Archive for November 2008
SEP11 MR3 Performance Improvements
Symantec posted some performance numbers touting the improvement of SEP11 MR3 over MR2 and even SAV 10.
The slides are posted here.
Secunia Personal Software Inspector out of beta
Secunia announced via their blog that Secunia Personal Software Inspector 1.0 is available.
Secunia PSI is installed on over 750k computers and has been in beta for more than a year.
You should be using a product like this to alert you to vulnerable third-party applications on your Windows computer.
Abrechnung
My Virus Alert folder is overflowing this morning with alerts.
One of the users got Joe-jobbed on a virus/spam run. It looks to be a German language attempt to get people to open a virus by making them think they have an unpaid bill.
One of the Subject lines is Abrechnung, although since I’m seeing bounces the subject line is usually a delivery failure message.
Cox SMTP / SSL
Cox has enabled SMTP over SSL and apparently is now allowing authenticated SMTP email from outside the Cox network.
Instructions are here.
It’s a simple matter of changing the outgoing server port to 465 and checking the Use SSL box. Additionally, you need to enable authentication for SMTP (same credentials as POP3). Even from the Cox network, you must use authentication to send on port 465.
I don’t really use the Cox email accounts for much. I primarily use my personal domains or my gmail account. While I’m not interested in sending Cox email while off network, I do like keeping the first hop of the message’s journey encrypted. It would be nice if they offered opportunistic SSL/TLS in addition to offering customers the chance to use SSL/TLS.
I wonder if they plan to implement DKIM now that Cox has provided the opportunity for customers to send email through Cox servers even when they are off network.
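A way to confirm that the first hop really is encrypted before relying on the port 465 setting, as an added example that is not from the original post: it opens an implicit-TLS connection, validates the server certificate against the local trust store, reads the SMTP greeting and checks whether the server advertises AUTH. The hostname and EHLO name are placeholders; the post does not give the Cox server name.

```powershell
# Added example (not from the original post). Connects to an SMTPS (implicit TLS)
# server on port 465, validates its certificate, and reports the negotiated
# protocol plus whether AUTH is offered. Hostname below is a PLACEHOLDER: use the
# outgoing server name from your provider's instructions.
$SmtpHost = 'smtp.example.invalid'
$SmtpPort = 465

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($SmtpHost, $SmtpPort)
    # With no validation callback supplied, SslStream enforces chain and hostname
    # validation and throws on a bad certificate, which is what we want here.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($SmtpHost)

    $reader = New-Object System.IO.StreamReader($ssl)
    $writer = New-Object System.IO.StreamWriter($ssl)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    $banner = $reader.ReadLine()          # expect "220 ..." over the encrypted channel
    $writer.WriteLine('EHLO client.example.invalid')   # placeholder client name
    $caps = @()
    # EHLO reply: continuation lines are "250-...", the final line is "250 ...".
    do { $line = $reader.ReadLine(); $caps += $line } while ($line -match '^250-')
    $writer.WriteLine('QUIT')

    [pscustomobject]@{
        Protocol    = $ssl.SslProtocol
        Cipher      = $ssl.CipherAlgorithm
        CertIssuer  = $ssl.RemoteCertificate.Issuer
        Banner      = $banner
        AuthOffered = ($caps -match '^250[ -]AUTH ').Count -gt 0
    }
}
finally { $client.Close() }
```

If the certificate check fails, AuthenticateAsClient throws before any SMTP traffic is exchanged, so a thrown AuthenticationException means the hop is not trustworthy rather than merely unencrypted.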
Installshield Updates
The vulnerability scan has been reporting vulnerabilities in the Installshield Update Service. This update service is bundled by some third party products. The first several times I looked at how to patch this all I could find was documents saying to wait for the original application that bundled Installshield Updater to update. That obviously wasn’t acceptable. At that time I didn’t even know which application put this on the system.
The first vulnerability was Macrovision InstallShield Update Service Multiple Insecure Methods, CVE-2007-5660. The vulnerability here was in the ActiveX control of the update service (isusweb.dll). I deployed ActiveX kill bits as a preventative measure, but I kept looking for a patch.
Next there was a vulnerability in InstallShield Flexnet Connect ActiveX, CVE-2008-2470.
I was able to look at the computers reporting the vulnerability and in most cases I found a database.ini file that indicated the GUID of the software package to be updated by Flexnet Connect. It appeared to be Roxio CD/DVD burning software circa 2006.
More searching revealed that Roxio has published a KB for this here with a link to a security update.
I tested out the update and it looks like with a /v"/qb" switch I can deploy this pretty easily.
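The kill-bit deployment mentioned above, as an added example that is not from the original post: it sets the ActiveX kill bit (Compatibility Flags 0x400) for a list of CLSIDs under both the native and the Wow6432Node ActiveX Compatibility keys and then verifies the result. The CLSID is a placeholder, since the post does not give the CLSID of the isusweb.dll control; take the real one from the vendor advisory.

```powershell
# Added example (not from the original post). Sets the ActiveX kill bit so that
# Internet Explorer refuses to instantiate the listed controls, which is the
# mitigation the post describes for isusweb.dll. Run from an elevated prompt.
$KillBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD

$Clsids = @(
    '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER: replace with the real CLSID
)

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both paths.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($base in $BasePaths) {
    if (-not (Test-Path $base)) { continue }   # Wow6432Node is absent on 32-bit Windows
    foreach ($clsid in $Clsids) {
        $key = Join-Path $base $clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flags already present and OR in the kill bit.
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
    }
}

# Verify: report whether the kill bit is set for every CLSID in every hive view.
foreach ($base in $BasePaths) {
    if (-not (Test-Path $base)) { continue }
    foreach ($clsid in $Clsids) {
        $flags = (Get-ItemProperty -Path (Join-Path $base $clsid) -Name 'Compatibility Flags').'Compatibility Flags'
        '{0}\{1} killbit={2}' -f $base, $clsid, (($flags -band $KillBitFlag) -ne 0)
    }
}
```

The kill bit only blocks the control inside Internet Explorer and other hosts that honour it; the vulnerable DLL stays on disk until the bundling application is updated, which is why the post keeps looking for a patch.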
AV-Comparatives Performance Test
AV-Comparatives has released a test report comparing antivirus performance during boot, file copy and file compression.
To access the report, go to av-comparatives.org, click on Comparatives, and scroll down to the Performance Test report.
I’m always disappointed that the tests focus on consumer products (although Sophos is included). I’m more interested in Symantec Endpoint Protection than Symantec Antivirus 2009. I care more about McAfee Total Protection Suite than McAfee Antivirus.
EFS and SEP11
Occasionally when I try to open EFS encrypted text files on my Windows XP PC, the files are not decrypted and appear to be corrupt. If I reboot, I’m able to access the files again. These occurrences began when I installed Symantec Endpoint Protection 11 MR2.
A review of the Symantec Forums and Knowledgebase isn’t particularly helpful. MR4 is rumored to be coming out in December; maybe that will help. Fortunately the problem is rare. I haven’t had a user report yet, though I’ve seen this a couple of times myself.
SEP11 and CPU usage on Virtual Machines
Since deploying Symantec Endpoint Protection (SEP) 11 MR2 MP1, I’ve been fielding complaints from the System Administrator that the virtual machines are running 20-30% higher in total CPU usage than before the upgrade. He says that SMC.exe, a SEP11 process, is the culprit. SMC.exe is the process for administrative communication, so it seems odd that it would be constantly using so much CPU.
I first checked the Symantec Forums (forums.symantec.com) and found some people with the same problem but no solutions.
First I found an old problem. It seems that in the initial release, when no user was logged in, SMC.exe would average 50% of the CPU. It’s my guess that this is only partially fixed. It looks to me like with MR2, when a user is logged in, CPU usage for SMC.exe is 0-10%, and with no user logged in it is 10-20%. The SA doesn’t agree with my assessment due to some spikes in SMC, but I think those spikes are explainable by definition downloads or spikes right after logging in.
People in the forums also suggested turning things off. The problem is most of those things are already off in my environment. I don’t believe in tamper protection. Proactive Threat Protection shouldn’t be installed on servers either. I did turn off location awareness which I wasn’t using anyway, and the application monitoring. I also changed the communications from push to pull and from every 5 minutes to every 60 minutes.
Nothing I changed helped. I even tried upgrading a server to MR3 to see if that would help.
Having done all I could I opened a case with Symantec. At this point, the case has been open over a week. I’ve gathered logs for them, but there hasn’t been a resolution yet.
Adobe Air Bundles Vulnerable Flash
Secunia Personal Software Inspector reported a vulnerable version of Adobe Flash on my home computer.
It detected C:\Program Files\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll as version 9.0.124. Security bulletin APSB08-20 reports this is a vulnerable version.
I installed Adobe Reader 9 last week. I guess I forgot to get the AIR-free version from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.0/enu/AdbeRdr90_en_US_Std.exe. AIR, it seems, has an old version of Flash, and I’m not quite sure how to upgrade that. Since I didn’t want AIR in the first place, I’m uninstalling it.
update 11/17/2008
Adobe has now updated AIR
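A check for the situation described above, as an added example that is not from the original post: it finds every copy of the Flash plugin DLL (NPSWF32.dll) under the Program Files trees and the Macromed\Flash directory, including copies bundled by other products such as Adobe AIR, and flags any at or below the version the post reports (9.0.124). The threshold is taken from the post; the fixed version is not on the page, so adjust it from bulletin APSB08-20.

```powershell
# Added example (not from the original post). Audits bundled copies of the Flash
# plugin DLL so that a product like AIR cannot quietly carry an old Flash.
$VulnerableUpTo = [version]'9.0.124.0'   # version the post reports as vulnerable

$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32\Macromed\Flash") |
    Where-Object { $_ -and (Test-Path $_) }   # ProgramFiles(x86) is absent on 32-bit Windows

$results = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter 'NPSWF32.dll' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # FileVersion strings may use commas or carry trailing text; normalise to a [version].
        $clean  = (($_.VersionInfo.FileVersion -replace ',', '.') -replace '[^\d.].*$', '')
        $parsed = $null
        [void][version]::TryParse($clean, [ref]$parsed)
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $parsed
            Vulnerable = ($null -ne $parsed) -and ($parsed -le $VulnerableUpTo)
        }
    }
}

$results | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
```

A copy that parses to no version at all (Version empty) deserves a manual look rather than being treated as safe.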

