which can help you to understand how your Windows HIPS (or personal firewall, or advanced anti-virus) works.”
»slipfest.cr0.org/
Cansecwest slides:
»slipfest.cr0.org/jt-csw2006-slipfest.pdf

Tom Davis Predicts cyber Pearl Harbor

FCM reports that Congressman Tom Davis of Northern Virginia predicted a “cyber Pearl Harbor” in a future attack on the federal government. He said that such an attack could cause deaths or financial breakdown.
“FISMA is still viewed by some federal agencies as a paperwork exercise” Davis said at a congressional hearing in March, when the committee released the grades. “But these are shortsighted observations.”
His goal in propping up FISMA is laudable. Computer security in the Federal government is lacking. However, Tom should really think twice about patterning his public speech after Richard Clarke and Chuck Schumer. Is it leadership to say these things? Or is it just a quick way to get public attention?

I just can’t escape Redmond Mag

I’ve commented before that I think Redmond Magazine is too anti-Microsoft for my tastes. Perhaps I’m just bitter over the demise of MCP Magazine. Or perhaps I drink the Microsoft Kool-Aid daily. So I’ve ignored the renewal notices from Redmond Mag. When they have called me at the office to do the renewal over the phone, I’ve declined and said “please let my subscription expire.”
These people don’t get the message.
They called for the third time today. I decided that perhaps it would be easier to verify my info and continue to receive the magazine. The young woman sounded like she spoke English as a U.S. citizen would, but she didn’t know what “VA” meant as a state abbreviation. She could not pronounce “Orchard,” which is all too common. She asked me what day I was born and then offered 1-30 as possible examples. It was a serious butchering of my name and all of my contact information. What was really odd was asking me to spell things that had to have been on the sheet in front of her.
It was very odd. I just can’t escape Redmond Magazine.

Update: Kaspersky False Positive

I’m seeing some Word documents being detected by the Kaspersky scan engine as Trojan-Dropper.MSWord.Lafool.g. I don’t see a writeup of that on the Kaspersky site. The latest Lafool variant currently written up is “f”. None of the variants actually have much, if any, information in the writeup. Looks like I need to figure out how to submit this to support.
Update: I checked the Kaspersky forums and found other people noting the same problem.
To report things like this to Kaspersky, send the files in a password-protected archive to “newvirus at kaspersky dot com” and write in the subject “possible false positives”.
I found that they already had new virus definitions available that rectified the problem. I’ve downloaded them and tested the result.

Symantec Scan Engine Bugs

I hate it when I see something and my reaction is :meh: so I don’t blog about it, but then a day later it gets blogged by others. I see the ISC has picked up the news that the Symantec Scan Engine has a couple of vulnerabilities. This has nothing to do with the corporate or consumer product that you use on your desktop. Rather, it is a server that you might use with the ICAP protocol to scan traffic, such as HTTP.
Symantec’s writeup is here. Rapid7 discovered these vulnerabilities and has a writeup on their site as well.

Vundo Trojan embeds in Security Software

George Ou on Firefox Media Bias

This week we had an object lesson in tech media bias. When Firefox has a boatload of security patches, they are making their browser more secure than ever in a special new release. When Microsoft releases a boatload of patches for Internet Explorer, it’s a security disaster for a troubled product.
Check out George Ou’s comments over at ZDNet.
http://blogs.zdnet.com/Ou/?p=192

Infoexpress Cyberarmor woes

We’ve been having some trouble with Infoexpress Cyberarmor. It started last December when against my better judgment, I deployed a “fix” for Cyberarmor that was supposed to resolve a bad interaction with PGP on Windows XP that would cause every application to crash.
For a while all seemed fine. But slowly I began to receive reports of systems without the PGP fix having application errors. Soon, I experienced the problem on my own computer, a dual-core Dell GX620 tower. I’ve had this sort of experience before where the problem can be traced to a conflicting application. So, working with support, I spent three solid days uninstalling application after application. The problem continued to occur. Every single application crashed. I tried disabling Windows Data Execution Prevention. Nothing worked.
I took the same computer and loaded our leasing company’s ghost image (we don’t normally use this). It had no problems. I followed our ghost load creation checklist and installed everything (including drivers) that would normally go on a computer. It didn’t have a problem. Next I restored our original ghost image that does have the problem and used msconfig to prevent everything from loading. It still had the problem. I was at the end of my rope. I found that if I went into pcarm.ini and disabled the PGP fix, everything worked fine.
I would really like to find out specifically what application is conflicting, but I’ve already spent a lot of time on this. I think I’m going to disable the PGP fix since only 5 users actually have PGP installed.

It takes too long to patch

In a recent email from Kaspersky, the newsletter writer said it takes too long to patch:

The study shows that 19% of companies take more than a week to patch vulnerabilities, while 27% take at least two days. Overall, nearly half of those questioned claimed their computer systems were never completely protected. Interestingly, there was considerable variation in response speed between countries. France was the slowest with 66% taking at least two days to patch, while only 22% took that long in Spain.

I don’t know about anyone else, but I’d throw a freakin’ party if I got my company patched in two days. Try two months. Even then we’re talking about the Microsoft operating system only. Not the frequent patches for both supported and unsupported applications: Winamp, Flash, Firefox, Java, Real Player, Adobe, WinZip and Office.
Upset about not getting patched routinely within two days of the patch being released? I can’t even imagine.