Recently in Antivirus Category

AV-Comparatives has posted a review of corporate products at http://www.av-comparatives.org/comparativesreviews/corporate-reviews. This test includes AVIRA, ESET, GDATA, Kaspersky, Sophos, Symantec and Trustport. There is no mention of McAfee or Trend Micro, which I believe would both be in the top three deployed corporate endpoint protection solutions.

The report includes a detailed table comparing the available features of the products. For the most part it does not focus on detection rates, although it does report on spam detection rates. Personally I think spam filtering belongs at the enterprise gateway, not at the desktop.

As a Symantec Endpoint Protection admin, I loved one of the conclusions of the report, "The Symantec suite is, by far, the most mature and professional product tested by us."

Symantec has released SEP 11 MR4 MP2.

Release notes here.

Instructions on migrating are here.

The incremental update files to update clients aren't posted to the downloads section of the support KB as of this posting. However, I did find them over on the ftp site. I didn't see an update file to get from MR2 MP1 to MR4 MP2, so I had to update to MR4 and then update again.

There is a fix in this version for a case I've had open for over five months: SMC.exe CPU utilization when no one is logged in, particularly on virtual servers.

This morning Kaspersky is detecting Downloader.JS.Iframe.aqo in csshover.htc on a few different websites.

Seems to be a false positive.

Virustotal shows the following:

File csshover.htc received on 04.09.2009 17:40:35 (CET)

Antivirus           Version          Last Update   Result
a-squared           4.0.0.101        2009.04.09    -
AhnLab-V3           5.0.0.2          2009.04.09    -
AntiVir             7.9.0.138        2009.04.09    -
Antiy-AVL           2.0.3.1          2009.04.09    -
Authentium          5.1.2.4          2009.04.08    -
Avast               4.8.1335.0       2009.04.09    -
AVG                 8.5.0.285        2009.04.09    -
BitDefender         7.2              2009.04.09    -
CAT-QuickHeal       10.00            2009.04.09    -
ClamAV              0.94.1           2009.04.09    -
Comodo              1107             2009.04.09    -
DrWeb               4.44.0.09170     2009.04.09    -
eSafe               7.0.17.0         2009.04.07    -
eTrust-Vet          31.6.6447        2009.04.09    -
F-Prot              4.4.4.56         2009.04.08    -
F-Secure            8.0.14470.0      2009.04.09    Trojan-Downloader.JS.Iframe.aqo
Fortinet            3.117.0.0        2009.04.09    -
GData               19               2009.04.09    -
Ikarus              T3.1.1.49.0      2009.04.09    -
K7AntiVirus         7.10.697         2009.04.08    -
Kaspersky           7.0.0.125        2009.04.09    Trojan-Downloader.JS.Iframe.aqo
McAfee              5578             2009.04.08    -
McAfee+Artemis      5578             2009.04.08    -
McAfee-GW-Edition   6.7.6            2009.04.09    -
Microsoft           1.4502           2009.04.09    -
NOD32               3997             2009.04.09    -
Norman              6.00.06          2009.04.09    -
nProtect            2009.1.8.0       2009.04.09    -
Panda               10.0.0.14        2009.04.09    -
PCTools             4.4.2.0          2009.04.08    -
Prevx1              V2               2009.04.09    -
Rising              21.24.32.00      2009.04.09    -
Sophos              4.40.0           2009.04.09    -
Sunbelt             3.2.1858.2       2009.04.09    -
Symantec            1.4.4.12         2009.04.09    -
TheHacker           6.3.4.0.305      2009.04.09    -
TrendMicro          8.700.0.1004     2009.04.09    -
VBA32               3.12.10.2        2009.04.09    -
ViRobot             2009.4.7.1686    2009.04.09    -
VirusBuster         4.6.5.0          2009.04.09    -

Additional information
File size: 4314 bytes
MD5...: 4d50942ad963dd3d0cde4fe42ae1157b
SHA1..: ddb47d9f8d783f8ff1b79527b65ee7e6ac53a359
SHA256: afb97a5d637531616f85cffcd11dd68e7b85f2b5aa01b51b7959dbf2fcf8704c
SHA512: c829e90f6a3669320aec4bb489fb91aa39ed17a85f1584156b5eb8fc32c26b4d610ede9a8060ce5a82b945930796c7033c55a8e48e7c13a4a179d2aa41b459c0
ssdeep: 96:D+5yu5ugQhnmLzuAX6mLJ3FFD6wB5XhY/l1yYmLXiuiXqwCDGqh:Dju5ugQOFzLJ3FF5B5S/l1B8XiuiXtCP
PEiD..: -
TrID..: File type identification
        Unknown!
PEInfo: -
RDS...: NSRL Reference Data Set
        -

UPDATE: This afternoon, I reported the false positive to Kaspersky via a webform. I heard back pretty quickly that this was fixed in the latest defs. Also note Ryan's entry in the comments.

My problem was compounded a bit because the BlueCoat had cached the "infected" status, so I needed to clear that from its cache before csshover.htc could be served.

Virus Alerts and SEP 11 MR4

| 3 Comments | No TrackBacks

Since upgrading from SEP11 MR2 to MR4, my virus alert email to admins no longer works.

As a side note, SEP11 has never allowed me to include the path and file name in the virus notifications. They did allow that in SAV10 and earlier. This is a big step back.

Before the upgrade, the email was sent as system@servername. I believe my mailserver was helpfully making the servername fully qualified. The mail had no issues.

Since upgrading, the notifications are no longer getting through. According to the Symantec Knowledgebase, they did this on purpose.

As of SEP 11.0 Maintenance Release 3 (MR 3), a ".com" suffix has been addred (sic) to the "From:" address used by SEPM (SYSTEM@computer_name.com) which should help reduce rejections by the mail server.

Help reduce rejections? Help reduce rejections! How does sending mail as system@servername.com help? That is guaranteed to be rejected by anyone who verifies the sender is a valid domain name.

I've opened a case with support asking for them to fix this.

Symantec does not allow you to configure your own sender address in SEP11. They suggest you lower the security posture of your mail server by accepting email regardless of how invalid the From address is. Validating the envelope-from domain is a common, easy antispam technique. I don't want to change it.

Looks like I need to add %Server_Name%.com to my internal DNS as a temporary workaround.
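The rejection described above, as an added example that is not part of the original post (the host names, the zone table and the function names are constructed): a minimal envelope-sender domain check of the kind a domain-verifying mail server performs, applied to the three states the post describes, the pre-MR3 bare host name that the mail server qualifies with its own domain, the post-MR3 SYSTEM@computer_name.com that resolves nowhere, and the internal DNS workaround.

```python
"""Envelope-sender domain validation (added example, not the post's code
nor any mail server's). Models: reject mail whose From domain does not
resolve. Host names and the DNS zone below are constructed."""
import re
import socket
from typing import Callable, Optional, Set, Tuple

# local-part@domain; the domain must be a plain DNS name (no literals, no spaces)
ADDRESS_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)$")


def live_lookup(domain: str) -> bool:
    """Resolver against real DNS: True if the name has an A/AAAA record.
    An MTA checks MX first and falls back to A; the standard library cannot
    query MX, so this covers only the fallback."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def make_lookup(known_names: Set[str]) -> Callable[[str], bool]:
    """Resolver against a constructed internal zone, so the example runs offline."""
    names = {n.lower() for n in known_names}
    return lambda domain: domain.lower() in names


def check_sender(address: str,
                 lookup: Callable[[str], bool] = live_lookup,
                 local_domain: Optional[str] = None) -> Tuple[bool, str]:
    """Accept or reject an envelope sender the way a domain-verifying MTA would.

    local_domain models the mail server that "helpfully" qualified a bare
    host name (system@servername) with its own domain before SEP MR3.
    """
    match = ADDRESS_RE.match(address.strip())
    if not match:
        return False, "malformed sender address"
    domain = match.group(1).lower()
    if "." not in domain:
        if not local_domain:
            return False, f"unqualified sender domain '{domain}'"
        domain = f"{domain}.{local_domain.lower()}"
    if not lookup(domain):
        return False, f"sender domain '{domain}' does not resolve"
    return True, f"sender domain '{domain}' resolves"


# Constructed internal zone: the SEPM host is sepm01.example.com.
INTERNAL_ZONE = {"example.com", "mail.example.com", "sepm01.example.com"}


def demo() -> Tuple[bool, bool, bool]:
    """Returns (accepted before MR3, accepted after MR3, accepted with workaround)."""
    resolver = make_lookup(INTERNAL_ZONE)
    before = check_sender("system@sepm01", resolver, local_domain="example.com")
    after = check_sender("SYSTEM@sepm01.com", resolver, local_domain="example.com")
    # Workaround from the post: add %Server_Name%.com to internal DNS.
    patched = make_lookup(INTERNAL_ZONE | {"sepm01.com"})
    workaround = check_sender("SYSTEM@sepm01.com", patched, local_domain="example.com")
    return before[0], after[0], workaround[0]


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

`live_lookup` only answers the A/AAAA fallback; a production MTA tries the MX record first, so a host name with no MX and no A record, which is what `computer_name.com` is on most networks, fails exactly as the post says.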

Another "improvement" in MR4.

UPDATE 2/17/09
See the comments; there is a way to do this after all. I've asked Symantec to update the KB I referenced.

SEP 11 MR4 Upgrade

| No Comments | No TrackBacks

I upgraded my production Symantec Endpoint Protection 11 environment from Maintenance Release 2 to Maintenance Release (MR) 4. SEP 11 MR4 MP1 has been announced but it wasn't available on Fileconnect yet. I also didn't want to postpone my upgrade and install MR4 MP1 in the test environment.

My upgrade to MR4 was smooth in the test environment. Of course the production upgrade was less than smooth.

I stopped the SEPM service as directed in the upgrade instructions, but the micro def builder processes continued. This locked files, and the upgrade didn't handle that condition correctly (force retry or replace files on reboot). The SEPM console couldn't open after the upgrade and the recommended fix is to Repair the install in Add/Remove Programs.

After Repairing the install, I was able to log in successfully to SEPM but my clients were no longer checking in.

After fiddling around a bit, we found that the port used by clients had been changed. If you do an upgrade it keeps the port on 80, but the Repair caused the port to be changed to something else. So all my existing clients were trying to connect on a port that was no longer being listened on.

Symantec has a knowledgebase article on changing the port, so I followed those instructions to change the listening port back to 80.

So a couple of things to watch out for:
1) kill the def builder processes when performing an upgrade.
2) the Repair option is potentially a problem.
3) if after an upgrade your clients aren't checking in, go into IIS and see what port you're listening on. If it's the wrong port, check the Symantec KB for exact instructions on fixing it.

Shmoocon 2009 Day 1

| No Comments | No TrackBacks

The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I'm not trying to necessarily reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.

Opening Remarks
by Bruce Potter

People are getting owned a lot.
Trends


  • Increased success in getting past our defenses

  • Increasingly malicious motivations. The bad guys aren't after web defacements

  • In spite of the above, we haven't changed our methods. It's a lot of the same

  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line...in depth

Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren't just the risky underbelly of the web. It was every category of website. I don't think that is surprising to anyone who has paid attention to security.

These findings were published last year in USENIX.

The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.

So What do you do?
NAC? Most people don't have that deployed even if they've bought it.
Firewall Internally?
Token authentication?
Change jobs?

Digging ourselves out
As with most security talks and papers I felt like a solution wasn't really there. Fixing fundamental problems. I'm not sure if Bruce defined this. If he means teach everyone to code securely, then burn to the ground existing software and start over. Well, keep waiting for that.



The other talks on day one were quick 25 minute talks, I didn't always have notes.

Open Vulture - Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O'Toole and Matt David

I didn't take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.

Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you'll have problems with PVC tubing not being rated for the PSI.

The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.

The bad guys lost their command and control of the botnet when McColo was taken down. The good guys figured out how the botnet was selecting the hostname/domain name used in the backup. (The exact math of that is probably available at blog.fireeye.com or look for the slides when available on the Shmoocon website). By registering those domain names they prevented the bad guys from regaining control.

Under U.S. law they felt they could not send out an "uninstall" command to the botnet army. It would also be risky since the botnet is in the kernel and you could potentially BSOD the clients.

No one asked about the return of spam that has been reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP had brought the bad guys' ASN back online briefly, allowing them to regain control.

Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.

Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.

I found the talk interesting. When you're doing manual static analysis of files, this could come in handy.

Decoding the Smartkey
by Shane Lawson

Kwikset SmartKey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bump keying. Here is a video from Kwikset on how to rekey.

Unfortunately, as this talk demonstrates, because of the technology used to allow rekeying it is possible to determine the key heights, compromising the lock.

SEP11 MR4 release notes have been posted here.

I suspect this is now available on the platinum site. I've been told by our sales guy that we should have access to that, but all I can ever get to is Fileconnect. Rumor is January 6th for Fileconnect. I'm more interested in the msp update files than the full CD for a full SEPM install. I don't see those on the KB or via FTP right now.

Here's one fix that I'm waiting for.

Wireless connections at 104Mb/second do not register with Location Awareness as Wireless connections.
Fix ID: 1441489
Symptom: Auto Location Awareness does not work when using 104Mbps wireless network.
Solution: Added 130Mbps/117Mbps to the list that detects when the wireless speed is not stable.

That information would have been helpful to me last week. I wasted quite a bit of time troubleshooting a user's problems with 802.11n.

I think I have more issues with smc.exe than rtvscan.exe. However every lowered amount of CPU helps.
Constant 5% Rtvscan CPU usage.
Fix ID: 1389006
Symptom: Constant 5% Rtvscan CPU usage seen from Process Explorer or Task Manager.
Solution: Changed to cache the state of Auto-Protect, thus reducing excessive calls which gather state information. The state is now updated once on startup, on change notification from Auto-Protect, and occasionally on the main timer, eliminating this issue.

There is a local denial of service vulnerability in the SPBBCDRV.SYS Device Driver.

http://securityresponse.symantec.com/avcenter/security/Content/2008.12.12.html

Symantec Endpoint Protection is not affected.

Symantec posted some performance numbers touting the improvement of SEP11 MR3 over MR2 and even SAV 10.

The slides are posted here.

I rescued an old comment from Akismet (the spam filter I'm using on the blog) because it asked an interesting question: how can Symantec's acquisition of MessageLabs improve their desktop antivirus?

My first reaction to this is that MessageLabs Antivirus can't be duplicated at the desktop. They use multiple antivirus engines in addition to their own Skeptic engine - a collection of heuristic detections. Multiple scan engines work on gateway servers, and Microsoft Antigen/Forefront/whatever uses multiple engines on Sharepoint. But at the desktop performance is needed. Also don't quote me on this, but I thought I'd read that the Skeptic database has a huge ruleset. That also doesn't lend itself well to desktop performance.

Multiple antivirus vendors are now looking at implementing antivirus in the cloud. In this model, new/unknown files are sent to the cloud for analysis. Skeptic would fit in well in Symantec's implementation of that model.

Abrechnung

| 1 Comment | No TrackBacks

My Virus Alert folder is overflowing this morning with alerts.

One of the users got Joe-jobbed on a virus/spam run. It looks to be a German language attempt to get people to open a virus by making them think they have an unpaid bill.

One of the Subject lines is Abrechnung. Although since I'm seeing bounces, the subject line is usually a delivery failure message.

AV-Comparatives Performance Test

| No Comments | No TrackBacks

AV-Comparatives has released a test report comparing antivirus performance during boot, file copy and file compression.

To access the report, go to av-comparatives.org, click on Comparatives, and scroll down to the Performance Test report.

I'm always disappointed that the tests focus on consumer products (although Sophos is included). I'm more interested in Symantec Endpoint Protection than Symantec Antivirus 2009. I care more about McAfee Total Protection Suite than McAfee Antivirus.

EFS and SEP11

| No Comments | No TrackBacks

Occasionally when I try to open EFS encrypted text files on my Windows XP PC, the files are not decrypted and appear to be corrupt. If I reboot, I'm able to access the files again. These occurrences began when I installed Symantec Endpoint Protection 11 MR2.

A review of the Symantec Forums and Knowledgebase isn't particularly helpful. MR4 is rumored to be coming out in December; maybe that will help. Fortunately the problem is rare. I haven't had a user report it yet, though I've seen this a couple of times myself.

Since deploying Symantec Endpoint Protection (SEP) 11 MR2 MP1, I've been fielding complaints from the System Administrator that the virtual machines are running 20-30% higher in total CPU usage than before the upgrade. He says that SMC.exe, a SEP11 process, is the culprit. SMC.exe is the process for administrative communication, so it seems odd that it would be constantly using so much CPU.

I first checked the Symantec Forums (forums.symantec.com) and found some people with the same problem but no solutions.
First I found an old problem. It seems that in the initial release, when no user is logged in SMC.exe would average 50% of the CPU. It's my guess that this is only partially fixed. It looks to me like with MR2, when a user is logged in CPU usage for SMC.exe is 0-10%, and with no user logged in it is 10-20%. The SA doesn't agree with my assessment due to some spikes in SMC, but I think those spikes are explainable by definition downloads or spikes right after logging in.

People in the forums also suggested turning things off. The problem is most of those things are already off in my environment. I don't believe in tamper protection. Proactive Threat Protection shouldn't be installed on servers either. I did turn off location awareness, which I wasn't using anyway, and the application monitoring. I also changed the communications from push to pull and from every 5 minutes to every 60 minutes.

Nothing I changed helped. I even tried upgrading a server to MR3 to see if that would help.

Having done all I could I opened a case with Symantec. At this point, the case has been open over a week. I've gathered logs for them, but there hasn't been a resolution yet.

W32.Kernelbot.A

| No Comments | No TrackBacks


Symantec Virus Definitions
--------------------------
LiveUpdate Plus: 11/03/08 v.025
LiveUpdate Daily: 11/03/08 v.025
LiveUpdate Weekly: 11/05/08
Intelligent Updater: 11/03/08 v.021

Summary
-------
W32.Kernelbot.A is a worm that spreads by exploiting the MS08-067 vulnerability
and through file sharing networks. It may also download files on to the compromised computer.

References
----------
Sophos W32.Kernelbot.A
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110315-4059-99

Symantec Internet Security 2009 detected nearly 10 times the exploits when compared to other security suites in a recent Secunia test.

Full results here.

Secunia's related blog post.

I can't wait for the vendors and bloggers to kick up a dust storm about why Secunia's methodology, assumptions and testing are wrong. This being the Internet that should be starting shortly. :)

At least Secunia can't be attacked as easily as Consumer Reports.

The latter point is that even the best detected less than 25%. So stay patched, and don't get socially engineered into manually installing the malware.

Symantec buys MessageLabs

| 2 Comments | No TrackBacks

Symantec buys MessageLabs the leader in email security. Press release is here.

I was just talking to my old sales rep last week about ML on the market. It seemed to me that MessageLabs sold its ISP Star to make it easier to sell itself.

There are some good things here. Both Symantec and MessageLabs seem to have top notch anti-virus groups. I hope they don't feel they can eliminate redundancy.

I am concerned based on my past experience when Symantec bought IM Logic. Support immediately dropped from the excellent level that IM Logic maintained to the hit or miss quality of Symantec. I also felt that development slowed significantly for a time.

When Microsoft bought Sybari they added their own antivirus engine and eventually dropped some of the available engines in Antigen (I think I'm remembering that right). I'm not actually sure who MessageLabs is using right now, but I'm sure Symantec AV (crappy as it is) will be in the mix shortly. MessageLabs support has told me in the past which antivirus engines they use in email, but they don't advertise it because they want to be able to make changes to have the most effective defenses.

Here is hoping that the changes will be positive. For the past 5 plus years that I've used MessageLabs nothing beats them for email security.

SyKnApps update for SEP11

| No Comments | No TrackBacks

Symantec released a SyKnApps update last week for Symantec Endpoint Protection 11. The update notice I received didn't say much, just that "The new revision of
SyKnApps improves the performance and overall functionality of TruScan." The email also said the update was available through liveupdate.

I had been wondering if the update would reach SEP clients who get their updates from a corporate SEPM server. By comparing file versions, I found that it appeared my internal clients did get c:\documents and settings\all users\application data\symantec\syknapps\syknapps.dll updated.

A Symantec KnowledgeBase article confirms this belief. It specifically says running liveupdate on SEPM will update the clients. It also confirms that this update fixes the cosmetic bug where the SEP client GUI displays the Proactive Threat definitions as July 30th.

No Chrome for SEP Users

| 2 Comments | No TrackBacks

According to a Symantec Knowledge Base article and complaining posters in the Symantec Forums, Symantec Endpoint Protection (SEP) 11 does not work with Google Chrome when the Application and Device portion of SEP is installed.

One workaround is to disable Chrome sandboxing. I'd tend to recommend that over disabling Application and Device Control in SEP. If any of my users were found to be disabling portions of SEP, they would be in violation of company policy regarding circumventing security software.

I used to have problems like this with our old personal firewall. To control what applications can run, the process has to be wrapped up. Some applications don't like that and crash. In the old personal firewall it was as simple as editing an "ignore" line into the configuration file. In SEP, I get the feeling we have to wait for a maintenance patch.

Websense blogged about this a couple days ago and I just saw it in our email today.

Here's the info on the messages that our email scanner stopped heuristically.

Subject: Fedex Tracking N_
File WD6128922.exe

SEP11 Liveupdate EventID 13

| 3 Comments | No TrackBacks

Late last week I began noticing an error in the Application event logs on some of my SEP11 systems.

Event ID 13: "LiveUpdate returned a non-critical error. Available content updates may have failed to install."

Over at Symantec Forums people report receiving a couple different answers from tech support. Looks like the definitive answer is:

The Event ID 13 error is due to a defective patch that went out via LU on August 4, 2008. It was pulled from LU on the 7th, but machines that already downloaded the patch will display these symptoms.

Besides cluttering logs, these errors are not detrimental to system performance or security.

When the new patch to replace the defective one goes out sometime next week, the errors will stop happening.

I'm assuming the fix they are referring to is the Symantec Eraser update scheduled for Monday.

Symantec expects to post its quarterly update to the Eraser engine in the certified definitions of Monday, August 11th, US Pacific Time. This release includes internal enhancements and does not address any specific customer issues seen in the field. Eraser file versions will be 2008-2.0.125. This update will cause the size of the xdb file to temporarily increase.

From a thread at the Symantec Forums, it looks like Symantec has left out a critical component of admin virus alerts.

I like to receive emailed virus alerts when client computers detect a virus. Waiting for me to open SEPM and look in the console, or waiting for the user to mention it, is not an option. While SEP11 has email virus alert functionality, it cannot be customized. Their email is not as useful as it should be because it does not include the file path or filename.

If anyone knows of a way to do this let me know.

Symantec has reported a false positive:

The second set of July 23, 2008 LiveUpdate posting will correct a false
positive detection on DWRCS.EXE from DameWare Development LLC. The Affected
file is incorrectly detected as Infostealer.Gampass. This FP was first
introduced in RapidRelease definitions build number 83841 (version
07/22/2008 revision 53) and in the 07/23/2008 revision 9 LiveUpdate and
Intelligent Updater definitions. It was corrected in RapidRelease
definitions build number 83882 (version 07/23/2008 revision 37).

SecurID and SEPM

| No Comments | No TrackBacks

Symantec Endpoint Protection Manager Console (SEP11) allows authentication through local accounts, Active Directory and SecurID. SecurID is a two-factor authentication system which combines a user-known PIN and a token-generated 6 digit code for authentication. The token code is generated every 60 seconds.

Because the SecurID passcode is always changing imagine my surprise when I attempted to log into SEPM and I received an error that my password has expired. After checking the KB and the Symantec forums and not finding an answer, I opened a case with support. Support tells me that this is a known issue that should be fixed in a future maintenance release.

For now I'm going to have to either configure AD authentication for people requiring access to the SEPM console (such as admins and helpdesk) or, if I continue with SecurID accounts, recreate their accounts every 90 days.

I think it's a really good idea to use AD or SecurID for authentication so that each administrator doesn't end up with 50 accounts with bad passwords that are never changed. It would be preferable, however, if the authentication actually worked correctly.

Tech Support Bakeoff

| No Comments | No TrackBacks

No conclusions can be drawn from this single instance comparison. I called both Sophos and Symantec tech support to ask them a simple question: are there any known interoperability issues between your product (SEP11, and Sophos AV/AF) and PGP? We have seen conflicts in the past between some personal firewall clients and PGP and we'd like to know of any issues.

First I checked the knowledge base articles for each vendor. A search for 'PGP' returned nothing on each website.

Next a call to Sophos. I got the phone number off their public website. This was not a support line for evaluation customers. I called, went through the phone menu and was talking to tech support after maybe a minute of hold time. He knew there was a potential issue and read me a KB article from their internal system. There is an issue when PGP is installed after Sophos. Couldn't expect much more, although I don't see why that article wasn't in the public KB.

Next a call to Symantec. It took 3 minutes to get to the call pre-screener. This person couldn't find my contact information, asking me if I've called before. Yeah, for the past 8 years. 9 minutes into the call I finally escaped the pre-screen and got into the real phone queue. The recording says the customer waiting the longest has been on hold for 7 minutes. That is incredible. I was expecting to be on hold for 2 hours, since I called in the afternoon. In about 5 more minutes, I talked to the tech, who was not aware of any PGP issues. I pointed out that PGP interoperability problems would occur most when managing what applications can run, which is off by default. He checked with other people and no one was aware of any issues.

The difference in support on this one call was not as great as I expected. I could live with either one. I just need to get my Symantec account straightened out so I don't have to fight with the pre-screener so much.

German contract virus

| No Comments | No TrackBacks

I'm seeing some new virus detections on the SMTP layer.

Filename : vertrag.exe (vertrag is contract in German)
Detected as: New Malware.co

Subjects: Mietvertrag (Mietvertrag is German for lease according to babelfish.)
Abbuchungsvertrag (Deduction contract in German)
Tilgungsvertrag (Repayment contract in German)

As I've posted previously, I'm currently doing an eval with Sophos to potentially replace our Symantec Antivirus with Sophos Antivirus, HIPS and Firewall. Sophos provides support for a wide variety of operating systems.

I haven't crossed that bridge yet, but I did talk to my pre-sales support (hi Chris) about the issues with 1) convincing Linux, Solaris and Mac users to follow the company policy and install antivirus and 2) the new burden of these people now thinking you provide support for anything that goes wrong with their system because it must be the AV's fault.

Mark Harris Director of SophosLabs has written a blog entry covering some of the same type of information. He announces Sophos Anti-Virus for UNIX 7.0 beta and explains why Antivirus for Unix is even necessary.

This week I began an evaluation of Sophos Endpoint Security. (Why do I get the feeling all over the country sales guys just perked up and began repeating "sales lead" to themselves?) Currently we're using Symantec Antivirus 10. I'm looking to consolidate antivirus, antispyware and the personal firewall into one product. We also want more protection than signature based solutions can provide. For years I've wanted to go with Cisco Security Agent (although now I don't want to add yet another agent), and I've also considered McAfee Total Protection because it has the McAfee HIPS technology.

Sophos recently made big sales to Northrop Grumman and GE. This shatters the notion that they are only a small European AV vendor. Sophos sales tells a pretty good story, and they are nothing if not tenacious.

When I set up their enterprise console, I found, as they stated, that it's a lot simpler to manage than McAfee TPS and Symantec Endpoint Protection. When I got to installing the client I found a couple of things that really bother me.

1. McAfee and Symantec both provide mechanisms for locking the client configuration. With Sophos they create local groups; Sophos Administrator, Sophos Power User and Sophos User. The install on the client added every member of local administrators to the Sophos Administrators group. In our company employees have local admin rights so this is kind of a problem.

Sophos' answer to this is to use Restricted Group in Group Policy to restrict membership in the Sophos Administrators group to whatever groups you specify. Additionally they use Group Policy to place NTFS file permissions on their XML configuration file.

This solution is simply not as granular as that provided by the competitor. With Symantec I can allow specific settings to be modifiable by the user. I can give the user the uninstall password if necessary. This solution doesn't allow you to lockdown settings on computers that are not members of your domain. This solution creates a dependency on group policy acting correctly. Informed local administrators may be able to add themselves to the group long enough to perform their rogue task.

2. Installing Sophos requires supplying a local administrator account for the machine where the installation is occurring. Since we generally deploy software through SMS, this means I'll have to supply a password in the command line script. I believe that is specifically forbidden under NIST 800-53. It's certainly bad practice. It also raises questions on how users outside the domain will install (home users, Windows computers in other domains).

I haven't run across software with this requirement before. Either software runs as the user running the install (if they have admin rights) or you run the install as the sms install account.

When installing on a non-domain computer, I had a lot of problems getting the install to work and then successfully check in for updates.

3. The Sophos install creates a local administrator account. Now I'm sure it has a very strong password, but I'm just not comfortable with my software creating a local admin account. Symantec didn't do that. McAfee didn't do that.

I've been accused of writing off these endpoint security vendors too quickly. The way I see it, it doesn't matter if the rest of the eval is perfect; if Sophos can't answer to my satisfaction why they are doing things this way and why it isn't a problem, I can't go with this product.

Sophos has already gotten me to change some of my thinking. Their defaults include scanning program files only, scanning on read/execute only, and not scanning compressed files. It's no wonder they claim to be faster than the competitor. In those cases, they had a good argument for their recommendations (although a sales engineer did recommend I scan on write too and ignore the manual on that point). These three issues may be too much for me to accept.

My sales engineer is out most of next week. I'm out Monday. I'll post a followup when I get some answers back.

Subpoena in a Civil Case

The SANS ISC Diary has a good write up of the Subpoena in a Civil Case malicious email. Wish I had seen that before investigating the copy our CEO received.

The message is from subpoena@uscourts.com with a display From of United States District Court. It says

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specified below.

It has a link to download a document on the matter. The website prompts to install a malicious ActiveX control.

The malware we received doesn't seem to be the same file the ISC is reporting.

Tax Contract for $companyname

This morning MessageLabs blocked a suspicious message to a recipient in our finance department.

Subject: Re:tax contract for , INC

The message contained a Word document attachment named incomplete_contract.doc. The Word doc contained an embedded exe named MicrosoftWordhasencounteredanerrorandneedstoclose.Pleasedoubleclicktheicontoreloadmsword.exe

These are probably the same people who tried last week with subject lines "Re : Tax Refund for %firstname% %lastname%" with a scr attachment.

Going through my email I see a similar detection back in February, "Complaint Filled against , (Case id: #3DB0A4)", again with a scr attachment.

As I was driving into work this morning, my blackberry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major exe. When I read the Technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named "bak" at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.

Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.
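The Symantec description above is enough to check a host for the Trojan's footprint. The following is an added example (not from the original post or from Symantec) that takes Run-key values as a list and flags autostart programs that have a differing "bak" copy beside them or that are byte-identical to another autostart program; on a real machine the values would be read with winreg, and the demo builds a constructed file tree in a temp directory.

```python
"""Spot Zonebac-style replacement of autostart executables.

Added example, not code from the original post or from Symantec. It checks
for the effect the Trojan write-up describes: every executable referenced
from the Run keys is copied to a sibling "bak" folder and the original is
overwritten with the Trojan's own body. On a real host the Run values would
be read with winreg; here they are passed in as a list so the check runs on
any platform, and demo() builds a constructed tree in a temp directory.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def exe_from_run_value(value):
    """Return the program path from a Run value such as '"C:\\a b\\x.exe" /min'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 1 else ""
    return value.split(" ", 1)[0]


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_run_entries(run_values):
    """Return (kind, path, detail) findings for a list of Run value strings.

    bak-copy        bak\\<name> exists beside the program and differs from it,
                    i.e. the "backup" the Trojan makes before overwriting.
    shared-content  two or more autostart programs are byte-identical, which
                    is what overwriting each with the same Trojan body leaves.
    """
    findings = []
    by_hash = defaultdict(list)
    for value in run_values:
        exe = exe_from_run_value(value)
        if not exe or not os.path.isfile(exe):
            continue
        folder, name = os.path.split(exe)
        digest = _sha256(exe)
        by_hash[digest].append(exe)
        bak = os.path.join(folder, "bak", name)
        if os.path.isfile(bak) and _sha256(bak) != digest:
            findings.append(("bak-copy", exe, bak))
    for digest, paths in by_hash.items():
        if len(paths) > 1:
            findings.extend(("shared-content", p, digest[:16]) for p in paths)
    return findings


def demo():
    """Constructed tree: two programs replaced Zonebac-style, one untouched."""
    root = tempfile.mkdtemp(prefix="zonebac-demo-")
    try:
        trojan_body = b"CONSTRUCTED-TROJAN-BODY"  # stands in for the dropper, not malware
        run_values = []
        for name, body, infected in (("updater.exe", b"legit updater", True),
                                     ("tray.exe", b"legit tray app", True),
                                     ("clean.exe", b"untouched program", False)):
            folder = os.path.join(root, name[:-4])
            os.makedirs(folder)
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(body)
            if infected:
                os.makedirs(os.path.join(folder, "bak"))
                shutil.copy(path, os.path.join(folder, "bak", name))  # Trojan's backup
                with open(path, "wb") as fh:                           # then the overwrite
                    fh.write(trojan_body)
            run_values.append(f'"{path}" /background')
        return check_run_entries(run_values)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```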

This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.

It looks like I may have to move up my implementation of Adobe Reader 8.2.1.

Brian Krebs' writeup on this reports that according to iDefense this was spreading through banner ads. http://blog.washingtonpost.com/securityfix/2008/02/hackers_exploiting_adobe_reade.html

Symantec Eraser Engine update

Perhaps the following explains the trouble I had with SEP11 and Vista.
From an email sent to platinum customers:

Update: Eraser Engine update - 01/18/07

Symantec has released an Eraser Engine update today, January 18th US Pacific Time. This update replaces a planned AV Engine update that was announced in a previous Platinum Bulletin. It addresses an issue seen by some customers using Symantec Endpoint Protection 11 on Windows Vista which in rare circumstances could cause the system to become unstable. Following this update, the AV Engine and Eraser will have the following versions:

naveng32.dll: 71.4.0.23
ccEraser.dll: 107.4.1.2

Yet Another SEP11 problem

I wrote last week how my Vista tablet cratered shortly after I installed Symantec Endpoint Protection 11. I've rebuilt that computer, and decided not to do any more testing with SEP for a while. If I didn't have Symantec coming in sometime soon for a NAC demo I'd be evaling McAfee Total Protection Enterprise.

Today I came in after a few days off and found that my desktop is out of hard drive space. After looking around I found 18.6 GB of files in c:\program files\common files\Symantec shared\. Most of these files were in directories named *.tmp. Now I know this sort of thing happened in previous versions of Symantec as well, but it hadn't happened to me, and it hadn't happened within weeks of installation.


http://www.us-cert.gov/current/index.html#microsoft_access_database_file_attachment

US-CERT is aware of a stack buffer overflow vulnerability in the way that Microsoft Access handles specially crafted database files. Opening a specially crafted Microsoft Access Database (e.g., .MDB) can cause arbitrary code execution without requiring any additional user interaction. Microsoft Access files are considered to be high-risk, so it may be possible to execute arbitrary code without using a vulnerability in Microsoft Access.

US-CERT is aware of active exploitation using malicious Microsoft Access databases.

To help protect against this type of attack, US-CERT recommends the following:

Do not open attachments from unsolicited email messages
Block high-risk file attachments at email gateways

"I've got issues"

Ok, so the title is an inside joke.

On Monday I began having some issues on my Vista Tablet.

  • The computer isn't able to obtain an IP address from the DHCP server

  • An error: "error 56 the cisco systems, inc vpn service has not been started"

  • Unable to uninstall SEP11

  • Unable to perform a rollback to a previous snapshot

  • Unable to open tcp/ip properties because supposedly another dialog was already open

I'm blaming Symantec Endpoint Protection 11. That was the last change to the system.

Symantec Liveupdate November 21

I noticed today that Liveupdate on my home computer wasn't working. The definitions were at November 21, 2007. When I attempted to run liveupdate manually I received an error "LU1825: LiveUpdate could not understand how to install this update. You may need to get the latest version of LiveUpdate before you can install this update."

I'd previously been following threads about this problem over at Broadband Reports and at the Symantec Forums.

I followed the advice here to either reboot or restart the Symantec Antivirus service. I restarted the SAV service and immediately liveupdate worked. I've had this problem on SAVCE 10.1.6 and 10.0.1, but I've seen postings from users of Symantec AV consumer products as well.

Article: Color Me Complex

Information Security Mag has an article by Ed Skoudis and Matt Carpenter in which they do a bake off between several endpoint protection products.

http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1280028_idx1,00.html
(Not sure if non-subscribers can view that or not. It's free to sign up, or try bugmenot.)

This will make all the Symantec bashers angry, but it actually comes out rather well. Looks like it will be worth it to learn the new platform that is SEP and upgrade.

Points of interest to me


  • ISS not doing so well. They don't have their own AV, so the AV piece and the rest seem cobbled together

  • Third Brigade not yet well integrated with Trend

  • McAfee surprisingly not doing well. I would have expected McAfee HIPS (Entercept) to have crushed the malware tests. It seemed that only the buffer overflow protection was tested. Was HIPS not on by default? I'm pretty sure it is part of Total Protection Enterprise.

  • Symantec doing rather well.

  • Sophos scanning on read only by default

The article writers feel that Endpoint Protection suites are still new and have some maturing to do.

Trend's Anti-SEP Marketing

Last week, I received an email from Trend Micro bashing Symantec Endpoint Protection 11. This seemed like kind of a desperate move. If Trend is truly a top tier AV company why do they need to take shots at Symantec?

There’s something you need to know about Symantec Endpoint Security. Going to version 11.0 requires at least one reboot, frequently two. If you are on version 9.0 or older, Symantec recommends a full rip and replace. Now that's a cumbersome migration!

I guess Trend feels that Symantec AV admins are rather frustrated with the product and they are trying to tap into that.

Here's a link to a Symantec Product Manager's take on the Trend email.

Adobe PDF Attacks

Symantec's blog entry about the Adobe PDF exploits reported that the attacks were targeted attacks on a handful of specific organizations. Their writeup on trojan.pidief.a still has a low threat assessment:

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low

It looks to me like these malicious pdfs are being spammed more widely right now. We've received files detected as exploit-pdf.shell.

Subject Lines / File names
Personal Credit Points / report.pdf
Personal Financial Statement / report.pdf
Statement of retained earnings / dept.2007.10.26.3689762.pdf

Ars Technica reports that Google is now giving Postini protection to its enterprise customers who use its hosted email services. That's great, but I don't really trust them with my data, let alone my customers'. For smaller businesses with less in-house expertise, I can see that as a good play.

Phishing ADP

ADP posted the following on Friday.

Beginning yesterday, certain ADP clients and other parties started receiving fraudulent e-mails that appear to be sent from ADP. They were not.

If you receive these e-mails DO NOT OPEN, FORWARD, LAUNCH OR RESPOND TO THEM. IMMEDIATELY DELETE THEM. The e-mails and their attachments are malicious and could harm your computer. We believe they are attempting to compromise your data.

WHAT YOU NEED TO KNOW:

Here is what you should be on the lookout for:

The "from:" address in these e-mails may have been spoofed to look like it is coming from ADP such as "emplservices292823@adp.com " or "adpcomplaintcenter@adp.com".
The subject line may read: "Agreement Update for [Your Company Name (Case id: ______)]" or "Complaint Update for [Company Name (Case id. #)]".
The e-mail may have an attachment named either Agreement.rtf or Agree.rtf or may instruct you to "download a copy of your complaint."
These attacks are sophisticated and you may receive other fraudulent e-mails. Please be careful not to open any suspicious attachments or to download any files.
ADP will continually update the information on its website to help you identify and avoid problems from these suspicious e-mails. You will be able to visit http://www.adp.com/about_fraudulentemail.asp for the latest information.

WHAT YOU NEED TO DO:

If you received one of these suspicious e-mails do not open the attachment and do not provide any information of any kind. Delete the e-mail and any attachment immediately.

WHAT IS ADP DOING ABOUT THIS:

ADP's security team is working with law enforcement as well as outside experts to identify those responsible for this attack. If we identify any further steps needed to protect your computer, ADP will immediately post this information on our website.

We appreciate your understanding as we work with law enforcement and you to resolve this matter.

Forefront for Sharepoint Eval

We've decided that McAfee Portalshield for Sharepoint isn't cutting the mustard, so it's time to look for other products. The Sharepoint guys are working on upgrading to Sharepoint 2007. From what I've heard McAfee doesn't support Sharepoint 2007 yet. McAfee Portalshield has had a couple of annoying habits anyway. Once we installed it, we had to restart IIS on a scheduled basis, otherwise the sites would become unavailable. We also had one compressed file that would constantly get detected, and we could never figure out where the file was located.

One of the sysadmins installed Forefront for Sharepoint and asked me to check it out. I really don't remember why we didn't go with this a year ago. I like Sybari products and this should be pretty much the same thing as the newer Microsoft Forefront branded products.

As I began to eval, I attempted to upload an eicar file. Forefront successfully detected this, but I also received a detection from Symantec Antivirus Corporate Edition (the file system antivirus) for Eicar in C:\Program Files\Microsoft Forefront Security\SharePoint\Data\ADF\VxData\eicar.00.ext. I figure that I need to exclude the data directory in SAV. It would be nice to find a KB indicating that, but no joy thus far.

Next, I uploaded cain.exe into my Sharepoint My Site. Actually, it rejected cain.exe because it is an executable, so I renamed the file to cain.ex_. Sybari had an incredibly stupid configuration where they only scanned file types known to be potentially malicious (this setting isn't visible to the admin and is on by default). It seems that this behavior has held over to Microsoft Forefront, because cain.ex_ is not detected on upload. I initiated a quickscan of My Site in Sharepoint. Forefront still detects nothing, but I received a detection:

File: C:\WINDOWS\Temp\3e540056.$$$
Virus: CainAbel

It appears that Forefront is unpacking its scanned files in Windows\Temp. This seems incredibly foolish. I'm wondering if this has something to do with using the Clean setting rather than the delete setting. Either way, this shouldn't happen.

One Monster of an Attack

There are several lessons to be learned from the recent penetration of monster.com and the subsequent phishing attempts. In this attack, recruiter accounts were compromised and used to download around a million Monster user records. These records were used to create targeted phishing attacks purporting to be from interested employers.

The first thing I'm wondering is how these recruiter accounts were compromised. Was the account brute-forced? If so, why did Monster allow the use of weak passwords? Why didn't Monster lock the account after numerous bad password attempts? I sure hope the people whose accounts were compromised didn't use that password anywhere else, or if they did, they should be frantically changing them.

Even if the account(s) were compromised through the use of a keystroke logger on the recruiter's system, why were they able to download so many records? Shouldn't that raise some sort of red flag?

In the case of the phishing, users need to be aware that requests for their personal, bank and credit information need to be treated with suspicion. Beware what information you make available on such a site in the first place.

SAV and ccapp part 2

As I wrote about this morning, I've had some issues with SAV 10.1.6.6010 and ccapp.exe.

The first issue with ccapp and vptray not loading was traced to bad permissions on the files msvcp71.dll and msvcr71.dll. The logged on user didn't have rights to the files. They were needed for ccapp.exe and vptray.exe to run. That problem is solved. Let's hear it for Process Monitor from Microsoft.

I called Symantec about the SMTP issues. They suggest that I remove the internet email scanner where it is a problem. Seems odd after all these versions that I'd suddenly have a problem with it. I checked with my fellow Symantec Admins over at myitforum but no one else has had this happen. Looks like I'll be deploying without the Internet email plugin.

I had one other problem on one computer. ccapp.exe - Application Error. The instruction at "0x010e1feo" referenced memory at "0x010e1feo". The memory could not be read.
After uninstalling the internet email scanner the problem did not return in our brief testing. I'll have to keep an eye on that.

SAV and ccapp.exe

I'm trying to upgrade my Symantec Antivirus CE to 10.1.6.6010. In the small test group I've got going right now I've got two issues.

1. the error "The application failed to initialize properly 0xc0000022." for both ccapp.exe and vptray.exe occurs when the guest account logs in. (I need to do some checking to see what happens when I log in as a regular user).

Investigation with SysInternals Process Monitor shows that it checks for msvcp71.dll in c:\program files\common files\symantec shared\; not finding it there, it finds the dll in system32. After opening it, it then tries to write to it. Of course regular users cannot write to dlls in system32. Actually, on my computer it looks like the user who did the installation gets full control and no one else gets any access.

Another user reports that ccapp crashes at logout and the account never successfully logs out.

2. I'm also having reports of trouble sending email, but I haven't checked into that yet.

I'll either update this post when I get to a solution, or create a new post with a trackback to here.

By the skin of their teeth

Over at BroadbandReports, I ran across a thread linking a wilderssecurity thread with screenshots to just about every antivirus product. One of the posters noted that some of these antivirus products allow you to "skin" them.

Call me an old fuddy duddy, but skins have no place on antivirus products. I seem to recall both Winamp and Real Player having security vulnerabilities due to their skins. That may be acceptable for media players which need to be hip. I just expect my antivirus to work. I don't want to know it's there.

Mal/Dropper-L

We had a couple viruses get past MessageLabs last night. That is not something I normally see. Both files were named lgame.zip and contained a single file lgame.exe. The subject of the message was "Hot Pictures." Sunbelt Software's analysis of this file is really good. You can view that online here.

The email messages were detected as a virus by the scanner on the mail server. It was detected as Mal/Dropper-L.

I plan to report this false negative to MessageLabs but their support has been very unresponsive to similar incidents. Their script requires me to save the infected message in a msg format, zip it and mail it to them. Because my mail server antivirus quarantined the attachment, it would be very difficult to reconstruct the original message.

I submitted to virustotal. Here are their results. (this is 7 hours after the files were originally sent).

File lgame.exe received on 08.13.2007 15:00:28 (CET)

Antivirus Version Update Result
AhnLab-V3 2007.8.9.2 2007.08.13 -
AntiVir 7.4.0.60 2007.08.13 Worm/Ntech.D
Authentium 4.93.8 2007.08.11 -
Avast 4.7.1029.0 2007.08.13 Win32:Agent-JYG
AVG 7.5.0.476 2007.08.13 -
BitDefender 7.2 2007.08.13 DeepScan:Generic.PWS.Games.4.2D9F7732
CAT-QuickHeal 9.00 2007.08.13 -
ClamAV 0.91 2007.08.13 Trojan.Dropper-2099
DrWeb 4.33 2007.08.13 BackDoor.Bulknet
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5055 2007.08.13 Win32/Cutwail!generic
Ewido 4.0 2007.08.13 -
FileAdvisor 1 2007.08.13 -
Fortinet 2.91.0.0 2007.08.13 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.13 Trojan-Downloader:W32/Agent.BRK
Ikarus T3.1.1.12 2007.08.13 Trojan-Downloader.Win32.Agent.brk
Kaspersky 4.0.2.24 2007.08.13 Trojan-Downloader.Win32.Agent.brk
McAfee 5095 2007.08.10 -
Microsoft 1.2704 2007.08.13 -
NOD32v2 2455 2007.08.13 a variant of Win32/TrojanDownloader.Agent.BRK
Norman 5.80.02 2007.08.13 -
Panda 9.0.0.4 2007.08.12 -
Prevx1 V2 2007.08.13 -
Rising 19.36.02.00 2007.08.13 -
Sophos 4.20.0 2007.08.12 Mal/Dropper-L
Sunbelt 2.2.907.0 2007.08.11 -
Symantec 10 2007.08.13 Trojan.Pandex
TheHacker 6.1.8.167 2007.08.13 -
VBA32 3.12.2.2 2007.08.11 -
VirusBuster 4.3.26:9 2007.08.12 -
Webwasher-Gateway 6.0.1 2007.08.13 Worm.Ntech.D

Additional information
File size: 20992 bytes
MD5: dfade0d9b21be4fd57dd6975d9fe7ccd
SHA1: 31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6

update: MessageLabs did realize they had let this through and sent us a list of messages to delete. Unfortunately they sent it to the lead contact (who was on vacation) rather than sending to all of us. Fortunately we'd already caught those messages.

Adware.cpush detection

I received what appears to be yet another false positive in Symantec Antivirus. Adware.cpush was detected in c:\program files\filezilla\uninstall.exe.

Filezilla is an ftp/sftp program from Mozilla. This has been on my computer for a while, so I tend to believe it is a false positive. I'll update this thread if I see anything from Symantec on this subject.

update 7/16 12:20pm:
Symantec sent out the following email:
-----Original Message-----
From: symalert@symantec.com [mailto:symalert@symantec.com]
Sent: Monday, July 16, 2007 12:13 PM
Subject: LiveUpdate posting to correct False Positive
The July 16, 2007 LiveUpdate posting will correct a false positive detection
on some installers or tools created using the Nullsoft Scriptable Install
System (NSIS). This FP caused such files to be incorrectly detected as
Adware.CPush. This FP was first introduced in
RapidRelease definitions build number 70817 (version 07/14/2007 revision 32)
and in the 07/15/2007 revision 2 LiveUpdate and Intelligent Updater
definitions. It was corrected in RapidRelease definitions build number 70822
(version 07/15/2007 revision 4).

Today's LiveUpdate and Intelligent Updater definitions will also correct
this FP. These definitions will have the version 07/16/2007 revision 21.
Current ETA for posting is 10:30AM PDT. An additional message will be sent
approximately 30 minutes before the LiveUpdate virus definitions are
available for download.

Symantec sent an email early today to its Platinum customers reporting that they are working on a tool which will update the decomposer engine in Symantec AntiVirus Corporate Edition and Symantec Client Security.

The tool will update all supported versions of SAV and SCS to the latest decomposer engines to address the SYM07-019 vulnerability.

They estimate this tool will be released by the end of the day on Wednesday July 18th, 2007 US Pacific Time.

I wasn't particularly looking forward to upgrading my 10.0.2 clients to 10.1.6. So hopefully this will make it possible to easily upgrade the vulnerable component.

After hearing about Postini's sale to Google, I wrote earlier this week wondering if Message Labs were also on the market.

A Friday article in the Financial Times reports that Message Labs has been positioning itself to be bought. As Brightmail, FrontBridge and now Postini were purchased, it is hard for me to see if Message Labs is the odd man out or if their value is greater now that other options have been removed. The article also states that if a sale is not complete, an IPO could be in the works (reminds me of the Sybari IPO where Microsoft bought the company).

The article reports that likely buyers are McAfee, TrendMicro, IBM and HP.

Multiple vulnerabilities have been announced today in Symantec Antivirus. The most critical of these vulnerabilities could allow arbitrary code execution.

Currently users of 10.0 and 10.1 are being advised to upgrade to 10.1.6.6000. 10.2 is not affected. Hopefully the guidance here will become more clear. During last year's SAV vulnerability it took quite a while before MSP files were released for all supported product branches. Right now, I would have to completely upgrade the client instead of installing a small patch.

Yesterday, I attended a webinar on Symantec Endpoint Security 11. It should be available for on-demand replay at some point at symantec.com.

A lot of people including myself have been very negative about the Symantec product, virus detection rates, and product support. I'm actually starting to believe that Symantec is turning things around. Yes, I know this brief ray of hope will soon be crushed by more Symantec nonsense. But for now, for this blog entry, I'll focus on the positive.

Symantec Endpoint Security, formerly code named Hamlet, is a single agent, single console solution. In the past people have implemented piecemeal solutions. So the clients have anti-virus products, antispyware products, and a personal firewall. Each of these products requires a separate management point. They each require upgrades and management. There is an incredible cost to the old "best-of-breed" approach. Back then "kitchen-sink" solutions like Symantec Client Security were bloated beasts that weren't the best at anything. McAfee Total Protection was the first vendor to grab my attention with a consolidated approach. Let's see what Symantec brings to the table.

  • Antivirus - as I've blogged about before, Symantec is doing much better on the AV tests.
  • Antispyware - Includes Veritas technology VxMS to detect rootkits. They feel this is superior to rootkit detection in other products. I'm not convinced though that the product is overall better in spyware detection than Webroot or Sunbelt. But it may be worth it to preserve resources.
  • Intrusion Prevention (Network and Host): Generic exploit blocking (currently in SCS), Proactive Threat Scan (from Whole Security), Deep Packet Inspection
  • Device Control - restrict data leakage (not a lot of info on this that I noted)
  • Symantec NAC

This is all with a single agent. According to the presenter McAfee is using multiple agents in its product.

They had some interesting memory baseline numbers:

Symantec Antivirus Corporate Edition - 62 MB
Symantec Client Security - 129 MB
McAfee Total Protection - 71 MB
Symantec Endpoint Protection - 21 MB

That is a very significant number. We have been very concerned about each security solution adding a burden to the computer.

There is a public beta. To sign up for that, or for additional information, check out www.symantec.com/endpointsecurity.

This sounds interesting. Of course I would never install a dotZero release from Symantec. But about 6 months after release this could be of interest.

On Friday, I received an email from postcards@kissesonapostcard.com with the subject: "Hi there, an old friend has just sent you a greeting card and a kiss!" It was sent to the infosec board's mailing list so there is no chance this is legit.

The message contained a link, "Get your greeting card here" hxxp://send.kissesonapostcard.com/a_friend.exe (hxxp munged by me to avoid people accidentally clicking on a link).

Kaspersky detected this file as IRC.Zapchast so I submitted the message to my email hygiene provider.

Now most people wouldn't have done that because their email antivirus product has no hope of detecting links to malicious code in emails. Since mine purports to do this, I submitted the email. Surprisingly, two days later, I got an email back with a case number. Another two days later, I was asked by support to save the offending message as a .msg file and then zip it and send it to them. That kind of annoyed me because I included full headers and the html of the message.

As long as I was thinking about this file, I ran it through virustotal again. This time most of the vendors are catching it.

This evening after the latest SAV update, I'm seeing detections on all of my systems with the Windows Resource Kit installed. The files instsrv.exe and srvany.exe are detected as Hacktool.

Both files are used when creating a service.

We'll see if they back off this detection, or if it will be yet another thing we have to whitelist (and whitelisting doesn't work so well in the version of SAV I am running). Vendors need to do a better job being flexible about potentially unwanted programs.

update - received an email from Symantec:
From: symalert@symantec.com [mailto:symalert@symantec.com]
Sent: Friday, June 22, 2007 10:07 PM
Subject: Symantec Security Response will post LiveUpdate virus definitions today, June 22, 2007 PDT

This posting is in response to a false positive detection on the file srvany.exe from Microsoft's Resource Kit. This FP was first released in Rapid Release definitions 70045 and later in the 6/22/2007 rev.33 Intelligent Updater and LiveUpdate definitions. The false positive has been corrected from Rapid Release definitions #70065. An additional message will be sent approximately 30 minutes before the LiveUpdate virus definitions are available for download.

Symantec Antivirus (SAV) is detecting a component of Spybot Search and Destroy as a Trojan Horse. This detection seems to have occurred in the latest AV definition updates (5/30). The file is blindman.exe.

According to the Safer Networking site, this file does nothing. It is used to prevent boot delay caused by their method of disabling unwanted autorun items.

**update** - Symantec has announced that they will be releasing an update to fix this false positive this evening. It's already available in Rapid Release if you need that now.

BBB Virus

The antivirus gateway detected an interesting email this evening.

Envelope From: nobody@[edited]
From: cmplntscentercase[at]bbb.org
Originating IP: 207.210.105.78, which is an IP address in Canada according to ARIN.
Subject: Complaint Case Number: 363619942 Joe User
(It contained the name of the recipient.)
File: Embedded inside the attachment complaint.doc in an exe 'MicrosoftWordhasencounteredaproblemandthedocumentwasnotfullyloaded.Pleasedouble-clickontheicontoreloadmsword.exe'

There were multiple detections on this file:
W32/Heur-Dropper.gen.a-5e19-3e29
W32/Generic
Exploit/RTFEmbeddedExe

This email is similar to http://orwwa.bbb.org/release.html?value=61 from earlier this year. In that instance the users were tricked into clicking on a malicious link rather than conned into opening a viral attachment. According to this SANS diary entry, the link was to an EXE inside of an RTF document. So while the style of attack isn't new, this email could indicate a new spam run of this virus.

Here's a sunbelt blog entry on the same virus. In that blog entry Alex Eckelberry reports that the file downloads more malware, tightvnc and winrar. He also has the body of the message which confirms my suspicion, based on the message subject, that this is highly targeted.
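Both this message and the tax-contract message above carried the executable as an OLE Package object inside a Word/RTF attachment. The following is an added example (not the gateway's engine and not code from the original post) that pulls the \objdata hex blobs out of an RTF, checks each for a PE image and an executable file name, and runs against a constructed sample; the file-name heuristic is an assumption, not a full parse of the Packager stream.

```python
"""Flag RTF attachments that carry an embedded executable.

Added example; it is not code from the original post or from any vendor's
engine. An OLE object embedded in RTF arrives as a hex blob under \\objdata.
The scanner decodes each blob and reports a PE image (an MZ header whose
e_lfanew points at the PE signature) and any executable file name it holds.
Pulling names out of printable runs is a heuristic assumed here, not a full
parse of the Packager stream; sample_rtf() is a constructed document.
"""
import re

# Hex payload of an \objdata group; the run stops at the closing brace.
_OBJDATA = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")
# Printable ASCII run ending in an executable extension.
_EXE_NAME = re.compile(rb"[\x20-\x7e]{1,200}?\.(?:exe|scr|com|pif|bat|cmd)\b", re.I)


def _decode_hex(blob):
    hexdata = re.sub(rb"\s+", b"", blob)
    if len(hexdata) % 2:          # tolerate a truncated trailing nibble
        hexdata = hexdata[:-1]
    return bytes.fromhex(hexdata.decode("ascii"))


def _find_pe(data):
    """Offset of an MZ header whose e_lfanew lands on 'PE\\0\\0', or -1."""
    pos = data.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def scan_rtf(rtf):
    """Return one finding per \\objdata object in the RTF bytes."""
    findings = []
    for match in _OBJDATA.finditer(rtf):
        data = _decode_hex(match.group(1))
        pe = _find_pe(data)
        names = sorted({n.decode("ascii") for n in _EXE_NAME.findall(data)})
        findings.append({
            "rtf_offset": match.start(),
            "size": len(data),
            "pe_offset": pe,
            "exe_names": names,
            "verdict": "embedded-executable" if pe >= 0 or names else "clean",
        })
    return findings


def _fake_pe():
    """MZ/PE-shaped bytes for the sample (constructed, not a program)."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 16


def _ole1(class_name, payload):
    """Minimal OLE 1.0 embedded-object header around payload."""
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"                 # version, embedded
            + len(class_name).to_bytes(4, "little") + class_name      # class name
            + b"\x00\x00\x00\x00" * 2                                 # no topic/item name
            + len(payload).to_bytes(4, "little") + payload)


def _rtf_object(class_label, data):
    hexdata = data.hex().encode("ascii")
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\object\\objemb{\\*\\objclass " + class_label
            + b"}{\\*\\objdata\n" + lines + b"\n}}")


def sample_rtf():
    """Constructed RTF: a Package object wrapping an .exe, then a harmless object."""
    packaged = (b"\x02\x00" + b"reloadmsword.exe\x00"                 # lure label
                + b"C:\\temp\\reloadmsword.exe\x00" + _fake_pe())      # path, file body
    return (b"{\\rtf1\\ansi "
            + _rtf_object(b"Package", _ole1(b"Package\x00", packaged))
            + _rtf_object(b"Word.Picture.8", _ole1(b"Word.Picture.8\x00", bytes(range(48))))
            + b"\\par Please double-click the icon to reload the document.}")


if __name__ == "__main__":
    for finding in scan_rtf(sample_rtf()):
        print(finding["verdict"], finding["exe_names"])
```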

AV-Test Bakeoff

PC Mag has an article with the results of the latest av-test.org Antivirus bakeoff.

I'm kind of surprised Symantec did so well. It seems like just a few years ago they were days behind other vendors in releasing updates. They even beat McAfee, who only had an 87.28% detection rate.

Delf.aki

The HTTP gateway detected the Delf.aki virus in a file profilewatcher_setup.exe which one of my users tried to download. Just for kicks I uploaded it to the virustotal site and here's the result.

File size: 985897 bytes
MD5: 837c3036adf45c11a45c8a2f356c060e
SHA1: ef7311d94a80962d886befefb6bc08f03941f3e4
packers: BINARYRES

Antivirus Version Update Result
AhnLab-V3 2007.5.21.1 05.22.2007 no virus found
AntiVir 7.4.0.27 05.22.2007 DR/Delf.aki
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.22.2007 no virus found
AVG 7.5.0.467 05.22.2007 no virus found
BitDefender 7.2 05.23.2007 no virus found
CAT-QuickHeal 9.00 05.22.2007 no virus found
ClamAV devel-20070416 05.23.2007 no virus found
DrWeb 4.33 05.22.2007 no virus found
eSafe 7.0.15.0 05.21.2007 Win32.Delf.aki
eTrust-Vet 30.7.3654 05.23.2007 no virus found
Ewido 4.0 05.22.2007 no virus found
FileAdvisor 1 05.23.2007 no virus found
Fortinet 2.85.0.0 05.22.2007 W32/Delf.AKI!tr.bdr
F-Prot 4.3.2.48 05.22.2007 no virus found
F-Secure 6.70.13030.0 05.23.2007 Backdoor.Win32.Delf.aki
Ikarus T3.1.1.8 05.22.2007 Backdoor.Win32.Delf.aki
Kaspersky 4.0.2.24 05.23.2007 Backdoor.Win32.Delf.aki
McAfee 5036 05.22.2007 no virus found
Microsoft 1.2503 05.22.2007 no virus found
NOD32v2 2285 05.22.2007 no virus found
Norman 5.80.02 05.22.2007 no virus found
Panda 9.0.0.4 05.22.2007 no virus found
Prevx1 V2 05.23.2007 no virus found
Sophos 4.17.0 05.21.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.23.2007 no virus found
TheHacker 6.1.6.120 05.21.2007 no virus found
VBA32 3.12.0 05.22.2007 Backdoor.Win32.Delf.aki
VirusBuster 4.3.23:9 05.22.2007 no virus found
Webwasher-Gateway 6.0.1 05.22.2007 Trojan.Delf.aki

As Steve Spurrier would say while coaching the Redskins, "6 and 10, not too good." Virustotal will pass on this file to the vendors who didn't detect it and they'll "coach 'em up."

A posting on the MyITForum.com SMS discussion list reports that Symantec Antivirus 10.x and above may include a capicom.dll.

MS07-028 says that third party applications that distribute the Software Development Kit version of capicom will need to be updated.

It is not known yet whether we can just replace the vulnerable version of capicom ourselves, or if we need to wait for a SAV update. If it's the latter, can this be a liveupdate fix or will an MSP be issued?

Regular readers of my blog know that one of my many duties at work is to administrate what was once known as IMLogic (now known as Symantec IM Manager). I've complained loudly and frequently here ever since Symantec bought IMLogic. This post is more of the same. ;)

IMLogic would keep me up to date about new releases. Symantec released version 8.2 without letting me know.

IMLogic worked hard to stay on top of new developments in the IM industry and let me know what actions I should take. Yahoo announced their web IM a few days ago. I still haven't heard from Symantec about the best way to make sure that Yahoo Web IM is either blocked or monitored.

When Symantec bought IMLogic and Microsoft bought Sybari, I predicted that the Sybari - IMLogic integration was not long for this world. As I read the Symantec IMManager release notes for version 8.2, I see that Antigen for IM is no longer integrated. Here's a support article about that.

Fortunately, it seems this version doesn't have a lot new that I care about.

Real-time Enterprise Vault export capability
Groups and Group policies based on IP address ranges
File transfer control by type
Internationalization And Localization Changes
VMWare Support
Oracle 10g Support

Unfortunately, 8.1, the version I'm using, is EoL in the fall.

New AVComparatives Report

AVComparatives.org has a new report comparing malware testing organizations. Based on the subject "Anti-Virus Testing Websites: An Overview on Which Testing Sites can be trusted and which cannot" I was kind of expecting a comparison of the various online scanners. Instead I'm greeted by a paper with some of their testing philosophy and why they are better than everyone else.

It didn't do much for me, but I'd still suggest adding their RSS feed to your reader so you can keep up on their new studies.

I'm seeing email detected and stopped by my AV.

Subjects:
Worm Activity Detected!
Worm Alert!
Virus Detected!

The attachment is a password protected zip file. The name isn't coming through cleanly because my vendor replaces special characters with codes I don't understand.
patch=2d3834.zip (2d may be code for "-" and then I think there are four random numbers in the file name).

Update: SANS now has a blog entry on this: http://isc.sans.org/diary.html?storyid=2612

More Virus email Spammed

At 2:15pm today, I started receiving virus alerts indicating that a new virus is being spammed out using fake war news to socially engineer the recipient into opening the attachment.

SANS has a post about it here.

Characteristics I've seen:
Subjects:
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III
Missle Strike : The USA kills more than 1000 Iranian citizens
Missle Strike : The USA kills more than 10000 Iranian citizens
Missle Strike : The USA kills more than 20000 Iranian citizens

Attachments:
movie.exe
Read More.exe
video.exe
Read me.exe
news.exe
Click here.exe

If your antivirus is capable, or if you've just blocked executable attachments, this is a non-event for you. Otherwise, warm up your thumb, and keep hitting reload until your antivirus vendor provides an update.

I was really impressed by the RFP George Washington University put together for their encryption project. It was made available at the SANS Desktop and Storage Encryption Summit that I attended a few months back.

I decided to sit down and try to hammer out a list of requirements for some upcoming projects. I would like to replace the corporate antivirus that we currently use on our desktops and servers. I've been kind of impressed with what McAfee has done. Many companies left them for Symantec at the turn of the millennium. McAfee was too difficult to update, and had a reputation for bogging the systems down. Now McAfee has a reputation for being easy to manage through ePolicy Orchestrator and many companies have tired of Symantec's lack of support, virus definition corruption problems and confusing update structure.

Certainly reputation is important. Experiences from someone you trust can go a lot further than a 30 day eval in a lab. The problem is that the people I know using McAfee have really drunk the Kool-Aid. They're like a Mac user. They can only bash the competition; they apparently have nothing but positive experiences to report. It makes me question whether they can be trusted to provide a true evaluation of McAfee.

Actually detecting and cleaning is important. But how to select which vendor is good at it? I read an interesting NIST article on that from 1996. Rather than evaluating vendors on the basis of some virus zoo, I think a better evaluation is to 1) measure their response time when a new variant comes out, and 2) measure how they perform when signatures aren't available and all that is left is heuristics and behavior profiling.

The ability to control which PUPs (potentially unwanted programs) are detected and what occurs. I am sick of getting alerts about Netcat. I don't have a problem with it being in my environment. But because Symantec made an error in the version I'm running, I can't completely exclude it from detection.

It is just so easy to make the evaluation points all of the things you hate about the current product, rather than brainstorming a full list of requirements.

Currently we have a lot of systems having issues with corrupt virus definitions. Gartner reports that McAfee has the same problems. How do I know if that's a real issue? Is it better or worse than my Symantec problems?

Symantec IM Manager Upgrade

This afternoon I upgraded Symantec IM Manager from 8.0.12 to 8.1.4. I needed to upgrade to allow the new Live Messenger 8.1 client to work. IM Manager 8.1 is a different code branch than 8.0, but I wanted to see what was new in it as long as I was upgrading.

As I installed I noticed that it was adding .Net 2 to the server. After the install, I ran a Microsoft Update, and sure enough, Symantec installed .Net 2 without the latest security patches.

8.1 has a different web design than 8.0. I kind of like it. While browsing through the options, I notice that liveupdate is one of the listed update methods. The IM Manager updates are still separate. They have embedded the Symantec scan engine into the product, so if you enable it (enabled by default on new installs) it will use Symantec AV to scan file transfers. I currently use Microsoft Antigen for this purpose. Because we don't have a lot of file transfers via IM, I may save some money at renewal time by ditching Microsoft Antigen.

Windows Vista is available for purchase through retail channels beginning January 30th. It's times like this that make me wonder, "where is my serial number for Symantec 10.2?" To my knowledge, I haven't been sent a serial number by Symantec. As a result I don't think I can download SAV 10.2, which is the version you need to use with Vista.

This is the Tao of Symantec. One serial number for 10.0, another for 10.1 and another for 10.2. God forbid you want to use the latest release and you're not a platinum customer. I've just about had it.

To deploy 10.2 clients, I'm going to have to upgrade my parent server first. It is not good SAV mojo to have the server be a lower version than any of the clients.

With the release of Vista, I think the pressure for us to provide SAV for Vista clients will grow. It started with the volume licensing release of Vista, and grew from there. I don't know how I'm going to find time to work with SAV 10.2 unless I come in on the weekend and do it. That assumes I'll have found a working serial number.

Miles to go before I sleep, Miles to go before I sleep.

Just Don't Call Symantec

My manager asked if we had any news on when Symantec IM Manager (formerly IMLogic) will support AIM 6 and Triton. It's been over two months since Symantec sent out a notice saying that AIM 6 will not work when IM Manager is used. It's been over four months since the customer advisory that AOL Triton 1.3 and 1.5 will not work.

When you invest in a vendor (such as Akonix, Facetime or Symantec) you are betting that they will continue to develop the product. There are always new client versions, and if the vendor doesn't move to support them, your users will be left in the IM stone age.

My call to support to ask about their progress in supporting these products did not begin well. After waiting on hold for 15 minutes, I spoke to the person who collects the info necessary to route the call. My call was answered by the technical guy who said "hello." What the hell is that? Who am I talking to? It sounds like I was routed to the janitor's closet. Next he asks me for my case number. Shouldn't he already have that in front of him? So I ask my question: when will AIM 6 be supported by IM Manager? His response? "What's that?" Well, that instills confidence that this call will go well. So I tell him that AIM 6 is not supported and does not work with current versions of IM Manager, and that I have checked the knowledge base and read the article on what is supported already. What I want to know is whether they are working on it, and what the timetable is. His response? He tries to read the KB article about supported clients to me.

I then tried to call Symantec customer service both to comment on this idiot and to try to get the answer. Unfortunately customer service has a hold time of 45 minutes thanks to the "new" licensing process. The licensing process is not new, I fought with that abomination in November and December.

Symantec has done as I predicted. They have bought and ruined yet another good product.

More Stormwatch

F-Secure has a blog entry on the latest virus variants from the Stormwatch virus.

Subject: So Unique
Feeling Horny?
Full Heart
Sending Kiss
Just You
Heart of Mine
I Love You Soo Much
[events]Our Wedding Day
Love at first sight
Dream Date Coupon
Back Together

Attachment: flash postcard.exe
postcard.exe
greeting postcard.exe
Greeting Card.exe

Those are just some of the ones I have seen.

Email Malware

I'm seeing some interesting things in email this weekend. The first is some email detected as "Exploit/Mime-boundary-quote". MIME boundary issues may be exploited so that an SMTP gateway email scanner will not detect a virus, but Outlook will still be able to interpret the MIME as an attachment. Well, it's not getting by our scanner.

The second thing I'm seeing is more Stration virus variants being spammed out. As you'll recall, Stration is most often characterized as having an attachment named postcard.exe. I'm also seeing an attachment message.dat.cmd. At the time we received the new Stration it was detected heuristically. The signatures weren't yet available.

F-Secure: postcard.exe spam run

F-Secure blogged this morning about a large scale spam run underway sending messages with the attachment postcard.exe and the subject "Happy New Year!"

I saw that at my site last night. Actually, I probably wouldn't have even noticed all those detections, but I reenabled the filters on my blackberry so it doesn't get filled up with all the phishing detection notifications.

eEye: Big Yellow Worm Alert

eEye has sent out an email alert about a new worm they are calling Big Yellow attacking systems running versions of Symantec Antivirus and Symantec Client Security.

This is the same vulnerability that was patched by Symantec in June 2006. There were previous reports of exploitation on EDU networks back in November. But according to eEye it is starting to gain some traction.

Check if you're running a vulnerable version of SAV 10 or 10.1 here. And as always practice defense in depth by running a personal firewall, particularly when not on a private network.

On the heels of resolving the Bloodhound.Exploit.104 virus alert last night, I was greeted with a Bloodhound.Exploit.106 alert this morning. When our file server was indexed by Sharepoint, the antivirus on the file server quarantined a Word document. I believe this detection is a false positive.

Bloodhound.Exploit.106 is a heuristic detection for an Unspecified Vulnerability in Microsoft Word (as described in Microsoft Security Advisory 929433).

The URL I have used in the past to submit files no longer seems to be available. So I enabled the quarantine option to submit the file to Symantec. It was the first time I've used that method of submission. They say the reply time to reporting this false positive is two days. I hope it doesn't take that long.

Bloodhound.Exploit.104

| 2 Comments | No TrackBacks

This evening I received several virus alerts from a computer indicating a Bloodhound.Exploit.104 infection in a file in the temporary internet files folder. The filename ended in "videojs.js".

Bloodhound is Symantec Antivirus's attempt at a heuristic detection. The writeup at the Symantec website indicates that Bloodhound.Exploit.104 is a heuristic detection for Microsoft Internet Explorer DHTML Node Normalize Vulnerability (as described in Microsoft Security Bulletin MS06-072).

A quick Google revealed that videojs.js is a JavaScript file used on the website video.google.com. A visit to that website, and soon I too had Symantec detecting Bloodhound.Exploit.104 (and the video would not load). I am using the 12/12 rev 19 virus definitions.

I looked at www.symantec.com/avcenter and found that there is a newer virus definition available. I used liveupdate to update to 12/12 rev 51. This seems to have solved the problem.

The SANS Internet Storm Center is reporting exploitation attempts against unpatched versions of Symantec Antivirus 10 and Symantec Client Security 3.

The vulnerability first announced in May (with patches trickling out over the next month) allows remote code execution on a computer via Symantec's remote management port. To reiterate, this vulnerability is exposed remotely only in managed versions of these products.

DShield is showing a remarkable uptick in scans against this service port currently.

To mitigate against this attack, personal firewalls should be blocking access to this port when the computer is on the Internet. When on the corporate network, the Symantec Antivirus management ports should only be accessible by the Symantec parent server.

Of course the best bet is to be patched. The list of vulnerable and patched versions is available in the Symantec writeup.

Waiting on hold for symantec

This post is mainly an as-it-happens record of a call to try to get a license file for one of my Symantec products. It's not necessarily going to be funny, interesting or informative. Sort of like the rest of my posts.

Right now I'm waiting on hold for Symantec. It took 20 minutes to get through to someone in customer support. I can't get a license out of their darn licensing website. The customer support guy couldn't do anything but read irrelevant knowledge base articles to me. ("How to download from fileconnect", "How to register at the licensing site"). Hello, are you listening to me?

So this guy decided it would be too much work to actually solve my problem, so he is transferring me to the "licensing specialist." Any bets on whether this will actually be a licensing specialist or if he has merely dumped me back into the 20 minute customer support queue in hopes that he won't get my call the second time around?

- 30 minutes in - I'm reminded of the advice in "Internet Help Desk" by Three Dead Trolls in a Baggy, "always put them on hold, it takes the fight out of them".

- 33 minutes in- I'm installing JAVA Runtime Environment 1.4.2-12 so maybe my McAfee for Sharepoint will work.

- 43 minutes in - wow, this is the most eclectic mix of music.

- 53 minutes in - shouldn't have drunk so much Pepsi

- around 65 minutes in - lost the connection.

- Tried to call the number I was given for customer service and it is not valid.

New call to support since it's the only number I have. Vent a bit about my Symantec experience so far today. Guy goes to check on something.

-10 minutes in on second call -
Guy says I don't need to talk to licensing and the hold time there is one hour right now (would have been nice if the guy on the first call had set that expectation).

I'm being transferred to customer service again. Oh, and apparently the number I have for that is correct; not sure why I got a busy signal then.

- 34 minutes into the second call - the customer service drone could not help me and is transferring me back to licensing. His oh so helpful suggestion is that I call back in the morning when the hold times are less. Quote of the call: "You're from Virginia, where is that?"

- around 90 minutes into the second call, I got licensing, and we stepped through the website. We found that it had actually imported the newer certificate even though it didn't display on the website. There was an advanced search that I hadn't tried that turned it up. Once I did that there was an option to register the serial number. That's kind of odd because that is what I thought I was doing when I imported the serial number into the website.

They've made a complicated mess of licensing that is causing a lot of problems. I'd say of the people I talked to today, two cared about solving the problem and reducing frustration. The rest of them couldn't be bothered.

Form Spy Spam Run

This evening at work someone is attempting to spam us with email containing an emule.exe attachment. It's getting detected as FormSpy by Message Labs.

According to the McAfee blog, previous versions of FormSpy have "hooked mouse and keyboard events in the Mozilla Firefox web browser. It can then forward information such as credit card numbers, passwords and URLs typed in the browser to a malicious website."

IM Manager Day

Today Symantec IM Manager (formerly IMLogic IMManager) took far more of my time than I really planned. Last night I got approval to block AIM 6 users until IM Manager supports that version. The method provided by support was to redirect or block a specific host name. The problem, which I discovered later, is that the host name is also used for AIM Triton. So redirecting that host name broke AIM Triton, which had been working for months. I really don't see a way to block AIM 6 without taking out Triton as well. It would be easier to deal with this if I was sure Triton 1.3 and 1.5 were successfully being filtered by IM Manager before. If they were bypassing the IM Manager protection for the past few months, I don't feel bad about blocking them now.

So that was my morning. After a series of afternoon meetings, I found that I'd received the IM Manager renewal license certificate in the mail. Unfortunately, Symantec has changed how you download license files and I haven't figured out how to do that yet. I also notice that the serial number gives me access to the 8.0.x version of the product rather than the newer 8.1. What's the deal with that?

fixing title, doh!

Symantec Virus Defs.

| 3 Comments | No TrackBacks

Symantec has had a problem with virus definition corruption in the past few versions. I must say the way it fails in version 10.0.2 is rather annoying. In versions 8 and 9 it would fail by having the service stop and it would no longer contact the parent server. So you would have to audit for missing machines in the SSC or use a product like SMS to look for systems with stopped Symantec Antivirus services. There is also an application log event indicating virus definition corruption.

In 10.0.2, the client still reports into the SSC, but it often does not list a scan engine number. The definition number does not update. This is better because you can look for systems that are online with out of date definitions or a blank scan engine number.

The part I find a problem is that in the application log of the afflicted computer, it says "virus definitions are current." There is no indication to the user that their SAV is broken. When you look at c:\program files\common files\Symantec shared\virus defs, I am seeing virus defs from a couple of days ago even though the SSC is reporting one of the older defs being in force.

So how do I fix it when I get into this situation? I've heard of some people at other companies who would replace the contents of c:\program files\common files\symantec shared\virusdefs\ and c:\documents and settings\all users\application data\symantec\... I guess I'm a bit scared to do that. I wonder if I have to match OS version. Do I have to match SAV versions? Writing scripts saves time in the long run; unfortunately you have to make time now to get it right. I just don't have that time. So I do things the manual way.

The Manual Way
In c:\program files\common files\symantec shared\virusdefs:
1. Delete the most recent folder containing a virus def. In this case it's 20061025.039.
2. Edit definfo.dat to match the reduced number of virus defs. In this case CurDefs changes to 20061024.020 and LastDefs changes to 20060930.002.
3. Edit usage.dat. There should be one "date" indication followed by a list of SAV components. In my case I see:

[20060930.002]
navcorp_70=1
navcorp_70_2=1
[20061025039]
defwatch_10=1

This is wrong; there should be only one date. Remove [20061025.039] and change the "date" at the top to match your most recent virusdefs. In this case it's 20061024.020. I suspect my problems are caused by doing upgrades and causing both navcorp_70 and navcorp_70_1 being there. But I'm not sure about that.
4. Symantec says to check the incoming folder; that has rarely had anything in it. It should be empty.
5. If you see any folders ending in .tmp, delete them.

Next go to c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\. I remove all the files in this directory (not the folders). I then remove all the folders in the i2_ldvp.vdb folder.

Stop and then start the Symantec service. If everything is happy it should create a new folder with today's defs in the virusdefs directory (assuming you are on a corporate network getting updates through VDTM); otherwise run liveupdate.
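Before editing the .dat files by hand it helps to confirm what is actually inconsistent. The following is an added Python example, not code from the original post and not a Symantec tool: it parses definfo.dat and usage.dat, flags the conditions the steps above fix (extra date sections, CurDefs pointing at the wrong folder, leftover .tmp folders) and works out the corrected file contents without touching disk. It assumes definfo.dat is an INI file with a [DefDates] section holding CurDefs and LastDefs, and that every component listed in usage.dat should end up under the single remaining section; the sample folders and files are constructed from the values in this post.

```python
import configparser
import re

# Definition set folders are named YYYYMMDD.NNN, e.g. 20061024.020.
DEF_NAME_RE = re.compile(r"^\d{8}\.\d{3}$")

# Constructed sample mirroring the state described in the post: three def
# folders, a leftover .tmp folder, and a usage.dat with two date sections.
SAMPLE_FOLDERS = ["20060930.002", "20061024.020", "20061025.039",
                  "incoming", "12345678.tmp"]
# Assumed layout of definfo.dat (INI with a [DefDates] section).
SAMPLE_DEFINFO = "[DefDates]\nCurDefs=20061025.039\nLastDefs=20061024.020\n"
SAMPLE_USAGE = ("[20060930.002]\nnavcorp_70=1\nnavcorp_70_2=1\n"
                "[20061025.039]\ndefwatch_10=1\n")


def parse_dat(text):
    """Parse an INI-style .dat file into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep navcorp_70 etc. exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_virusdefs(folders, definfo_text, usage_text):
    """Return the problems found; an empty list means folders and files agree."""
    problems = []
    defs = sorted(f for f in folders if DEF_NAME_RE.match(f))
    tmp = [f for f in folders if f.lower().endswith(".tmp")]
    if tmp:
        problems.append("stale .tmp folders: " + ", ".join(tmp))
    dates = parse_dat(definfo_text).get("DefDates", {})
    cur, last = dates.get("CurDefs"), dates.get("LastDefs")
    if cur not in defs:
        problems.append(f"CurDefs {cur} has no matching folder")
    if last is not None and last not in defs:
        problems.append(f"LastDefs {last} has no matching folder")
    if defs and cur != defs[-1]:
        problems.append(f"newest folder is {defs[-1]} but CurDefs is {cur}")
    usage = parse_dat(usage_text)
    if len(usage) != 1:
        problems.append(f"usage.dat has {len(usage)} date sections, expected 1")
    for sect in usage:
        if not DEF_NAME_RE.match(sect):
            problems.append(f"usage.dat section [{sect}] is not YYYYMMDD.NNN")
        elif sect != cur:
            problems.append(f"usage.dat section [{sect}] != CurDefs {cur}")
    return problems


def repair_virusdefs(folders, usage_text, drop_newest=True):
    """Work out the manual fix from the post: drop the newest def folder and
    any .tmp folders, point CurDefs/LastDefs at the two newest remaining sets,
    and collapse usage.dat to one section named after CurDefs.  Returns
    (folders_to_keep, new_definfo_text, new_usage_text); nothing on disk is
    touched.  Merging all components under that one section is an assumption."""
    defs = sorted(f for f in folders if DEF_NAME_RE.match(f))
    if drop_newest and defs:
        defs.pop()
    if len(defs) < 2:
        raise ValueError("need two definition sets left to rebuild definfo.dat")
    cur, last = defs[-1], defs[-2]
    components = {}
    for section in parse_dat(usage_text).values():
        components.update(section)
    definfo = f"[DefDates]\nCurDefs={cur}\nLastDefs={last}\n"
    usage = f"[{cur}]\n" + "".join(f"{k}={v}\n" for k, v in components.items())
    return defs, definfo, usage


if __name__ == "__main__":
    for p in check_virusdefs(SAMPLE_FOLDERS, SAMPLE_DEFINFO, SAMPLE_USAGE):
        print("problem:", p)
    keep, new_definfo, new_usage = repair_virusdefs(SAMPLE_FOLDERS, SAMPLE_USAGE)
    print("keep folders:", keep)
    print(new_definfo + new_usage, end="")
    print("after repair:", check_virusdefs(keep, new_definfo, new_usage))
```

Run it against the real files by replacing the constructed samples with os.listdir() of the virusdefs folder and the contents of the two .dat files; re-running check_virusdefs on the repaired output should return an empty list before you restart the service.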

This rant seems to have turned into a knowledge base article. Keep in mind that symantec.com/techsupp is a much better place to get Symantec help. I'm just rattling off some thoughts.

This is rather weird: every system has the 20061024.020 and the 20061025.039 defs in the folder but reports in with a previous def version. How very odd.

Sending a Link

Tonight I'm working on a brief article for our I.T. Department's newsletter that is distributed to the company.

I'd noticed that some outbound email was being detected as a virus when people copied a webpage into an email and sent it. All that Javascript made the scanner unhappy. I think the rotating banner ad was also a problem because the email was then different each time it was loaded.

So the article was pointing out how to avoid the problem. The Exchange administrator advised the best way is to just send a link rather than the entire article. That reminded me that some infosec people don't believe in sending links. Rather you're supposed to just tell the recipient to go to site X and enter a search term.

I can see this now. "Go to www.fnord.ch and search on Bin Laden. You know this is not a virus because I'm making you type in the link and do a search yourself." Where's the protection there? Of course if it's "Go to the BBC site and search on Bin Laden" then it's safer. It's safer because people are too lazy to do that much work unless nudity is promised. :)

Security through unusability may be acceptable to some, but it's not to me.

Symantec wrote about the threat of EFS being used to hide viruses from administrator accounts and system.

Of course if you don't run as administrator, the virus wouldn't (as easily) get the chance to create a new administrative user and use that account to encrypt itself. Another suggested best practice when Windows 2000 first came out was that if you aren't using EFS, then disable it. If either of these practices were followed, this wouldn't be a problem.

McAfee wrote about this problem 6 weeks ago.

There is a virus family now that uses this technique.

Mondaq.com has an article on the Scansafe v. MessageLabs lawsuit. The website requires free registration.

MessageLabs was under an agreement to rebrand Scansafe's HTTP security as their own. After about a year of that, MessageLabs decided to take it in house, giving two months notice.

I've had great fun in my HTTP Security project as I've dealt with both vendors, and am fully aware of the back story. I would guess that the vast majority of MessageLabs customers have never heard of Scansafe.

Scansafe sued alleging the contract requires longer notice than a two month notice, and also that MessageLabs in creating their in house version is living off the ScanSafe good name.

I agree with the Judge in this case. It's kind of hard to be accused of misappropriating someone else's goodwill when you are licensing their software to use under your own name. You are authorized to appropriate the goodness of their software as your own. The problem comes in with the new in-house version being called version 2.0. They say that implies it's based on the original software.

So now MessageLabs is required to tell prospective customers that the Web Security is not based on Scansafe. Apparently they are free to then tell the users horror stories about Scansafe's product and why MessageLabs had to bring it in house to do it right.

Apple Rant

Apple somehow manages to blame Microsoft when Apple ships a virus preloaded on some iPods. Gee, I thought Apple was super secure and didn't need any of that fancy stuff like antivirus. Most companies have learned that scanning for viruses before shipping is part of quality control.

I expect that soon User Friendly will have a comic strip showing how the Microsoft blackops team planted this virus on the iPods.

Here's F-Secure's take.

I've been beating this drum for years.

Joris Evers wrote at news.com yesterday about the problem of targeted virus attacks. The headline calls it the future of malware.

One of the interesting things he notes in the article is that targeted attacks are using exploits in commonly used programs. So if the bad guy has a previously unknown zero day in Microsoft Office, it will get past a virus scanner and it will get past primitive file extension blocks.

The number of zero day attacks isn't limitless (it only seems that way). So the attacks would tend to be used against the high value target.

There was another article this week that suggested it's hard to get the antivirus vendors to even write a signature when one company suffers a targeted attack.

As I see it, the solution is the same as before: limit administrator rights, use HIPS, and use heuristics/sandboxing where possible.

John McDonald writes in the Symantec Security Response Weblog regarding the importance of updating virus definitions.

Yes, updating virus definitions frequently is important. Why then does Symantec only supply a liveupdate once per week to people still running version 8 and 9? Why does Symantec only update the Intelligent Update once per day? Why do I have to use XDBDown to be able to check hourly for the latest updates? Why does Symantec discourage the use of the Rapid Release definitions? Why does Symantec often rate poorly when comparing vendors update speed when new viruses come out?

The author reports that, "Among the home users surveyed, just 46.3 percent said their antivirus software is up to date." Is this an indictment of the usability and effectiveness of their antivirus software? Shouldn't the vendor work to make the software stay up to date on its own, not break, self-heal where possible, and lastly inform the user if they need to take action to make it work again.

His defense of virus definitions is kind of weak in my opinion. The author states that with the exception of SQL Slammer, most viruses start out slow, and you are protected if you download the virus definitions before it reaches you. This reminds me of the fire department. They aren't there to prevent you from ever having a fire; they are there to prevent it from destroying your whole neighborhood. Frankly, I'd rather not have the fire in the first place. In this age of targeted attacks, motivated by money and backed by criminal concerns, I am not willing for my company to be the victim that allows everyone else to stay safe.

I'm rather disappointed with his stance against heuristics. I think it is working rather well for McAfee thus far. In this age of zero day attacks, we aren't going to turn to third party patches, and antivirus can not always protect us. We need to consider adding HIPS to the corporate desktop protection suite.

New Viruses in Email

I'm seeing some viruses detected this evening with generic names.

Subject: hello
Subject: Mail Delivery System
File:document.msg.exe
Subject: Fwd: ls878grz.dallas.net mail server report.
Subject: mail server report
File: Update=2DKB3500=2Dx86.exe
body.elm.scr
Virus: New Malware.n

Subject: Error
File: body.msg.pif
Virus: New Malware.j

Here's an Australian IT interview with Message Labs executive Adrian Chamberlian.

Sure, it's a bit of marketing material, but I find it interesting.

Imagine a world in which terrorists target government websites with millions of spam emails.

Or a world in which viruses take over your computer, turn it into a zombie, and use it to send out more spam.

It's called reality, and it's going to get worse.

The popularity of mobile phones means text spam will increase, mobile phone viruses will go from concept to reality, and voice spam -- automated calls that bombard you day and night -- will become common as marketers take advantage of cheap VoIP calls.

They expect to see more companies turning to managed services such as what they provide. Actually that worries me a bit. If they are protecting too many desirable targets the bad guys might focus on them and how to penetrate the ML defenses.

W32/Stration

| 1 Comment | No TrackBacks

I noticed that a few copies of W32.Stration were detected in the inbound email today. It's a nice break from all the phishing and Mytob.

It seems like someone decided that Symantec is no longer a favored company. I think it started last year when support hold times were up over an hour. Whatever the cause, SAV admins are looking for any opportunity to complain. SAV updates the product, complain. SAV doesn't update the product, complain. SAV doesn't provide updates in the method you'd like, complain.

Which leads us into today's item. An admin from the University of Richmond would like the ability to push out SAV updates via the Symantec System Center. Does he enter a feature request? No! He posts to the Full Disclosure mailing list as if this were some sort of discovered exploit.

Symantec does need to take a look at distribution systems such as those used by McAfee ePolicy Orchestrator or Webroot SpySweeper Enterprise. But ultimately, this is an enterprise product, and enterprises invest in products such as SMS to perform software rollouts.

Consumer Reports reviews antivirus products in its September 2006 edition. Most of the article requires a subscription, so I have not had a chance to look at it yet.

McAfee responds in their weblog. The author "Igor" obviously has no clue who Consumer Reports is. As a result, he is confused by the September 2006 date. Since the material is undoubtedly part of the September 2006 edition of the magazine, that is the correct way to date the article on their website as well.

Igor gets his nose out of joint because CR used a live-fire test, creating new viruses in the lab. Igor prefers tests where three-month-old virus definitions are used so any virus that came out after that can be tested as a "new" virus.

Complaining about that reminds me of when a vendor complains about the method of disclosure to distract from the vulnerability in their product (although there is actual damage from full disclosure and no damage from this private lab test). Igor needs to get over it. Signature-based detection is dead, and antivirus products will be judged by their heuristic and behavioral protections. That said, CR needs to look into the standard virus testing methodology. They are unaware of the testing performed by av-comparatives, for example. These types of tests are not as new as CR imagines.

http://www.avertlabs.com/research/blog/?p=71

Symantec IMManager 8.0.5

Symantec IMManager 8.0.5 is out with release notes located here.

This release includes support for Yahoo Messenger 8.

Symantec IMManager (IMLogic) support slipped further this month. They implemented further changes to integrate the IMLogic purchase with their existing support framework.

The knowledge base was integrated into Symantec's existing knowledge base. Before it was possible to sort the responses by relevancy, date modified, and by how many customers used an answer. It was also easier to restrict the search results by version and product.

It is no longer possible to enter tickets via email.

Creating a ticket online has migrated to a new system, and I have not been provided with a password.

Calling support is now as annoying for IMLogic as it is for the antivirus product.

It was easy to communicate with IMLogic. I am afraid that this has been lost in the Symantec purchase.

"Symantec Security Response will post LiveUpdate virus definitions today, August 3, 2006 to address an Adware.VirtualBouncer false positive detection on pskill.exe from Sysinternals."

Looks like Message Labs has gotten themselves into a legal entanglement with web scanning provider ScanSafe.

As I've posted earlier, Message Labs was reselling ScanSafe's web security product. This spring I received a notice that Message Labs' web security version 2.0 was available and it was now integrating Message Labs' proprietary Skeptic antivirus software. In my opinion Skeptic is the most successful antivirus heuristic available and I wanted to see how that did with web scanning. ScanSafe has their own unnamed zero-day antivirus protection (I always kind of thought they had licensed Skeptic, but who knows).

A judge has ruled that Message Labs calling their service "2.0" would cause customers to think they were still reselling ScanSafe. ML will be required to disclose this change to all current and future web protection customers.

I had suspected Message Labs may have dropped ScanSafe and brought everything in house, but I wasn't sure. In the defense of Message Labs, only people like myself who read press releases ever knew about the name ScanSafe. No one at Message Labs used that company name with me until I brought it up.

I was having problems sending email through my ISP earlier this week. The error message I was receiving from Outlook Express was

Your server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Account: mail.example.com, Server:
'smtp.example.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes,
Error Number: 0x800CCC0F

This mail account requires username and password in order to send mail. To protect against sniffing, I prefer to encrypt my authentication traffic in IMAP and SMTP. To narrow down the issue, I disabled SSL and found that I was able to send email successfully. Next I attempted to send a message with SSL while connected to a different network. This time I got a different error with a link to a Symantec Knowledgebase article.
"An encrypted email connection has been detected. Please see help for more information on how to transmit encrypted email."

It turns out, that Symantec says:

If your Internet service provider uses the SSL in email protocol, you might have problems sending email messages. In this case, you might need to disable Symantec AntiVirus email scanning.

In order to be able to send email and use SMTP over SSL, I had to disable the Internet Email scanning within Symantec Antivirus. This is still secure because the file system real-time protection will still scan any file attachment. Message bodies will no longer be scanned, and the attachment will be scanned when it is opened or saved rather than when the email message is opened. For years Symantec didn't even have an Internet Email scanner in their corporate product, so I don't think disabling it is a huge risk.

About a month ago, my manager asked me for some help in interpreting the results from a scan she had run using Foundstone SuperScan. She is in a security course as part of her Master's degree at GW. The scan results strangely showed ports 110 and 25 open. This didn't make any sense to me. These ports shouldn't be open on an end user's desktop or laptop. I used SuperScan on my own desktop and laptop and obtained the same result. I tried to verify the results with Nmap but it kind of bombed out on me. Next, I looked at the most recent STAT results and saw that it too was seeing those ports open. Multiple scanners agreed the ports were open, but I couldn't determine why.

I tried to connect to the ports manually using telnet and netcat but no banner was displayed. It looked to me like I was not able to connect to the port. This remained a mystery unsolved until this week. I was at a HIPS seminar put on by Third Brigade and I read the readme for their product. It reported that Norton Antivirus will cause 110 and 25 to appear to be open because of the way it proxies those connections so it can scan Internet Email. I can't find confirmation in the Symantec Knowledge Base, but I have found confirmation through a writeup from GFI.

Shouldn't Symantec only be proxying outbound requests? This internet mail scanner plugin is intended to be only on end user computers. By answering requests from external scanners, they are opening the computer to any vulnerability in their SMTP and POP scanning service. Defense in depth would use a personal firewall to block such access.

This SMTP scanner seems to be more trouble than it's worth. We've had issues sending email to some mail servers with it enabled. I'm going to post later about my experience with SMTP over SSL and this scanner. The computer will be protected by the File System Real Time Protection. This Internet Mail protection does little but preserve a clean inbox.
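The way to confirm what the scanners were seeing is to connect to the two ports yourself and watch for the greeting. A real SMTP daemon sends a "220" line and a real POP3 daemon sends "+OK" before the client says anything, so a connection that opens but stays silent is exactly what an antivirus mail proxy that only relays once the client speaks looks like. The probe below is an added example, not code from the original post or from Symantec; the "silent listener" label is my own heuristic, and the default target of 127.0.0.1 is an assumption.

```python
"""Probe local mail ports and tell a real mail service from a silent proxy.

Added example: the classification of a silent listener as a likely antivirus
mail proxy is a heuristic, not a vendor-confirmed test.
"""
import socket
from dataclasses import dataclass
from typing import Dict

# The two ports the post found "open" on end-user machines.
MAIL_PORTS: Dict[int, str] = {25: "SMTP", 110: "POP3"}
# A real server greets the client first: SMTP with 220, POP3 with +OK.
GREETINGS = {25: "220", 110: "+OK"}


@dataclass
class ProbeResult:
    port: int
    connected: bool
    banner: str  # first line received, "" if nothing arrived before the timeout


def probe_port(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Connect to host:port and wait briefly for a protocol banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except OSError:          # timeout or reset: treat as "no banner"
                data = b""
    except OSError:                  # refused, unreachable, or no listener
        return ProbeResult(port, False, "")
    banner = data.decode("ascii", "replace").splitlines()[0] if data.strip() else ""
    return ProbeResult(port, True, banner)


def classify(result: ProbeResult) -> str:
    """Map a probe result to a label a desktop admin can act on."""
    if not result.connected:
        return "closed"
    greeting = GREETINGS.get(result.port)
    if greeting and result.banner.startswith(greeting):
        return "real mail service"
    if result.banner == "":
        # Connection accepted but no greeting: the behaviour the post
        # describes for the Symantec Internet Email proxy.
        return "silent listener (likely AV mail proxy)"
    return "unknown service"


def check_mail_ports(host: str = "127.0.0.1") -> Dict[int, str]:
    """Probe every mail port on one host and return port -> label."""
    return {port: classify(probe_port(host, port)) for port in MAIL_PORTS}


if __name__ == "__main__":
    for port, label in check_mail_ports().items():
        print(f"{MAIL_PORTS[port]} port {port}: {label}")
```

Run it on the workstation itself (loopback) and then from another machine on the LAN against the workstation's address: a "silent listener" that answers from outside is the exposure the next paragraph worries about, and a host firewall rule limiting those ports to loopback is the check that the exposure is gone.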

I spent most of my Saturday upgrading Symantec (IMLogic) IMManager. We have two servers running that, one acts as a proxy for public IM traffic and the other looks at LCS traffic. Prior to implementing IMManager we had a track record that once a month a user would get their computer infected through IM and then spread it to their contacts inside and outside the company.

The upgrade process wasn't the smoothest thing I've experienced. I didn't follow their advice to try it in a lab environment first. I felt like it would take me more time to set up the lab environment and even then it wouldn't prove that I could upgrade production successfully, only that I could upgrade the lab successfully. I decided it would take about the same amount of time to fix whatever problem occurred on the production machine.

I backed up the database to allow for a fall back position, I reviewed the release notes and all available documentation and jumped in. Symantec provides a lot of information in the documentation, the release notes, and in knowledge base articles, so I was able to create a decent upgrade plan.

I received an error on my update indicating "an error has occurred in the installation of the IM Manager. Description: Failed to install the IM protocols engine. Would you like IM Manager setup to continue." There was a support article with a few things to try (missing dll, Windows Installer not started, and you're just screwed). None of those suggestions were relevant. I'm wondering now if the problem was a failure to stop the upgrade service as they recommended.

To resolve the problem, I had to uninstall by hand. There is a knowledge base article for this, but it's pretty obvious what to do. Delete the install directory. In the registry, remove the uninstall key and the service keys. I then installed 9 from scratch. Since I had a SQL database on another server, the configuration was preserved.

I am still missing support for Yahoo Messenger 8 (they are working on that for a future release), and I had had a weird problem where I had to reboot to get the server to listen for AIM traffic, but other than that I'm pretty happy. Hopefully it will continue to work on Monday when the users come back.

IMManager is integrated with Microsoft (Sybari) Antigen for IM to provide antivirus scanning. I upgraded that a minor build number as well. The only new development there is to allow encrypted LCS traffic and also support LCS 2005 sp1.

http://news.zdnet.co.uk/communications/3ggprs/0,39020339,39279551,00.htm

"A spat has erupted between the two security services companies
following CA's accusation that antivirus vendor F-Secure was
overplaying the threat of mobile malware."

Amazing, I actually agree with CA about something.

ZDNet reports on a security breakfast hosted by email hygiene firm Message Labs. Graham Ingram, General Manager of the Australian CERT, said that the most popular brands of antivirus have an 80% miss rate in cases of new malware.

It's the same thing I've been stating for years. Signature-based antivirus will let you down. They are very good at dealing with old viruses, but not so good with the new viruses.

eEye has reported a remote code execution vulnerability in McAfee ePolicy Orchestrator versions prior to 3.5.5.438. This version became available January 2006 but was not marked as a security update.

I tried to download an evaluation copy of McAfee Portalshield for Sharepoint today. After filling out the required contact information and accepting a license agreement, I'm taken to a screen that says

McAfee PortalShield 1.0.1 - 81.47 Mb -
www.mcafee.com 1-800-338-8754.

There is no download link on the screen! I called the phone number listed, and they suggest that I check the support knowledgebase on the website, and that there is probably something wrong with my browser.

I've got plenty of choices for a Sharepoint Antivirus vendor. So I'm thinking of just moving on to the next vendor on the list.

A post to the Full Disclosure list reports a local denial of service in McAfee Antivirus Enterprise 8.

http://seclists.org/lists/fulldisclosure/2006/Jul/0157.html
From: John Doe
Date: Sun, 9 Jul 2006 10:53:21 -0700 (PDT)

A local Buffer Overflow was discovered in McAfee VirusScan Enterprise 8.0.0.

The overflow can be triggered within the "Buffer OverFlow Protection Properties" by creating a buffer overflow exclusion. Then fill each field with data, and click ok, and apply

Process name: AAAAAAAAAAAAAAAAA......etc
Module name: AAAAAAAAAAAAAAAAAA......etc
API name: AAAAAAAAAAAAAAAAAAAAA......etc

This will trigger various exceptions based on amount of data added to each field.

This will DoS the AV. McAfee AV will not run correctly again until Buffer Overflow Protection is disabled or the Buffer Overflow Exclusion is removed.

It's become obvious to most that reactive signature-based antivirus products are not sufficient to protect computer systems. In Kaspersky's viruslist.com, Oleg Gudilin looks at whether proactive protections will be a cure-all for viruses.

The article has a lot of interesting graphs from AV-comparatives.org and av-test.org.

I agree with him that vendors are using terms like proactive and zero day incorrectly. Some vendors have implied to me that no update is necessary, but when pressed on how they provided protection against a specific new threat, the first thing they said was an update was deployed.

Where the article falls short for me is that it only includes proactive measures that have been added into antivirus products in recent years. It would be interesting to see how full blown HIPS products shape up.

On the whole, I agree with the author that proactive measures are necessary but that these will not replace signature based detections.

w97m/kukudro.a

Catching up on some things from while I was out this week. We got a spike in detections of a new virus w97m/kukudro.a. F-Secure reports that the file is sent in a zipped archive. When opened, it uses an ancient exploit to run automatically. This occurs in Office XP and 2000 even if macros are disabled. In Office 2003 the vulnerability does not exist so the exploit will obey the macro setting. In many environments, the default macro security setting is to ask the user what to do.

Alex over at the Sunbelt Software blog is having a temper tantrum over what he terms the predatory pricing of Microsoft OneCare and Frontbridge. Imagine what he'd be saying if they were giving it away, as they probably should be.

I don't really follow this all that closely. I'm currently a user of Microsoft Antigen and the price quotes for Frontbridge seem to be what I'm paying for Antigen now. So I don't see the predatory pricing. Further, he says Microsoft has gone outside the norm in their pricing method. The reality is that Sybari was always a subscription-based model where the software is licensed for a period of time only. This is not a change.

The legacy antivirus vendors should be on notice. If they want to continue with the same crappy products bundled together for higher prices, it will no longer work. Alex says that Microsoft will stifle innovation. I say the opposite. AV companies need to get off the bench and create better products.

To beat the bear

In May 2005 I wrote about the security analogy about the bear: two guys, one of whom stops to put on running shoes. It's "good enough security." I don't have to outrun the bear, I just have to outrun you. I opined that good enough security is only good enough when your security exists only so you can check off a requirement with a regulatory agency. In reality, targeted attacks destroy "good enough" security. What if the bear doesn't care about your slower friend? What about when it's personal?

In the June 2006 issue of SC Magazine, the opening editorial makes use of this analogy and makes the point that good enough security doesn't work against internal attacks either. They would argue that the main defenses are policies such as job rotation, separation of duties and rotation of duties.

Can't stop for a minute

I glanced at my blackberry during dinner and saw a whole mess of virus alerts such as the following:

The message sender was
alerts@CNN.com

The message originating IP was 81.168.6.17
The message recipients were user@$mydomain.com

The message was titled Osama Found Hanged
The message date was Thu, 15 Jun 2006 22:02:54 -0700
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
/var/qmail/queue/split/0/attach/3384881_4X_AZ-D_PA2__Photo=20and=20Article.exe
Found the W32/Sdbot.worm.gen.as virus !!!

In case it's not clear, that is the admin notification when someone sends a virus. Looks like another run of viruses being spammed. How many times have they tried the Osama bin Virus since 2001?

eEye has released additional details on the SAV 10 vulnerability.
http://www.eeye.com/html/research/advisories/AD20060612.html

As rumored, the vulnerability is in the remote management, and would allow an attacker to run code with system privileges.


Overview:
eEye Digital Security has discovered a vulnerability in the remote management interface for Symantec AntiVirus 10.x and Symantec Client Security 3.x, which could be exploited by an anonymous attacker in order to execute arbitrary code with SYSTEM privileges on an affected system. The management interface is typically enabled in enterprise settings and listens on TCP port 2967 by default, for both server and client systems.

The SANS Internet Storm Center has information answering my question on the conflicting info on whether or not you have to open the attachment.

To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses.

They go on to say that the virus is poorly coded and does not do everything the writer is trying to achieve. There are two versions in circulation, with the second being an attempt at a bug fix.

Symantec 6/12 virus defs detect this.

Yamanner is written in Javascript. It exploits a vulnerability in the Yahoo email service to send a copy of itself to the user's Yahoo email contacts.

Mitigation is tough at this time. You can't disable JavaScript and still access Yahoo Mail. The viral messages are from people you know. You could not open unexpected messages, but that kinda negates the purpose of the Internet in my opinion. Users in the Yahoo Mail beta are not affected.

Yahoo Zero Day: JS.Yamanner

There is some talk over on the Full Disclosure mailing list of a worm on Yahoo Mail. They say it is exploiting a vulnerability in Yahoo Mail so that when you open an email with the exploit it will send email to gathered yahoo addresses.

Symantec has a writeup here.

JS.Yamanner@m performs the following actions: Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:

From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.

Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.

Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.

Targets email addresses from the @yahoo.com and @yahoogroups.com domains.

Contacts the following URL:

[http://]www.av3.net/index.htm
Sends a list of email addresses gathered to the above URL.

It's not clear from this if the user is required to open an email attachment to be exploited or if it occurs as the email message is opened.

McAfee Misdetects EICAR

EICAR is the antivirus industry standard for verifying that the antivirus scanner is on and can detect something. It's a harmless line of text.

According to a post on the Full Disclosure mailing list, McAfee is misidentifying EICAR as elspy.worm.

The misdetection was reported with McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11) using the 4781 DAT file. I have not verified this report.

Message Labs is rolling out an update to its antivirus scanning with a new feature called link following.

The free Link Following feature will automatically examine all email messages containing URL links. Upon seeing a particular URL for the first time, Link Following will allow the email to continue on its path while it creates a copy of the URL for further investigation. Link Following actively (either heuristically or manually) follows these links and checks the linked website for viruses or other types of potentially harmful content or payload. If a suspicious link is confirmed as viral, a signature is created and any further emails containing that link are treated as messages containing a virus. This means that they will be quarantined for fourteen days under the same MessageLabs Anti-Virus procedure currently in place.

Patching Symantec

Good article post over at boardfish (second post down on the page) on patching using the msp files. It's similar to the method I advocate.

I'm really not sure why they have him create a second administrative install point for the second patch.

Also not sure why you'd patch the install point and then reinstall from there instead of merely rolling the patches to the clients.

Are we free to use any MSI method we prefer? Or are there Symantec specific ways of doing things?

I don't see it reflected on their public bulletin yet (give it some time), but the ftp site now has updates for 10.0.2.2000 and 10.0.2.2001 to patch them to the resulting version of 10.0.2.2002.

ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/symantec_antivirus_corp/10.0/updates/

These patches keep trickling out. If you are running an earlier build of SAV 10 than is currently patched, keep waiting; I'd expect it out in the next couple of days.

ISC is reporting that the exploitation occurs through the management port that is opened on managed SAV clients. I haven't seen a source for that. If your personal firewall policy is really granular, for example listening to only the parent server on that port and no one else, then you may be in good shape.

If Marc had simply informed the manufacturer of the problem, and told no one else, we'd be in about the same shape as we are now. Their version of responsible disclosure does little to allow people using this product to protect themselves other than hope for fast patching. That isn't always feasible in an enterprise environment. I suspect most people are working on patching flash and quicktime still, that is if they bother to patch applications at all.

SANS ISC is reporting that

Some have reported that the patching process is not trivial, and can be difficult to roll out in some environments.

What exactly does this mean? In the not so distant past, patching Symantec has meant testing and rolling out an entirely new version of the product. If you know anything about mst files, this is much simpler. I guess some people are expecting this to be deployable through LiveUpdate. Not sure where they'd pick up that expectation. Deployment of this patch will require a reboot, but if you used an enterprise-ready method of deploying SAV in the first place, deploying a patch isn't that difficult. The biggest problem I expect is the user revolt that requiring another reboot will cause.

Here's the breakdown for those like me who know version numbers better than this MR/MP/PP versioning system.

For SAV Corporate Edition the following versions have patches available.
Unpatched -> Patched
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021
10.1.0.394 -> 10.1.0.396
10.1.0.400 -> 10.1.0.401

Surprisingly Symantec has not patched the initial release of SAV 10.0.2.2000. I don't know if a patch is coming for them or not. Apparently 10.0.2.2001 users need to upgrade to 10.0.2.2010 or 10.0.2.2020. Basically it's applying one mst file for the initial update and then another mst file for the point patch (they can be combined in one command such as msiexec /p "patch1;patch2"). I guess that is easier than doing a full upgrade to 10.1, although that would at least get some new features.

Additional patches for localization and platform-specific builds (does that mean 64-bit?) have an ETA of Tuesday. I find that approach interesting because Microsoft chooses not to favor its English-speaking customers, preferring to patch systems at the same time.

Symantec has released patches for Symantec Antivirus. The files are on their ftp site but the support site isn't updated yet.

It looks like since I'm running 10.0.2.2001 that I'm going to have to apply the 2020 build mst file (MR2, MP2) before I can apply this fix. :(

I guess I have to learn a bit about mst files. I think I should be able to chain the two files together but I'm not sure of the exact syntax to use when pushing that out with SMS.
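The two posts above describe the same procedure: chain the build update and the point patch into one msiexec run, push it with SMS, and then confirm the client ended up on the patched build. The script below is an added example, not code from boardfish, Symantec or the original post. It builds the chained command line (the semicolon-separated /p list the earlier post mentions, plus /qn, a verbose /l*v log and REBOOT=ReallySuppress so the rollout tool owns the reboot), translates the msiexec exit code, and reads the installed DisplayVersion back from the Uninstall registry keys. The patch file names, log path and the "Symantec AntiVirus" DisplayName prefix are placeholders.

```python
"""Chain Windows Installer patches and verify the result (added example)."""
import subprocess
import sys
from typing import List, Optional

# Exit codes Windows Installer documents for msiexec.
MSI_OK = 0
MSI_REBOOT_INITIATED = 1641   # ERROR_SUCCESS_REBOOT_INITIATED
MSI_REBOOT_REQUIRED = 3010    # ERROR_SUCCESS_REBOOT_REQUIRED


def build_patch_command(patches: List[str], log_path: str) -> List[str]:
    """One msiexec run applies several patches when the .msp files are passed
    as a single semicolon-separated /p argument. /qn keeps the push silent,
    /l*v writes a verbose log, and REBOOT=ReallySuppress leaves the reboot
    to the rollout tool instead of msiexec."""
    if not patches:
        raise ValueError("no patch files given")
    for p in patches:
        # Windows Installer patches are .msp files; .mst files are transforms.
        if not p.lower().endswith(".msp"):
            raise ValueError(f"not an .msp patch file: {p}")
    return ["msiexec", "/p", ";".join(patches), "/qn", "/l*v", log_path,
            "REBOOT=ReallySuppress"]


def interpret_exit_code(code: int) -> str:
    """Turn the msiexec exit code into the status the rollout report needs."""
    if code == MSI_OK:
        return "applied"
    if code in (MSI_REBOOT_INITIATED, MSI_REBOOT_REQUIRED):
        return "applied, reboot required"
    return f"failed (msiexec exit code {code}, see the /l*v log)"


def apply_patches(patches: List[str], log_path: str) -> str:
    """Run the chained patch command on the local client (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("msiexec is only available on Windows")
    proc = subprocess.run(build_patch_command(patches, log_path))
    return interpret_exit_code(proc.returncode)


def installed_version(display_name_prefix: str) -> Optional[str]:
    """Read DisplayVersion from the Uninstall keys (32- and 64-bit views) for
    the first entry whose DisplayName starts with the given prefix."""
    import winreg  # Windows only, so imported here rather than at module level
    uninstall_keys = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                      r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
    for key_path in uninstall_keys:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as entry:
                    try:
                        name = winreg.QueryValueEx(entry, "DisplayName")[0]
                        if str(name).startswith(display_name_prefix):
                            return str(winreg.QueryValueEx(entry, "DisplayVersion")[0])
                    except OSError:
                        continue
    return None


if __name__ == "__main__":
    # Placeholder patch names: substitute the files downloaded from the ftp site.
    patches = [r"c:\patches\sav_build_update.msp", r"c:\patches\sav_point_patch.msp"]
    log = r"c:\patches\sav_patch.log"
    print(" ".join(build_patch_command(patches, log)))
    if sys.platform == "win32":
        print(apply_patches(patches, log))
        print("installed version:", installed_version("Symantec AntiVirus"))
```

The printed command line is what goes into the SMS program; the exit-code mapping matters because a 3010 is a success that SMS would otherwise report as a failure, and the version read-back is the check that the chained patches actually landed on the build the table above expects.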

Eeye is reporting that

a remotely exploitable vulnerability exists within the Symantec Antivirus program. This flaw does not require any end user interaction for exploitation and can compromise affected systems, allowing for the execution of malicious code with SYSTEM level access.

This is reported in SCS 3 and SAV 10. Currently it is not known if they have tested earlier versions or not.

This is a follow on post on the exploitation of the Invision Forum used by Six Apart for its Movable Type free Support.

The code that is serving up the WMF exploits is in an IFRAME using an obfuscated url. Using a URL deobfuscator over at IPTools.com, I found that the iframe is calling http://traffnew1.biz/dl/adv670.php (danger will robinson, danger). Which I believe is hosted in Russia. Their DNS server is on the same IP block.

If you are running Internet Explorer when you go to that website you get exploited.
Spoofing IE6 on XPsp2 I get an obfuscated script. Not sure how to detangle that.

Gamedaily.com was hit by this bad guy on May 8th. They were also running Invision. So this has been occurring for a while.

Invision Board Vuln

While watching a little NASCAR this evening and IMing with friends, I decided to check out the Movable Type Support Forum. Movable Type is the blog software I use over at infosecblog.org.

The second I browse to http://www.sixapart.com/movabletype/forums/index.php I notice an odd script prompt:

Next I got virus alert popups from Symantec Antivirus telling me I had wmf exploits in my temp files!

It looks like Six Apart (the company that makes movable type) is using Invision Power Board version 2.0.4. A major vulnerability was announced on this version a few days ago.

Moral of the story, if you haven’t learned it already: 1) patch your system, 2) keep your antivirus up to date, and 3) even when you aren’t surfing the seedy underbelly of the web, you can get exploits thrown at you.

I’ve sent an alert to the ISC as well as to the webmaster at six apart.

The Microsoft Anti-Malware Engineering Team reports on their blog that they will be participating in virustotal.

For those that don't know, virustotal.com is a way cool website where you can scan a suspicious file against around 10 vendors. This might help you see what wacky name of the week one particular vendor is using for a virus. Also it might show you who doesn't have detection available. That's why a few AV vendors have declined to participate in virustotal. So I think its pretty cool that Microsoft is getting involved.

I'm seeing some Word documents being detected by the Kaspersky scan engine as Trojan-Dropper.MSWord.Lafool.g. I don't see a writeup of that on the Kaspersky site. The latest Lafool variant currently written up is "f". None of the variants actually have much if any information in the writeup. Looks like I need to figure out how to submit this to support.

update: I checked the Kaspersky forums and found other people noting the same problem.

To report things like this to Kaspersky, send the files in a password-protected archive to "newvirus at kaspersky dot com" and write "possible false positives" in the subject.

I found that they already had new virus definitions available that rectified the problem. I've downloaded them and tested the result.

Symantec Scan Engine Bugs

I hate it when I see something, and my reaction is :meh: so I don't blog about it, but then a day later it gets blogged by others. I see the ISC has picked up the news that the Symantec Scan Engine has a couple of vulnerabilities. This has nothing to do with the corporate or consumer product that you use on your desktop. Rather, it is a server that you might use with the ICAP protocol to scan traffic, such as HTTP.

Symantec's writeup is here. Rapid7 discovered these vulnerabilities and has a writeup on their site as well.

Protection against the zero-day attack has been a buzzword in anti-malware software marketing. It's an important thing to have. You can't run a business while waiting multiple days for virus definitions to be released covering the latest attack.

Symantec Mail Security for SMTP 5.0 is a new email gateway solution that attempts to provide such protection. It combines Brightmail antispam technology with Symantec antivirus and content filtering.

http://www.securitypipeline.com/185303122?CID=rssfeed_pl_scp

One key new feature is zero-day protection against threats, which uses information on emerging exploits gathered from Symantec’s network of more than 3 million e-mail addresses. When a suspicious e-mail arrives at the server, this feature can be configured to automatically strip off and quarantine the attachment until a virus definition is released, or simply delete the message, said Caccia.

Many vendors are attempting to enable zero- day threat protection by adding multiple virus engines in order to maximize detection, but that doesn’t offer the same level of protection as Symantec’s new offering, said Tom MacArthur, principal of Storbase, a solution provider in Waltham, Mass.

“Although you get some incremental benefit from the [former] approach, it’s always better if you can catch viruses early on,” MacArthur said.

Hopefully there will be a bakeoff between this product and those that use multiple engines. It will be interesting to hear more about this approach. I wonder if it is using technology similar to the Real Time Threat Protection Service they just bought when they purchased IMLogic.

Neither approach is going to get 100% of the viruses. They are each vulnerable to targeted attacks. Message Labs, on the other hand, uses a heuristic scanner (Skeptic) in addition to three scan engines. Even targeted attacks will have a difficult time penetrating this defense.

http://www.networkworld.com/news/2006/040306-trend-micro-data-revealed.html

My favorite portion of the article " an employee, who is no longer with Trend Micro,".

A Trend Micro employee, puts company reports on his home computer. He doesn't run antivirus on his home computer. But he does run a P2P program on the computer. Then the employee goes for the idiot trifecta and gets infected with a virus. The virus shares out the entire hard drive, and the Trend Micro reports including company data are shared on Japan's most popular P2P network. Good work.

Do we even need to stop and think about the lessons to be learned here, or are they so obvious it's hard to miss them?

Nice Trick

F-Secure's blog reports on a use of rapid polymorphism in the latest Bagle.

Is it Tax Time Already?

I notice in the inbound email today a bunch of email with the following characteristics:
Envelope From: root@localhost.localdomain (may be gathered from sender computer as well)
Display From: service@IRS.GOV
Subject: receive a tax refund of 63.80
Virus: LinkAliasPostcard (I believe that means it's a link to exploit code)

F-Secure Sanctimony

F-Secure blog writer Sean gives it to Microsoft with both barrels for daring to do research on rootkits.

First he blasts them for doing research into how an attacker might build a better rootkit.

Next he blasts them because in 1993 someone did that with a floppy.

I can't believe that someone at an antivirus company is blasting someone else for doing research into the dark arts. If my antivirus company failed to do research into the dark arts, they would be in constant reaction mode. I'd prefer that my AV company think of ways to 0wn my computer and then protect me from it. Otherwise, they are just taking my money and sitting on their thumb waiting for an attack. The attack of course would allow them to sell more product.

F-Secure is a cutting edge AV company. I don't think they sit around waiting for the bad guys to innovate first. So I don't know why Sean at F-Secure would blast Microsoft for doing this research. He compares it to research into Nuclear Fission.

McAfee w95/CTX False Positive

| 1 Comment | No TrackBacks

McAfee had a major false positive on Friday that affected a lot of applications.

I've seen reports that affected applications include:
Microsoft Excel 2000
Macromedia Flash Player 7
Oracle J-Initiator Client
Oracle Client Applications
Borland Database Engine Drivers
Sun Java Runtime Environment v2
ADP Payroll Applications
CA UniCenter Applications
ProComm Plus
And Many More...

McAfee is reporting the most common false positives are:
usersid.exe Windows XP file
imjpinst.exe Windows XP file
ecenter.exe Dell file
ntfstype.exe Utility
adobeupdatemanager.exe Adobe Update Manager
gtb2k1033.exe Google Toolbar Installer
43gcjvgahnu44.ths Macromedia Flash Player 7.0 r19
excel.exe Microsoft Excel
graph.exe Microsoft Excel

If the files are in quarantine, you can restore them after updating to a later virus definition. If you've let McAfee delete them, you need system restore or backups.

McAfee False Positive part 2

| No Comments | No TrackBacks

According to the SANS Internet Storm Center diary, there was a false positive in McAfee defs on Friday. They asked a couple of questions that I thought were worth a blog entry.

How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak" ?
We use Symantec Antivirus in our environment. It sends an email alert to the antivirus administrator about each virus alert. The antivirus administrator should be able to make a decision based on his/her experience, the directory and filename of the reported file, and the number of reports.

Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming ? Where exactly do these patterns come from ? Is the previous pattern version available there as well ?
The ability to roll back virus definitions is built into the management platform for Symantec (Symantec System Center). Failing that, backdating would have to be done by hand or through a script run on each client.
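One way to apply two of the three signals named in that answer (the reported directory and filename, and the number of reports) across a burst of alert emails, as an added example that is not code from the blog or from Symantec. The alert records are constructed, and the directory lists and the three-host threshold are this example's own assumptions, not vendor guidance:

```python
"""Triage a burst of antivirus alerts into false-positive and outbreak candidates.

Added example, not code from the blog or from Symantec. The alert records are
constructed; the rules below encode two of the three signals the post names
(the reported directory and filename, and the number of reports), with
thresholds that are this example's own assumptions rather than vendor guidance.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Admin-controlled install locations: the same file flagged here on many hosts
# right after a definition update is more often a bad signature than a worm.
TRUSTED_DIRS = ("program files", r"\windows\system32", r"\winnt\system32")
# Locations that mass-mailers and downloaded droppers usually land in.
UNTRUSTED_DIRS = (r"\temp", "temporary internet files", "documents and settings")

# Constructed alert records in the shape of the per-detection alert emails the
# post describes (reporting host, detected file path, threat name).
SAMPLE_ALERTS = [
    {"host": "ws01", "threat": "W95/CTX", "path": r"C:\Program Files\Microsoft Office\Office\excel.exe"},
    {"host": "ws02", "threat": "W95/CTX", "path": r"C:\Program Files\Microsoft Office\Office\excel.exe"},
    {"host": "ws03", "threat": "W95/CTX", "path": r"C:\Program Files\Microsoft Office\Office\excel.exe"},
    {"host": "ws04", "threat": "W95/CTX", "path": r"C:\Program Files\Microsoft Office\Office\excel.exe"},
    {"host": "ws05", "threat": "W32/Brepibot.gen", "path": r"C:\Documents and Settings\alice\Local Settings\Temp\Photo and Article.exe"},
    {"host": "ws06", "threat": "W32/Brepibot.gen", "path": r"C:\Documents and Settings\bob\Local Settings\Temp\photo.exe"},
    {"host": "ws07", "threat": "W32/Brepibot.gen", "path": r"C:\Documents and Settings\carol\Local Settings\Temp\Photo and Article.exe"},
    {"host": "ws08", "threat": "Backdoor.Graybird", "path": r"C:\WINNT\Temp\mc21.tmp"},
]


def classify(alerts, min_hosts=3):
    """Group alerts by threat name and label each group.

    Returns {threat: {"label": ..., "hosts": n, "paths": [...]}} where label is
    "isolated", "likely-false-positive", "likely-outbreak" or "needs-review".
    """
    by_threat = defaultdict(list)
    for alert in alerts:
        by_threat[alert["threat"]].append(alert)

    verdicts = {}
    for threat, group in by_threat.items():
        hosts = {a["host"] for a in group}
        paths = {a["path"].lower() for a in group}
        dirs = {str(PureWindowsPath(p).parent) for p in paths}
        all_trusted = all(any(t in d for t in TRUSTED_DIRS) for d in dirs)
        any_untrusted = any(any(u in d for u in UNTRUSTED_DIRS) for d in dirs)

        if len(hosts) < min_hosts:
            label = "isolated"                # too few reports to call either way
        elif len(paths) == 1 and all_trusted:
            label = "likely-false-positive"   # one identical vendor file flagged everywhere
        elif any_untrusted:
            label = "likely-outbreak"         # varying files in drop locations on many hosts
        else:
            label = "needs-review"
        verdicts[threat] = {"label": label, "hosts": len(hosts), "paths": sorted(paths)}
    return verdicts


if __name__ == "__main__":
    for threat, v in classify(SAMPLE_ALERTS).items():
        print(f"{threat:20} {v['label']:22} hosts={v['hosts']}")
```

The labels are a starting point for the admin's judgment, not a verdict: a worm that drops one fixed filename into a vendor directory on every host would land in the false-positive pile, so a "likely-false-positive" group still wants a sample submitted to the vendor and a check against the previous definition set before anything is restored from quarantine.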

The antivirus companies have us addicted to updates. We need the fix. We're Jonesing for the fix. Every once in a while we get a bad fix that nearly takes us out. In the past month Kaspersky has killed Exchange servers running Sybari. Microsoft Antispyware has uninstalled Symantec antivirus. And now this. (I think I'm forgetting a smaller incident Sophos had). Something is rotten in the state of antivirus.

SAV 10 Trouble

| No Comments | No TrackBacks

We've got some problems today caused by an install of Symantec Antivirus version 10. On some Windows 2000 systems after installing Symantec Antivirus 10, the SMS client agent would no longer run. Investigation showed that WMI was possibly corrupt. We're still looking into this problem. Thus far I haven't found a way to fix it.

Virus Def Update Speed

| No Comments | No TrackBacks

F-Secure has a little flash video used to illustrate the difference in update speed between F-Secure and several competitors.

Bluecoat

| No Comments | No TrackBacks

Bluecoat came out today to pitch their caching proxy with antivirus and url filtering. The antivirus piece is a single engine. You can pick from multiple vendors for an AV engine, but there will be only one. They are doing nothing that I can see to address the problem of zero day viruses and targeted viruses. Their comment is that multiple antivirus scan engines slow things down too much. That is not what scansafe.net's service claims. I think the Bluecoat solution would still let viruses through. It's probably better than what we have, but is the difference worth the change?

Symantec Antivirus and 64 bit

| No Comments | No TrackBacks

I just got off the phone with Symantec regarding their 64 bit Symantec Antivirus client.

The Symantec knowledge base article on the subject says that it cannot BE a parent server and as a client it cannot do VDTM. Silly me, that made me think that the 64 bit client could be managed. Support tells me they are still working on that and claimed that it would be like a SAV 9 server trying to manage a SAV 10 client. This is very aggravating as we've been waiting for a SAV 10 server to be in production in order to deploy the x64 antivirus.

The other news from that call is that no patches are available for x64. I could not get them to commit to whether that software was vulnerable to the RAR vulnerability in 10.0.2 x86 architecture or not.

[update]: They just sent me a document on how to configure the SSC to manage x64 computers. It's just like I remembered. Disable VDTM. Schedule LiveUpdates direct to Symantec.

I learned about this over in a thread over at BroadBandReports.com. It seems that if you go to the writeup for the new Macintosh worm Inqtana.a over at the Symantec (SARC) AVCenter you get a virus detection of OSX.Inqtana.A in that temporary internet file. This of course is a false positive.

I am using the 2/17 rev 18 virus definitions. 2/18 rev 5 is out and reportedly that solves the problem.

Message Labs January Intelligence Report is out. It's worth taking a look at.
http://www.messagelabs.com/Threat_Watch/Intelligence_Reports/January_2006?CMP=EMC-MLI-REPORTS

Below is one graphic from the report. It shows that 7 vendors were able to stop Nyxem.e heuristically (Message Labs, ISS, Kaspersky, Panda, esafe, fortinet, mcafee, nod32). After that the minimum window of vulnerability was 3.5 hours before the first non-heuristic virus detection was available. Symantec brought up the rear releasing an update 35 hours after the initial detections. 15 hours after the virus was in wide circulation.

[Image: nyxem.PNG]

This morning at 11:40 our Exchange 2003 server updated the kaspersky antivirus scan engine. That is part of Microsoft (Sybari) Antigen. A few minutes later I began receiving emails about “scantime timeout” and when I checked I saw that no mail was being delivered anymore.

After spending an hour on hold with Microsoft waiting for support I changed tactics and called my TAM. He told me I was still 35th or so in the phone queue (down from a couple hundred) and that the problem was a bad Kaspersky virus definition update. (that is what I suspected). I disabled Sybari’s scan jobs (once I could get into its admin gui) and updated Kaspersky to a newer definition set. All told two admins wasted three hours on this today and our company couldn’t send or receive email for most of that time.

While bad virus def updates have hosed our server in the past (usually it's Kaspersky), I have never had this kind of hold time. I am really unhappy with the quality of support now that Microsoft owns Antigen.

Dave Aitel over at ImmunitySec has released exploit code for the Symantec RAR vulnerability which was announced in December. This code has been released only to customers of ImmunitySec. This is a sign that it is possible to develop an exploit for this vulnerability. Not only that, if history is any indication, the super duper bad guys probably already have it and have been using it in secret in targeted attacks.

[update] - I see this is old news, this actually occurred on 2/6/2006, but Symantec Deepsight Alert Service only told me about it now.

Boardfish

| 1 Comment | 1 TrackBack

Shameless self-promotion really irks me. For months now Duncan McAlynn has been getting the tech press to promote his forum at Boardfish.com. This trend continues in the Feb 2006 Information Security Magazine. Symantec pulled the plug on their bulletin board in December, and Boardfish apparently put out press releases about how it was the community replacement for Symantec's board. The two boards have something in common. No useful content. Symantec's board was an ok resource for people without support. It was an exercise in waiting weeks hoping the single Symantec employee on the board will respond. Rarely would anyone else bother to help out. Boardfish on the other hand, people are more likely to be willing to help, but there just isn't that much traffic.

Boardfish promoted itself as the place for online Symantec antivirus discussion when it had only created a symantec forum moments earlier. It just irks me.

This reminds me of the Chernobyl virus in many ways. While the hysteria doesn't approach the level of that hystericane, we still have experts taking credit for their dire prediction not coming true.

"The importance of media attention from an awareness and educational standpoint has been a very good thing," said Marc Solomon, director of product management at security vendor management McAfee Inc. "It alerts users to what may have happened and the destruction that could have occurred."

It also sells product.

brepibot.gen

| No Comments | No TrackBacks

We've been seeing a number of w32/brepibot.gen in our inbound email since noon today.

McAfee has a writeup on this virus here. McAfee updated their definitions on January 30th noting:


There were several mass-spammings of new Brepibot variants recently. The 4685 DAT files contain updated detection to cover the new variants. One example of a spammed message is as follows:

The emails I've seen have the following characteristics:
Subjects:
Photo
Photo Approval Needed
Campus Life
Photo Approval Required
Campus Life Article
FWD:Photo
Photo Approval Deadline
photo approval needed
Photo Approval
Requesting Photo Approval

Attachment:
Photo and Article.exe

Source IPs:
62.49.4.123
86.135.27.88
83.38.83.48
213.132.238.109
68.186.147.67
157.253.66.7
82.38.170.158
86.128.48.255
84.92.83.135
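Checking inbound mail against these characteristics, and against the IRS-lookalike ones from the "Is it Tax Time Already?" post above (envelope sender root@localhost.localdomain, display From service@IRS.GOV, a "tax refund" subject), as an added example that is not code from the original posts. The subjects, attachment name and source IPs are the ones listed above; the sample messages are constructed, and the function name `triage` and the `IMPERSONATED_DOMAINS` list are this example's own assumptions:

```python
"""Flag inbound mail that matches the indicators the blog describes.

Added example, not code from the original posts. It covers both the IRS-themed
"tax refund" mail (envelope sender root@localhost.localdomain, display From
service@IRS.GOV) and the Brepibot mass-mailing (subjects, attachment name and
source IPs listed in the post). The sample messages are constructed; the
function name and the IMPERSONATED_DOMAINS list are this example's own choices.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the post.
BREPIBOT_SUBJECTS = {
    "photo", "photo approval needed", "campus life", "photo approval required",
    "campus life article", "fwd:photo", "photo approval deadline",
    "photo approval", "requesting photo approval",
}
BREPIBOT_ATTACHMENT = "photo and article.exe"
BREPIBOT_SOURCE_IPS = {
    "62.49.4.123", "86.135.27.88", "83.38.83.48", "213.132.238.109",
    "68.186.147.67", "157.253.66.7", "82.38.170.158", "86.128.48.255",
    "84.92.83.135",
}
# Domains whose display From counts as impersonation when the envelope sender
# comes from somewhere else (assumption: extend this for your own site).
IMPERSONATED_DOMAINS = {"irs.gov"}


def triage(raw_message, envelope_from, source_ip):
    """Return the list of indicator names that fired for one message."""
    msg = message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    _, header_from = parseaddr(msg.get("From", ""))
    header_domain = header_from.rpartition("@")[2].lower()
    envelope_domain = envelope_from.rpartition("@")[2].lower()

    # Brepibot-style mass-mailing indicators
    if subject in BREPIBOT_SUBJECTS:
        hits.append("subject:brepibot")
    if source_ip in BREPIBOT_SOURCE_IPS:
        hits.append("source-ip:brepibot")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == BREPIBOT_ATTACHMENT:
            hits.append("attachment:brepibot")
        elif name.endswith(".exe"):
            hits.append("attachment:executable")

    # IRS-style lure: the display From claims a domain the envelope sender is not from
    if header_domain in IMPERSONATED_DOMAINS and header_domain != envelope_domain:
        hits.append("from-mismatch:impersonation")
    if re.search(r"\btax refund\b", subject):
        hits.append("subject:refund-lure")
    return hits


# Constructed sample messages, not real captures.
SAMPLE_BREPIBOT = """\
From: someone@example.org
To: user@example.com
Subject: Photo Approval Needed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please approve the attached photo.
--b1
Content-Type: application/octet-stream; name="Photo and Article.exe"
Content-Disposition: attachment; filename="Photo and Article.exe"

MZ...
--b1--
"""

SAMPLE_IRS = """\
From: service@IRS.GOV
To: user@example.com
Subject: receive a tax refund of 63.80
Content-Type: text/html

<html><body>Click here to claim your refund.</body></html>
"""

SAMPLE_CLEAN = """\
From: colleague@example.com
To: user@example.com
Subject: Lunch on Friday?

Same place as last week?
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BREPIBOT, "someone@example.org", "62.49.4.123"))
    print(triage(SAMPLE_IRS, "root@localhost.localdomain", "198.51.100.7"))
    print(triage(SAMPLE_CLEAN, "colleague@example.com", "192.0.2.10"))
```

An envelope/header mismatch on its own is not proof of anything (mailing lists and forwarding services produce it all day), which is why the check is tied to a short list of domains that have no business arriving from a localhost sender; the source IP list is the weakest indicator here, since the mass-mailer's sending hosts change faster than anyone can update a blocklist.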

Possible False Positive

| No Comments | No TrackBacks

In my email, I'm seeing email detected as malware.ae. It looks like the messages are heavy on the html content. But from the subject, source IP, and email addresses involved it does appear to be a false positive.

I've opened a support case with Message Labs and sent them a few samples to find out more.

New Virus? Nyxem.e

| No Comments | No TrackBacks

Just saw a virus detected as nyxem.e in the inbound email. I believe nyxem is another name for the mywife family of viruses. Looks like this is a new variant.

http://www.f-secure.com/v-descs/nyxem_e.shtml posted today

One of the things I neglected to mention in the previous post is that by exploiting these sites, wmf exploits are served up by sites you may trust and go to every day. They may be your friend's site, or the site of a small business.

Getting infected via a WMF exploit isn't a matter of visiting hacker or porn sites; it's something that can happen very easily if you haven't patched.

One good thing about that call is that I had zero wait time. Either no one is calling support this week or Symantec has really improved the Gold level response time.

I called SAV support just now. You see Symantec’s security bulletin says that SAV 8 and 9 are not vulnerable to the RAR buffer overflow. http://www.symantec.com/avcenter/security/Content/2005.12.21b.html

However my vulnerability scanner says I am vulnerable because my dec2rar.dll file is the wrong version.
%ProgramFiles%\Common Files\Symantec Shared\Decomposers\dec2rar.dll Version is 3.2.10.16

So basically I wanted to make sure that 9 is never vulnerable. That there is no way I could still be vulnerable by having an older version of this dll. Basically assure me that my vulnerability scan detection is a false positive.

It just blew his mind. Gold support just is not prepared for a call that is not answered by the knowledge base already. To his credit, he put me on hold to ask for some help. But I’m just not that confident in their final answer that 8 and 9 are not vulnerable to the rar vulnerability no matter what.

IM.WMF-BH56.all

| No Comments | No TrackBacks

IMLogic is reporting a new IM worm using the wmf vulnerability. This is currently rated as low.

If you've got IMLogic, you're cool. Otherwise you might want to watch access to 168.169.78.19 cause the file is live. Oh, I hear the file is detected with the Symantec bloodhound defs, but I didn't want to test that for myself.

WMF Antivirus face off

| No Comments | No TrackBacks

I learned through Donna's Security Flash about some testing av-test.org has done to see which Antivirus vendors can detect wmf files.

See the results from January 1st in a PCMag Article. AVG didn't fare so well. Aren't they one of the free products that people always push instead of the more established vendors?

Symantec to buy IMLOGIC

| 2 Comments | 1 TrackBack

Well shit. Suddenly that decision to purchase IMLogic (the product not the company) is not looking so good. Symantec has just purchased them.

When Symantec purchases something, it's almost as bad as when Computer Associates purchases something. First I would suspect all development will go in the crapper while Symantec figures out what they bought and what they want to do with it. Goodbye quarterly updates. Goodbye support for AIM Triton, Google Talk and AIM file transfers. I know you were on the roadmap, but the roadmap is now burned.

Next, support will suck. I suspect my support team will now be replaced slowly by the "Gold" level drones that Symantec hires.

Third, I wonder what will happen with the Sybari integration? Will it disappear now that two corporate giants the two companies.

Will my product completely disappear the way L0phtcrack has since the @stake purchase? Will it reappear later as Symantec IM Manager?

I really expected Webroot to be picked off (as Pestpatrol was). I didn't think about the possibility of IMLogic being bought.

IMLogic is still a better product than Facetime or Akonix. We'll have to hope for the best.

I had been wondering if it is possible to run the third party WMF patch in a silent mode. When I downloaded the patch and ran it with a /? it did not give me any command line options. SANS is now reporting the syntax to run the install quietly.

I'm still wondering how to uninstall the patch programmatically when the real patch is released. I'm assuming since it is listed in add/remove programs it should be possible to find the uninstall command line in the registry. I haven't looked through.

Sybari (or is that Microsoft) sent out a security bulletin relating to WMF viruses. They are calling it WMF/Exploit.b, Alias: Exploit-WMF trojan, Exploit.Win32.IMG-WMF.a, Troj/DownLdr-QB

But most importantly, they warn:

****PLEASE NOTE****
For Windows platforms, users must set the "ScanAllAttachments" registry value to 1 for this filetype to be detected.

Domino Users:
For Domino, the following can be done:
1. Open the "notes.ini" file.
2. Add the ".JPG" and ".WMF" extension to the "AntigenAveExts" parameter.
3. Save the file.
4. Recycle services.

I always thought it a little sketchy that by default Sybari scans specific file types only. Hopefully Exchange performance won't grind to a halt when this change is made.

Ah Sweet Vindication

| No Comments | No TrackBacks

Just wondering if you guys who rely on attachment blocking in email to protect you are now blocking all image files to protect against WMF exploits? Enjoy your plaintext email existence.

I'll continue to enjoy the protection provided by Message Labs. Good antivirus enables business.

SANS WMF FAQ

| No Comments | No TrackBacks

SANS has posted a WMF FAQ. Good summary for those not keeping up.
http://isc.sans.org/diary.php?storyid=994

The following quote is from the AVERT email. AFAIK this was sent to a public list and may be disseminated.

Advisory
AVERT is releasing this advisory to make our customers aware of new Exploit-WMF code having been released today and currently being used in spam attacks resulting in the installation of a new Backdoor-CEP variant.

Justification
Updated DAT files to detect new Exploit-WMF and Backdoor-CEP variants are being prepared now and will be released shortly.

Read About It
Information about Exploit-WMF is located on VIL at: vil.nai.com/vil/content/v_125294.htm

Some odd png emails

| No Comments | No TrackBacks

I tried to post this at dinner, but my blackberry doesn't do javascript. Just remembered to post this now.

All day spam directed to my company with the subject Re: peeper cre has had a file detected as Possible Malware PNG/Generic. I have no way of knowing if this is related to the WMF exploits or not.

SANS Newsbites on IM Security

| No Comments | No TrackBacks

The following is a comment by editor Pescatore in the SANS NewsBites email:

[Editor's Note (Pescatore): There has definitely been an increase in attacks via links in IM messages. Users who will no longer click on a link in an email for fear of phishing are still clicking on links in IM messages - and usually clicking within seconds of receipt, as compared to email messages that may sit in the users in-box for quite some time. Enterprises who have made the decision to allow public IM services to be used by employees need to make sure that IM filtering services are put in place, and employees warned that IM screen names are just as insecure as email addresses.]


More bad news on the Windows Meta File front.
According to the latest SANS ISC Diary, McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.

How does McAfee know how many infections occurred? With Symantec my clients aren't reporting anything to them. Does McAfee have all client infections reported to them (both consumer and corporate)?

WMF IM Worm

| No Comments | No TrackBacks

If you've read any security sites over the past week, you know about the zero day Windows Meta File vulnerability.

Well it keeps getting worse. Kaspersky reports that there is now a MSN Messenger worm that sends a link to a wmf exploit file. When you follow the link the exploit runs a vbs script to install a bot. Have a nice day.

They also say it is possible to exploit this vulnerability even if shimgvw.dll has been removed from the system. They say that disabling and then removing the dll provides a large measure of protection, but dont think you are safe.

It keeps getting worse. Is anyone else waking up at night thinking about this?

MS Online Crash Analysis

| No Comments | No TrackBacks

According to this article at Blink.nu, the Microsoft Online Crash Analysis is capable of detecting some worms and viruses. Not only that, the recommended action is to initiate a scan through Windows Live Safety Center. I think that is pretty sweet.

Sanra Rudra

| No Comments | No TrackBacks

Indian software company Sanra has announced a new anti-malware solution called Rudra. Rudra is a no-update solution that sounds like it is a mix of HIPS and tripwire. It assumes a clean system at install and then monitors for changes.

It seems like the documentation does a good job of describing what it is not. It is not virus definition based or heuristic based. But when it describes what it is, it is less forthcoming. How does it determine that a new program is a threat or not? Sounds like it's a whitelist only approach to the computer.

A SecurityPipeline article says this program will be available the second week of January.

Hacker Defender author speaks

| No Comments | No TrackBacks

I learned of this article over at the broadbandreports.com security forums. Holy_Father, the author of Hacker Defender, a common Windows rootkit, speaks about his motivation. I can't vouch for its veracity, but then I say the same about every news.com article I link to as well. :)

"Antivirus companies sell a fake sense of security, but they do not bring real security to your computer. Antivirus just fights programs that are visible to common users."

"Yes, antivirus products will protect you against wildly spreading threats like destructive worms. But the real danger for users is from pointed attacks, where private tools are used"

Don't forget as Message Labs has pointed out, targeted attacks are becoming more common. Don't think it can't happen at your company. This rootkit author sees his rootkit as forcing antivirus companies to develop better products.

holy_father says that today's heuristic scanners and polymorphic scanners are crap. They are defeated by minor changes to the source code of the malware. I can see that working against bad heuristics like Symantec's bloodhound, but I would hope that Esafe's sandboxing approach would provide more of a challenge.

Thomas Claburn writes in Information Week (reprinted by Security Pipeline) about the struggle of antivirus companies to keep up with attacks. It's an interesting timeline to follow the creation of definitions for the Santy worm.

It sounds like at least at some antivirus firms they may finally be ready to move on from the broken virus definition update model, and move on toward proactive defenses.

Hacktool.netcat

| 1 Comment | No TrackBacks

Symantec has decided that netcat is a hack tool! What’s next? telnet? Netcat is number 4 on insecure.org’s list of top security tools.

I’m trying to decide if this is worth spending time on. I’ve been able to get Ghost Mail by Robert Yale off of Symantec’s hit list in the past. But I think this might be a tougher argument. It's like the radmin detection. It’s a common enough tool, but if one person uses it for bad, oh no it must be designated for removal. I think Symantec is playing fast and loose with the "extended security threat" categories. Sooner or later everything will be listed there.

It's not as if Symantec makes this easy to ignore. First you add it to an ignore list for the realtime scan. Then for the scheduled scans. Then the real fun begins. You have to disable the startup quick scan (with 10.0.1.1000 and later this is an option in the SSC), and it looks like you may need to disable the defwatch scan according to this article http://tinyurl.com/cokvu. Lastly, users may create their own scheduled scan. You can't exclude netcat from that, all you can do is program it to leave it alone.

Businesswire reports that the Seattle Times is deploying IMlogic IMManager

Their primary goals are:


  • gain visibility into staff instant messaging (IM) use
  • ensure compliance with internal and external use policies
  • prevent cyber threats from entering its network

"We had no visibility and no way to monitor, control or track IM use. We didn't know if files were being sent out without our knowledge,"
"Rather than shut down all IM use, we opted to manage it. Our tech folks did a thorough evaluation, talking to our peers and researching different solutions. IMlogic IM Manager and its Real-Time Threat Protection System turned out to be technically superior."

IM Worms Increasing?

| No Comments | No TrackBacks

ZDnet repeats a Akonix press release reporting that IM Worms have been increasing in November as compared to October.

It's kind of satisfying that 36% of the worms target more than one network. Back when IM Worms first came out they were occurring on the Windows Messenger network first and the Microsoft bashers were lining up to take their swings. Those critics fell strangely silent after more worms targeted the AIM network which is more widely used in the U.S.

Do you trust reports from security vendors? They profit by selling software to protect against X. So are they unbiased when they say X is on the rise (thus you need our product).

Like Clockwork

| No Comments | No TrackBacks

I wonder if I could have bet on this in Vegas? What's this the third or fourth time in 6 months Trend has published writeups on a virus and said that it exploits a recently patched windows vulnerability only to later retract it.

http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4781 Trend Micro has retracted last week’s claim to have discovered a Trojan that could exploit vulnerabilities in the Windows graphics engine.

Bloodhound.Exploit.52

| No Comments | No TrackBacks

Some people are reporting false positives in bloodhound.exploit.52. This is Symantec's heuristic detection for the flash vulnerability. Over at the ISC one person has said this has only been an issue for them with people running Flash 7.0.19. If you haven't upgraded this is probably the version you are running.

At least one person reporting the problem is using rapid release versions of the virus definitions 11/10 rev 39 and 11/22 with unknown revision number. So this means if they've submitted the suspect files to Symantec this false positive could get fixed before the virus defs are widely deployed.

IM Virus part 2

| No Comments

Symantec responded to my virus submission, reporting that they are calling it spybot.worm. And the virus defs are in the latest rapid release defs. The response took long enough that I think it wasn't an autoreply. If it's the autoreply, I know it's not something new. I tried the rapid release defs on my own computer and then set xdbdown to download rapid release defs.

I also downloaded the file (img0099.com) and ran it on a vmware machine. Of course good viruses know when they are in a virtual environment and don't do everything. I also didn't set up a fake network connection, so I don't know what network downloads it may have tried. I'm tempted to try that, but I don't want to hose my real computer.

It did a lot of registry lookups. The main thing is that it created c:\winnt\system32\express.exe and started it with HKCU run and HKLM run/runservice. That file is also detected by the rapid release defs. The file is set as a hidden and system file so you may need to go into dos and run attrib -h -s express.exe (in the system32 directory).

The rapid release virus definitions I am using from Symantec is 10/26/2005 rev25

IM virus

| No Comments

I had some users passing around an IM virus today. I'm still trying to get a handle on what virus it was to make cleaning it easier.

The users sent "YAY!! http;//home.earthlink.net/~lzingelmann/IMG0099.com" to each other. I downloaded img0099.com and submitted it to symantec (haven't heard back yet) as well as virus total. Virustotal.com saw a few heuristic detections and one detection as a kelvir.

I see over at Harry's blog that there is a new IM virus out today called virkel. That's really not good. It does more than attempt to spread. It tries to download other updates and act as a bot. I tried to be the nice guy and let the user take the laptop home with them instead of taking it from them (with the caution that they not log into aim). What a bad choice that was.

I'm still waiting on a useful IM security writeup. I may have to run this in a vm environment just to see what it does if the antivirus industry doesn't get off their collective butts.

The funny part about this is some of the people who got infected were part of my Facetime evaluation. The version of Facetime that I am running did nothing to help this other than create a log trail for later cleanup. :(

w32/doombot.b

| No Comments

F-Secure posted in their blog on Saturday about a new massmailer doombot.a and doombot.b. I'm seeing a little bit of doombot.b this morning in inbound email.

(no) Support

| No Comments

I was just on the phone with an IM Security vendor support number. I asked how to set up the antivirus scanning. For my trouble, I got a lecture on the dangers of allowing file transfer via IM. No kidding, that's why I want the IM Security software. If I merely wanted to disable all the features of the IM product, I wouldn't need your software!

SAV Defwatch Scan

| 3 Comments

I was wondering why Symantec Antivirus Corporate Edition version 10 was showing 400 files scanned during a defwatch scan. This isn't the scheduled scan. In the past, a defwatch scan is a scan of the files in quarantine and the scan has not shown up in the Scan History.

I found a KB article that explains this:


After you update virus definitions, a Defwatch scan runs. In the Scan Histories view, the "Total files" column for the Defwatch scan entry shows a number of files that is more than the number of files in quarantine.

Solution:
This behavior is expected. In Symantec AntiVirus Corporate Edition 9.x or earlier, a Defwatch scan only scans the files that are in quarantine. In Symantec AntiVirus 10.x, the Defwatch scan also runs a Quick Scan. The Quick Scan scans any program files that are loaded into memory and common virus and security risk loading points.

Another nice improvement in SAV 10.

More on mc21.tmp and mc22.tmp

| No Comments

A lot of people are coming to this site looking for help for Symantec Antivirus Backdoor.Graybird detections on mc21.tmp or mc22.tmp. My post on my experience last Friday has been picked up by Google. Unfortunately they are linking to my main page instead of the article itself and that post is about to fall off the front page. (To be fair, blogsearch.google.com does have the correct link).

I have continued to see a few new detections of this at work. I need to check if those systems are up-to-date on their virus definitions. If they do have defs where this false positive is supposedly fixed, then there is still an issue.

By popular demand, I'm posting the email Symantec sent out last week. It is my belief that this information is considered public and not under any NDA. In other words Symantec please do not sue.

-----Original Message-----
> From: symalert@symantec.com [mailto:symalert@symantec.com]
> Sent: Friday, September 16, 2005 4:49 PM
> To: Me
> Subject: Unscheduled LiveUpdate definitions to be published in response to a FP
>
>
>
> Symantec Security Response will post LiveUpdate virus definitions today, September 16, 2005.
>
> This posting is to correct a false positive with Backdoor.Graybird detections.
>
> An additional message will be sent approximately 30 minutes before the LiveUpdate virus definitions are available for download.
>
>
> ----------
> For additional information, visit our website at
> http://securityresponse.symantec.com