Recently in Antivirus Category

I noticed a bunch of computers reporting install_flash_player.exe as a Trojan Horse this morning. My first stop was the Symantec Forum where a bunch of users were already discussing this.

Since it appeared to be a false positive in an older install file for Adobe Flash, I set out to see which version of Flash was getting hit. Adobe has an archive of Flash players. I downloaded a zip with every version of Flash 10 and unzipped it to my hard drive. I got a detection on flashplayer10r22_87_win.exe. Once that was quarantined, the easiest thing to do was go into my local quarantine, right-click and submit to Symantec.

A Symantec support employee points out the KB for false positives and the virus submission website https://submit.symantec.com/websubmit/gold.cgi. To use that I would have had to disable real-time protection and unquarantine the file, so it was easier to submit from within Symantec. I'm running 1/27 r49 definitions.

SEPM Y2k.1


As anyone using Symantec Endpoint Protection Manager (SEPM) to manage SEP11 clients should already know, SEPM has an issue where it thinks virus definition updates from 2010 are older than updates from 2009.

If you aren't on top of this, you should be subscribed to Symantec emails here. I'd also apparently subscribed to something at the Symantec Forums at www.symantec.com/connect.

Symantec is just now starting to push out patches. Currently patches are available for 11.0.3. Keep an eye on this knowledge base article for updates.

So far this has caused three problems that I care about.

1. We use Forescout CounterACT to monitor for virus definitions more than a week out of date. I came in one day and found all my computers in the "old definition" group. The defined action was to run LiveUpdate once. That wasn't too big a problem.

2. Like most SEP admins, I have SEP configured to use SEPM for updates when on my corporate LAN or VPNed in, but to use Symantec's LiveUpdate servers when on the Internet. It's important for people to get updates even when away from the office, and that is a simpler solution than putting a LiveUpdate server in the DMZ. The problem is that the Y2K.1 issue was specific to SEPM. As a result Symantec foolishly used different virus definition numbers for their LiveUpdate servers and for updates through SEPM. So my internal clients are getting 12/31/2009 rev xyz definitions (where xyz is an incrementing number) and people who update directly from Symantec get normal updates dated today. If you are external to the company and you update from Symantec, your defs are dated 1/10/2010. If you go back to work, the defs offered from the server are 12/31/2009. You'll never get updated while on the corporate network until Symantec fixes the original problem. To my understanding you are now out of date. Kind of a big problem.

3. Symantec by default notifies users of managed clients when the virus definitions are more than 30 days old. I take this to mean that unmanaged systems get no notification by default. In my environment managed systems are set to notify users if the virus definitions are more than 14 days out of date. Since we're coming up fast on January 14th, I've disabled the notification. Of course any computer that isn't on our network in the next couple of days won't get the new configuration.

Hopefully Symantec will get this issue resolved soon. Not sure why they couldn't be ready to patch all SEPM builds at once. Why is MR3 so favored?

Antivirus Exclusions


For many years Microsoft has had an exclusion list of files and folders that antivirus should not scan. I've seen similar knowledgebase articles from antivirus vendors. For some reason this became blogworthy over at TrendMicro. That has set off the usual echo chamber of anti-Microsoft handwringing. (Wait a second, an echo chamber of handwringing? Exactly how loud is that? Stop mixing metaphors.)

A lot of people have the knee-jerk reaction "oh no, the virus writers will start putting their viruses there." The TrendMicro blog entry isn't as worried about the exclusions as its author is about the public knowledge of the exclusions: "Now, although it actually makes sense to stop checking ...we are concerned by the fact that this was released publicly." I laughed out loud when I read that. Security through obscurity is no security at all. If you don't tell antivirus administrators what to exclude from scanning, just who are you going to be sharing this mystic secret with?

All the articles I've read imply that the only reason to make antivirus exclusions is performance. Exclusions can also be necessary to allow a product to work correctly. Data integrity is a valid reason for antivirus exclusion, I think.


Unlike what some people think, exclusions aren't just for the performance of scheduled scans. On the contrary, they are needed more for real-time scan exclusion. Lots of files created in a folder and then deleted, etc.: that is a real-time scan situation.

Microsoft's KB is clearly aimed at system administrators, not home users, in this writer's opinion. Excluding a file from scanning is not a white flag of surrender. Endpoint security suites may still have IDS, proactive and firewall components. The malware will need to beat the antivirus to get on the system in the first place.

I guess I got my hand wringing out of the way on this one five years ago. Strangely, TrendMicro did too. Their own knowledgebase has instructions with some recommended exclusions to solve problems with shadow copy and SQL.

Kaspersky is detecting gosearch.gif as Trojan.JS.ramif.a.

gosearch.gif is a standard magnifying glass icon used in Sharepoint as a search button.

I submitted this to Kaspersky and they concur it's a false positive, so hopefully updated defs will be out shortly.

SEPM Upgrade Travails


Last night I started upgrading Symantec Endpoint Protection 11.0.4 to 11.0.5. I've been doing these upgrades since 7.0.1 and they rarely go smoothly; this one did not disappoint. As with most of these debacles, the development server upgraded without an issue.

The production server looked like it installed cleanly until I went to start the SEPM service after the install. The service exited immediately after installing. I searched symantec.com/connect and symantec.com/techsupp (support forums and knowledgebase). I got some logs to check and things to verify, I did a repair install multiple times. Ultimately I didn't see a solution.

I initiated the disaster recovery procedures documented in the knowledgebase (and in a corporate document I wrote). First I made sure that my backed up keys and passwords were still good. Then I uninstalled SEPM and reinstalled it. As it was approaching 3:30 AM, I decided to let the database restore run while I slept.

The next day I continued the DR procedures and found the GUI wouldn't allow me to use what I thought the database password was. I unnecessarily went down the road to change the password through ODBC. It turned out I was using the wrong password (which happened to use characters the GUI would not allow).

Once the database password was found, I had a new problem. I was restoring from a backup of the database. Of course the database had an old schema. I tried a couple of things to get it to upgrade. I believe it was an upgrade.cmd file that did the trick.

At that point I was able to log into SEPM. I verified that my configuration was still there and my clients were able to report in.

The (hopefully) last little piece of this struggle was finding 11.0.5 missing under client install packages. I believe the database restore was what caused that to go missing. I found instructions to manually import it.

SEP 11.0.5


Symantec Endpoint Protection 11.0.5 is on Fileconnect. Release notes are posted here.

Symantec Dameware False Positive


"Symantec Security Response will post another set of LiveUpdate virus definitions today, 09/16/2009 at approximately 3PM Pacific. This posting is in response to a false positive (FP) on the 'Dameware Remote Administration' application. This FP was first released in definitions with version 20090915 rev.038 (Sequence 100395) IU. The detection has been corrected starting 20090916 rev.025 (Sequence 100419)."

Evaluating HTTP Security Solutions


While trying to eval an HTTP security solution, I've been trolling for viruses by browsing Google Top Trends.

The vendor advertising their zero day protection detects the virus even when VirusTotal has only one scanner detecting (and not one used by this vendor). So they are showing off their zero day protection rather well. The problem I have is that the incumbent protection, which would not have detected the virus with AV, was able to block the site completely with URL filtering.

I normally don't think too much of URL filtering as protection anymore. Malware can be on legitimate sites. New sites that aren't categorized come online. But for my extremely small sample set, it's actually providing the same level of protection.

SEP11 and MS09-035


The vulnerability scanner is finding a bunch of systems with %windir%\system32\atl71.dll version 7.10.5057.0 and the registry key HKLM\Software\Microsoft\VisualStudio\7.1. This indicates that the system may be MS09-035 vulnerable. The patched version of atl71.dll is 7.10.6101.0.

I also have some systems that don't have that registry key but have atl71.dll.

I decided to do some testing to determine how the file is getting on the computer. We haven't rolled out Visual Studio .NET 2003, but clearly some application is putting it there. A clean load of XP SP3 has no atl71.dll present on the system. However, after installing Symantec Endpoint Protection 11, I find that I have atl71.dll. This test system does not have the registry key.

So it appears that Symantec is using Microsoft's ATL library and distributing a vulnerable version of the DLL.

I couldn't find anything about this at the Symantec forums or in the knowledgebase. I may have to open a support ticket. I'm not sure I'm prepared for that kind of crap shoot today.


UPDATE: Symantec now has a knowledgebase article available. See comments on this post. Symantec reports they are not actually vulnerable. A future version of SEP will have an updated file to avoid the detection by the vulnerability scanner.
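The scanner's indicator above (atl71.dll older than 7.10.6101.0 plus the VisualStudio\7.1 key) can be reproduced locally so that hosts with the DLL but no key, the case the post describes, are told apart from the scanner's full match. The following script is an added example, not code from the original post or from Symantec; the DLL path, patched version and registry key are the ones quoted above, and the three-way verdict is this example's own.

```powershell
# Added example, not from the original post: reproduce the vulnerability
# scanner's MS09-035 indicator check on the local host. The DLL path,
# patched version and registry key come from the post; the verdict logic
# is this example's own.
function Test-Atl71Indicator {
    param(
        [string]$DllPath = (Join-Path $env:windir 'system32\atl71.dll'),
        [version]$PatchedVersion = [version]'7.10.6101.0',
        [string]$RegKey = 'HKLM:\SOFTWARE\Microsoft\VisualStudio\7.1'
    )

    $result = [ordered]@{
        DllPath       = $DllPath
        DllPresent    = Test-Path -LiteralPath $DllPath
        DllVersion    = $null
        DllOutdated   = $false
        RegKeyPresent = Test-Path -LiteralPath $RegKey
    }

    if ($result.DllPresent) {
        # Use the numeric parts: the FileVersion string can carry trailing
        # text that [version] would refuse to parse.
        $vi = (Get-Item -LiteralPath $DllPath).VersionInfo
        $v  = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart)
        $result.DllVersion  = $v
        $result.DllOutdated = ($v -lt $PatchedVersion)
    }

    # Three outcomes the post distinguishes: the scanner's full match (DLL and
    # key), the DLL without the key (something other than Visual Studio shipped
    # it, SEP 11 in the post's test), or nothing at all.
    $verdict = 'no indicator'
    if ($result.DllOutdated -and $result.RegKeyPresent) {
        $verdict = 'outdated atl71.dll with VS 7.1 key (scanner match)'
    }
    elseif ($result.DllOutdated) {
        $verdict = 'outdated atl71.dll, no VS 7.1 key (find the product that shipped it)'
    }
    $result.Verdict = $verdict

    [pscustomobject]$result
}

Test-Atl71Indicator | Format-List
```

On 64-bit Windows the 32-bit copy of the DLL lives under SysWOW64 rather than system32, so run the function a second time with `-DllPath` pointing there. As the post's update notes, an old file version alone is not proof of an exploitable product; the verdict is a lead for checking with the vendor, not a finding by itself.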

Flash zero day


iDefense has seen a Flash zero day exploit within a PDF file during a recent zero day attack investigation.

It's hard to believe that at one point in time PDF files were considered safe.

AVComparatives has posted a review of corporate products at http://www.av-comparatives.org/comparativesreviews/corporate-reviews. This test includes AVIRA, ESET, GDATA, Kaspersky, Sophos, Symantec and Trustport. No mention of McAfee or Trend Micro who I believe would both be in the top three deployed corporate endpoint protection solutions.

The report includes a detailed table comparing the available features of the products. It does not focus on detection rates for the most part. It does report on SPAM detection rates. Personally I think SPAM filtering belongs at the enterprise gateway not at the desktop.

As a Symantec Endpoint Protection admin, I loved one of the conclusions of the report, "The Symantec suite is, by far, the most mature and professional product tested by us."

Symantec has released SEP 11 MR4 MP2.

Release notes here.

Instructions on migrating are here.

The incremental update files to update clients aren't posted to the downloads section of the support KB as of this posting. However, I did find them over on the FTP site. I didn't see an update file to get from MR2 MP1 to MR4 MP2, so I had to update to MR4, then update again.

There is a fix in this version for a case I've had open for over five months: SMC.exe CPU utilization when no one is logged in, particularly on virtual servers.

This morning Kaspersky is detecting Downloader.JS.Iframe.aqo in csshover.htc on a few different websites.

Seems to be a false positive.

Virustotal shows the following:

File csshover.htc received on 04.09.2009 17:40:35 (CET)

| Antivirus | Version | Last Update | Result |
| --- | --- | --- | --- |
| a-squared | 4.0.0.101 | 2009.04.09 | - |
| AhnLab-V3 | 5.0.0.2 | 2009.04.09 | - |
| AntiVir | 7.9.0.138 | 2009.04.09 | - |
| Antiy-AVL | 2.0.3.1 | 2009.04.09 | - |
| Authentium | 5.1.2.4 | 2009.04.08 | - |
| Avast | 4.8.1335.0 | 2009.04.09 | - |
| AVG | 8.5.0.285 | 2009.04.09 | - |
| BitDefender | 7.2 | 2009.04.09 | - |
| CAT-QuickHeal | 10.00 | 2009.04.09 | - |
| ClamAV | 0.94.1 | 2009.04.09 | - |
| Comodo | 1107 | 2009.04.09 | - |
| DrWeb | 4.44.0.09170 | 2009.04.09 | - |
| eSafe | 7.0.17.0 | 2009.04.07 | - |
| eTrust-Vet | 31.6.6447 | 2009.04.09 | - |
| F-Prot | 4.4.4.56 | 2009.04.08 | - |
| F-Secure | 8.0.14470.0 | 2009.04.09 | Trojan-Downloader.JS.Iframe.aqo |
| Fortinet | 3.117.0.0 | 2009.04.09 | - |
| GData | 19 | 2009.04.09 | - |
| Ikarus | T3.1.1.49.0 | 2009.04.09 | - |
| K7AntiVirus | 7.10.697 | 2009.04.08 | - |
| Kaspersky | 7.0.0.125 | 2009.04.09 | Trojan-Downloader.JS.Iframe.aqo |
| McAfee | 5578 | 2009.04.08 | - |
| McAfee+Artemis | 5578 | 2009.04.08 | - |
| McAfee-GW-Edition | 6.7.6 | 2009.04.09 | - |
| Microsoft | 1.4502 | 2009.04.09 | - |
| NOD32 | 3997 | 2009.04.09 | - |
| Norman | 6.00.06 | 2009.04.09 | - |
| nProtect | 2009.1.8.0 | 2009.04.09 | - |
| Panda | 10.0.0.14 | 2009.04.09 | - |
| PCTools | 4.4.2.0 | 2009.04.08 | - |
| Prevx1 | V2 | 2009.04.09 | - |
| Rising | 21.24.32.00 | 2009.04.09 | - |
| Sophos | 4.40.0 | 2009.04.09 | - |
| Sunbelt | 3.2.1858.2 | 2009.04.09 | - |
| Symantec | 1.4.4.12 | 2009.04.09 | - |
| TheHacker | 6.3.4.0.305 | 2009.04.09 | - |
| TrendMicro | 8.700.0.1004 | 2009.04.09 | - |
| VBA32 | 3.12.10.2 | 2009.04.09 | - |
| ViRobot | 2009.4.7.1686 | 2009.04.09 | - |
| VirusBuster | 4.6.5.0 | 2009.04.09 | - |

Additional information
File size: 4314 bytes
MD5...: 4d50942ad963dd3d0cde4fe42ae1157b
SHA1..: ddb47d9f8d783f8ff1b79527b65ee7e6ac53a359
SHA256: afb97a5d637531616f85cffcd11dd68e7b85f2b5aa01b51b7959dbf2fcf8704c
SHA512: c829e90f6a3669320aec4bb489fb91aa39ed17a85f1584156b5eb8fc32c26b4d610ede9a8060ce5a82b945930796c7033c55a8e48e7c13a4a179d2aa41b459c0
ssdeep: 96:D+5yu5ugQhnmLzuAX6mLJ3FFD6wB5XhY/l1yYmLXiuiXqwCDGqh:Dju5ugQOFzLJ3FF5B5S/l1B8XiuiXtCP
PEiD..: -
TrID..: File type identification: Unknown!
PEInfo: -
RDS...: NSRL Reference Data Set: -

UPDATE: This afternoon I reported the false positive to Kaspersky via a webform. I heard back pretty quickly that this was fixed in the latest defs. Also note Ryan's entry in the comments.

My problem was compounded a bit because the BlueCoat cached the "infected" status, so I needed to clear the cache of that before csshover.htc could be served.
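Before treating a detection on csshover.htc as this known false positive, it is worth confirming that the copy on the web server is byte-for-byte the sample in the VirusTotal report, since a file of the same name with different content would be a real finding. The script below is an added example, not code from the original post; the size and hash values are the ones quoted in the report above, and the file path is a placeholder to replace with the server's own.

```powershell
# Added example, not from the original post: check that a local csshover.htc
# is the exact sample in the VirusTotal report quoted above. Size and hashes
# are the values from the post; the path is a placeholder.
$KnownCsshover = @{
    SizeBytes = 4314
    MD5       = '4d50942ad963dd3d0cde4fe42ae1157b'
    SHA1      = 'ddb47d9f8d783f8ff1b79527b65ee7e6ac53a359'
    SHA256    = 'afb97a5d637531616f85cffcd11dd68e7b85f2b5aa01b51b7959dbf2fcf8704c'
}

function Test-KnownFalsePositiveSample {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Known = $KnownCsshover
    )
    $item   = Get-Item -LiteralPath $Path
    $report = [ordered]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        SizeMatches = ($item.Length -eq $Known.SizeBytes)
    }
    $all = $report.SizeMatches
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToLowerInvariant()
        $ok   = ($hash -eq $Known[$alg])
        $report["${alg}Matches"] = $ok
        $all = $all -and $ok
    }
    # Only an exact match on every value identifies the file as the reported
    # sample; anything else is a different file and deserves its own look.
    $report.IsKnownSample = $all
    [pscustomobject]$report
}

# Placeholder path: point this at the copy the scanner flagged.
Test-KnownFalsePositiveSample -Path 'C:\path\to\csshover.htc' | Format-List
```

`Get-FileHash` needs Windows PowerShell 4.0 or later. A mismatch on any hash means the flagged file is not the one Kaspersky confirmed as a false positive, and the detection should be handled as a fresh submission rather than waved through.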

Virus Alerts and SEP 11 MR4


Since upgrading from SEP11 MR2 to MR4, my virus alert email to admins no longer works.

As a side note, SEP11 has never allowed me to include the path and file name in the virus notifications. They did allow that in SAV10 and earlier. This is a big step back.

Before the upgrade, the email was sent as system@servername. I believe my mailserver was helpfully making the servername fully qualified. The mail had no issues.

Since upgrading, the notifications are no longer getting through. According to the Symantec Knowledgebase, they did this on purpose.

As of SEP 11.0 Maintenance Release 3 (MR 3), a ".com" suffix has been addred (sic) to the "From:" address used by SEPM (SYSTEM@computer_name.com) which should help reduce rejections by the mail server.

Help reduce rejections? Help reduce rejections! How does sending mail as system@servername.com help? That is guaranteed to be rejected by anyone who verifies the sender is a valid domain name.

I've opened a case with support asking for them to fix this.

Symantec does not allow you to configure your own sender address in SEP11. They suggest you lower the security posture of your mail server by accepting email regardless of how invalid the From address is. Validating the envelope-from domain is a common, easy antispam technique. I don't want to change it.

Looks like I need to add %Server_Name%.com to my internal DNS as a temporary workaround.

Another "improvement" in MR4.

UPDATE 2/17/09
See the comments, there is a way to do this after all. I've asked Symantec to update the KB I referenced.

SEP 11 MR4 Upgrade


I upgraded my production Symantec Endpoint Protection 11 environment from Maintenance Release 2 to Maintenance Release (MR) 4. SEP 11 MR4 MP1 has been announced but it wasn't available on Fileconnect yet. I also didn't want to postpone my upgrade and install MR4 MP1 in the test environment.

My upgrade to MR4 was smooth in the test environment. Of course the production upgrade was less than smooth.

I stopped the SEPM service as directed in the upgrade instructions, but the micro def builder processes continued. This locked files, and the upgrade didn't handle that condition correctly (force retry or replace files on reboot). The SEPM console couldn't open after the upgrade and the recommended fix is to Repair the install in Add/Remove Programs.

After Repairing the install, I was able to log in successfully to SEPM but my clients were no longer checking in.

After fiddling around a bit, we found that the port used by clients had been changed. If you do an upgrade it keeps the port on 80. But the Repair caused the port to be changed to something else. So all my existing clients were trying to connect on a port that was no longer being listened on.

Symantec has a knowledgebase article on changing the port, so I followed those instructions to change the listening port back to 80.

So a couple of things to watch out for:
1) Kill the def builder processes when performing an upgrade.
2) The Repair option is potentially a problem.
3) If after an upgrade your clients don't check in, go into IIS and see what port you're listening on. If it's the wrong port, check the Symantec KB for exact instructions on fixing it.

Shmoocon 2009 Day 1


The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I'm not trying to necessarily reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.

Opening Remarks
by Bruce Potter

People are getting owned a lot.
Trends


  • Increased success in getting past our defenses

  • Increasingly malicious motivations. The bad guys aren't after web defacements

  • In spite of the above, we haven't changed our methods. It's a lot of the same

  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line...in depth

Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren't just the risky underbelly of the web. It was every category of website. I don't think that is surprising to anyone who has paid attention to security.

These findings were published last year in USENIX.

The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.

So what do you do?
NAC? Most people don't have that deployed even if they've bought it.
Firewall Internally?
Token authentication?
Change jobs?

Digging ourselves out
As with most security talks and papers I felt like a solution wasn't really there. Fixing fundamental problems. I'm not sure if Bruce defined this. If he means teach everyone to code securely, then burn to the ground existing software and start over. Well, keep waiting for that.



The other talks on day one were quick 25 minute talks; I didn't always have notes.

Open Vulture - Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O'Toole and Matt David

I didn't take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.

Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you'll have problems with PVC tubing not being rated for the PSI.

The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.

The bad guys lost their command and control of the botnet when McColo was taken down. The good guys figured out how the botnet was selecting the hostname/domain name used in the backup. (The exact math of that is probably available at blog.fireeye.com or look for the slides when available on the Shmoocon website). By registering those domain names they prevented the bad guys from regaining control.

Under U.S. law they felt they could not send out an "uninstall" command to the botnet army. It would also be risky since the botnet is in kernel and you could potentially BSOD the clients.

No one asked about the return of spam that has been reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP had brought the bad guys' ASN back online briefly, allowing them to regain control.

Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.

Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.

I found the talk interesting. When you're doing manual static analysis of files, this could come in handy.

Decoding the Smartkey
by Shane Lawson

Kwikset SmartKey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bump keying. Here is a video from Kwikset on how to rekey.

Unfortunately, as this talk demonstrates, because of the technology used to allow rekeying it is possible to determine key height, compromising the lock.

SEP11 MR4 release notes have been posted here.

I suspect this is now available on the platinum site. I've been told by our sales guy that we should have access to that, but all I can ever get to is Fileconnect. Rumor is January 6th for Fileconnect. I'm more interested in the msp update files than the full CD for a full SEPM install. I don't see those on the KB or via FTP right now.

Here's one fix that I'm waiting for.

Wireless connections at 104Mb/second do not register with Location Awareness as Wireless connections.
Fix ID: 1441489
Symptom: Auto Location Awareness does not work when using 104Mbps wireless network.
Solution: Added 130Mbps/117Mbps to the list that detects when the wireless speed is not stable.

That information would have been helpful to me last week. I wasted quite a bit of time troubleshooting a user's problems with 802.11n.

I think I have more issues with smc.exe than rtvscan.exe. However every lowered amount of CPU helps.
Constant 5% Rtvscan CPU usage.
Fix ID: 1389006
Symptom: Constant 5% Rtvscan CPU usage seen from Process Explorer or Task Manager.
Solution: Changed to cache the state of Auto-Protect, thus reducing excessive calls which gather state information. The state is now updated once on startup, on change notification from Auto-Protect, and occasionally on the main timer, eliminating this issue.

There is a local denial of service vulnerability in the SPBBCDRV.SYS Device Driver.

http://securityresponse.symantec.com/avcenter/security/Content/2008.12.12.html

Symantec Endpoint Protection is not affected.

Symantec posted some performance numbers touting the improvement of SEP11 MR3 over MR2 and even SAV 10.

The slides are posted here.

I rescued an old comment from Akismet (the spam filter I'm using on the blog) because it asked an interesting question: how can Symantec's acquisition of MessageLabs improve their desktop antivirus?

My first reaction to this is that MessageLabs Antivirus can't be duplicated at the desktop. They use multiple antivirus engines in addition to their own Skeptic engine, a collection of heuristic detections. Multiple scan engines work on gateway servers, and Microsoft Antigen/Forefront/whatever uses multiple engines on SharePoint. But at the desktop, performance is needed. Also, don't quote me on this, but I thought I'd read that the Skeptic database has a huge ruleset. That also doesn't lend itself well to desktop performance.

Multiple antivirus vendors are now looking at implementing antivirus in the cloud. In this model, new/unknown files are sent to the cloud for analysis. Skeptic would fit in well in Symantec's implementation of that model.

Abrechnung


My Virus Alert folder is overflowing this morning with alerts.

One of the users got Joe-jobbed on a virus/spam run. It looks to be a German language attempt to get people to open a virus by making them think they have an unpaid bill.

One of the Subject lines is Abrechnung. Although since I'm seeing bounces, the subject line is usually a delivery failure message.

AV-Comparatives Performance Test


AV-Comparatives has released a test report comparing antivirus performance during boot, file copy and file compression.

To access the report, go to av-comparatives.org, click on Comparatives, and scroll down to the Performance Test report.

I'm always disappointed that the tests focus on consumer products (although Sophos is included). I'm more interested in Symantec Endpoint Protection than Symantec Antivirus 2009. I care more about McAfee Total Protection Suite than McAfee Antivirus.

EFS and SEP11


Occasionally when I try to open EFS encrypted text files on my Windows XP PC, the files are not decrypted and appear to be corrupt. If I reboot, I'm able to access the files again. These occurrences began when I installed Symantec Endpoint Protection 11 MR2.

A review of the Symantec Forums and Knowledgebase isn't particularly helpful. MR4 is rumored to be coming out in December; maybe that will help. Fortunately the problem is rare. I haven't had a user report yet, though I've seen this a couple of times myself.

Since deploying Symantec Endpoint Protection (SEP) 11 MR2 MP1, I've been fielding complaints from the System Administrator that the virtual machines are running 20-30% higher in total CPU usage than before the upgrade. He says that SMC.exe, a SEP11 process, is the culprit. SMC.exe is the process for administrative communication, so it seems odd that it would be constantly using so much CPU.

I first checked the Symantec Forums (forums.symantec.com) and found some people with the same problem but no solutions. First I found an old problem. It seems that in the initial release, when no user is logged in, SMC.exe would average 50% of the CPU. It's my guess that this is only partially fixed. It looks to me like with MR2, when a user is logged in CPU usage for SMC.exe is 0-10%, and with no user logged in it is 10-20%. The SA doesn't agree with my assessment due to some spikes in SMC, but I think those spikes are explainable by definition downloads or spikes right after logging in.

People in the forums also suggested turning things off. The problem is most of those things are already off in my environment. I don't believe in tamper protection. Proactive Threat Protection shouldn't be installed on servers either. I did turn off location awareness, which I wasn't using anyway, and the application monitoring. I also changed the communications from push to pull and from every 5 minutes to every 60 minutes.

Nothing I changed helped. I even tried upgrading a server to MR3 to see if that would help.

Having done all I could I opened a case with Symantec. At this point, the case has been open over a week. I've gathered logs for them, but there hasn't been a resolution yet.

W32.Kernelbot.A



Symantec Virus Definitions
--------------------------
LiveUpdate Plus: 11/03/08 v.025
LiveUpdate Daily: 11/03/08 v.025
LiveUpdate Weekly: 11/05/08
Intelligent Updater: 11/03/08 v.021

Summary
-------
W32.Kernelbot.A is a worm that spreads by exploiting the MS08-067 vulnerability
and through file sharing networks. It may also download files on to the compromised computer.

References
----------
Sophos W32.Kernelbot.A
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110315-4059-99

Symantec Internet Security 2009 detected nearly 10 times the exploits when compared to other security suites in a recent Secunia test.

Full results here.

Secunia's related blog post.

I can't wait for the vendors and bloggers to kick up a dust storm about why Secunia's methodology, assumptions and testing are wrong. This being the Internet that should be starting shortly. :)

At least Secunia can't be attacked as easily as Consumer Reports.

The latter point is that even the best detected less than 25%. So stay patched, and don't get socially engineered into manually installing the malware.

Symantec buys MessageLabs


Symantec buys MessageLabs, the leader in email security. Press release is here.

I was just talking to my old sales rep last week about ML on the market. It seemed to me that MessageLabs sold its ISP Star to make it easier to sell itself.

There are some good things here. Both Symantec and MessageLabs seem to have top notch anti-virus groups. I hope they don't feel they can eliminate redundancy.

I am concerned based on my past experience when Symantec bought IM Logic. Support immediately dropped from the excellent level that IM Logic maintained to the hit or miss quality of Symantec. I also felt that development slowed significantly for a time.

When Microsoft bought Sybari they added their own antivirus engine and eventually dropped some of the available engines in Antigen (I think I'm remembering that right). I'm not actually sure who MessageLabs is using right now, but I'm sure Symantec AV (crappy as it is) will be in the mix shortly. MessageLabs support has told me in the past which antivirus engines they use in email, but they don't advertise it because they want to be able to make changes to have the most effective defenses.

Here is hoping that the changes will be positive. For the past 5 plus years that I've used MessageLabs nothing beats them for email security.

SyKnApps update for SEP11


Symantec released a SyKnApps update last week for Symantec Endpoint Protection 11. The update notice I received didn't say much, just that "The new revision of SyKnApps improves the performance and overall functionality of TruScan." The email also said the update was available through LiveUpdate.

I had been wondering if the update would reach SEP clients who get their updates from a corporate SEPM server. By comparing file versions, I found that it appeared my internal clients did get c:\documents and settings\all users\application data\symantec\syknapps\syknapps.dll updated.

A Symantec KnowledgeBase article confirms this belief. It specifically says running LiveUpdate on SEPM will update the clients. It also confirms that this update fixes the cosmetic bug where the SEP client GUI displays the Proactive Threat definitions as July 30th.

No Chrome for SEP Users


According to a Symantec Knowledge Base article and complaining posters in the Symantec Forums, Symantec Endpoint Protection (SEP) 11 does not work with Google Chrome when the Application and Device portion of SEP is installed.

One workaround is to disable Chrome sandboxing. I'd tend to recommend that over disabling Application and Device Control in SEP. If any of my users were found to be disabling portions of SEP, they would be in violation of company policy regarding circumventing security software.

I used to have problems like this with our old personal firewall. To control what applications can run, the process has to be wrapped up. Some applications don't like that and crash. In the old personal firewall it was as simple as editing an "ignore" line into the configuration file. In SEP, I get the feeling we have to wait for a maintenance patch.

Websense blogged about this a couple days ago and I just saw it in our email today.

Here's the info on the messages that our email scanner stopped heuristically.

Subject: Fedex Tracking N_
File WD6128922.exe

SEP11 Liveupdate EventID 13

| 3 Comments | No TrackBacks

Late last week I began noticing an error in the Application event logs on some of my SEP11 systems.

Event ID 13: "LiveUpdate returned a non-critical error. Available content updates may have failed to install."
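As an added example (not from the original post), here is a PowerShell query that pulls these events from the Application log of a list of SEP clients, so you can see which machines took the defective patch and later confirm that the replacement stopped the errors. Because the post does not name the event source, the script matches on the message text rather than a provider name; the computer names are placeholders.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 3+
# (Get-WinEvent) and rights to read the remote Application logs.
# $computers is a placeholder list: replace it with your SEP client names.
$computers = @('WS-FINANCE01', 'WS-FINANCE02', 'LT-SALES07')
$since     = (Get-Date).AddDays(-14)

$hits = foreach ($pc in $computers) {
    try {
        # Event ID 13 is not unique to LiveUpdate, so filter on the message text too.
        Get-WinEvent -ComputerName $pc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Application'
            Id        = 13
            StartTime = $since
        } | Where-Object { $_.Message -match 'LiveUpdate returned a non-critical error' } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $pc
                    TimeCreated = $_.TimeCreated
                    Source      = $_.ProviderName
                }
            }
    } catch {
        # "No events were found" and unreachable hosts both land here with -ErrorAction Stop.
        Write-Warning "$pc : $($_.Exception.Message)"
    }
}

# One row per machine: count plus first and last occurrence. Once the corrected
# patch has gone out, "Last" should stop advancing.
$hits | Group-Object Computer | ForEach-Object {
    [pscustomobject]@{
        Computer = $_.Name
        Count    = $_.Count
        First    = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
        Last     = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Last -Descending | Format-Table -AutoSize
```

Run it again a day or two after the replacement patch is published; any machine whose "Last" timestamp keeps moving forward has not picked up the fix.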

Over at Symantec Forums people report receiving a couple of different answers from tech support. Looks like the definitive answer is:

The Event ID 13 error is due to a defective patch that went out via LU on August 4, 2008. It was pulled from LU on the 7th, but machines that already downloaded the patch will display these symptoms.

Besides cluttering logs, these errors are not detrimental to system performance or security.

When the new patch to replace the defective one goes out sometime next week, the errors will stop happening.

I'm assuming the fix they are referring to is the Symantec Eraser update scheduled for Monday.

Symantec expects to post its quarterly update to the Eraser engine in the certified definitions of Monday, August 11th, US Pacific Time. This release includes internal enhancements and does not address any specific customer issues seen in the field. Eraser file versions will be 2008-2.0.125. This update will cause the size of the xdb file to temporarily increase.

From a thread at the Symantec Forums, it looks like Symantec has left out a critical component of admin virus alerts.

I like to receive emailed virus alerts when client computers detect a virus. Waiting for me to open SEPM and look in the console, or waiting for the user to mention it, is not an option. While SEP11 has email virus alert functionality, it cannot be customized. Their email is not as useful as it should be because it does not include the file path or filename.

If anyone knows of a way to do this let me know.

Symantec has reported a false positive:

The second set of July 23, 2008 LiveUpdate posting will correct a false
positive detection on DWRCS.EXE from DameWare Development LLC. The Affected
file is incorrectly detected as Infostealer.Gampass. This FP was first
introduced in RapidRelease definitions build number 83841 (version
07/22/2008 revision 53) and in the 07/23/2008 revision 9 LiveUpdate and
Intelligent Updater definitions. It was corrected in RapidRelease
definitions build number 83882 (version 07/23/2008 revision 37).

SecurID and SEPM

| No Comments | No TrackBacks

Symantec Endpoint Protection Manager Console (SEP11) allows authentication through local accounts, Active Directory and SecurID. SecurID is a two-factor authentication system which combines a user-known PIN with a token-generated six-digit code to form the passcode. The tokencode changes every 60 seconds.

Because the SecurID passcode is always changing imagine my surprise when I attempted to log into SEPM and I received an error that my password has expired. After checking the KB and the Symantec forums and not finding an answer, I opened a case with support. Support tells me that this is a known issue that should be fixed in a future maintenance release.

For now I'm going to have to either configure AD authentication for people requiring access to the SEPM console (such as admins and helpdesk) or, if I continue with SecurID accounts, recreate their accounts every 90 days.

I think it's a really good idea to use AD or SecurID for authentication so that each administrator doesn't end up with 50 accounts with bad passwords that are never changed. It would be preferable, however, if the authentication actually worked correctly.

Tech Support Bakeoff

| No Comments | No TrackBacks

No conclusions can be drawn from this single-instance comparison. I called both Sophos and Symantec tech support to ask them a simple question: are there any known interoperability issues between your product (SEP11, and Sophos AV/AF) and PGP? We have seen conflicts in the past between some personal firewall clients and PGP and we'd like to know of any issues.

First I checked the knowledge base articles for each vendor. A search for 'PGP' returned nothing on each website.

Next, a call to Sophos. I got the phone number off their public website. This was not a support line for evaluation customers. I called, went through the phone menu and was talking to tech support after maybe a minute of hold time. He knew there was a potential issue and read me a KB article from their internal system. There is an issue when PGP is installed after Sophos. Couldn't expect much more, although I don't see why that article wasn't in the public KB.

Next, a call to Symantec. It took 3 minutes to get to the call pre-screener. This person couldn't find my contact information...asking me if I've called before. Yeah, for the past 8 years. 9 minutes into the call I finally escape the pre-screen and get into the real phone queue. The recording says the customer waiting the longest has been on hold for 7 minutes. That is incredible. I was expecting to be on hold for 2 hours, since I called in the afternoon. In about 5 more minutes, I talked to the tech, who was not aware of any PGP issues. I pointed out that PGP interoperability problems would occur most when managing what applications can run, which is off by default. He checked with other people and no one was aware of any issues.

The difference in support on this one call was not as great as I expected. I could live with either one. I just need to get my Symantec account straightened out so I don't have to fight with the pre-screener so much.

German contract virus

| No Comments | No TrackBacks

I'm seeing some new virus detections on the SMTP layer.

Filename: vertrag.exe (Vertrag is German for contract)
Detected as: New Malware.co

Subjects: Mietvertrag (Mietvertrag is German for lease according to babelfish.)
Abbuchungsvertrag (Deduction contract in German)
Tilgungsvertrag (Repayment contract in German)

As I've posted previously, currently I'm doing an eval with Sophos to potentially replace our Symantec Antivirus with Sophos Antivirus, HIPs and Firewall. Sophos provides support for a wide variety of Operating Systems.

I haven't crossed that bridge yet, but I did talk to my pre-sales support (hi Chris) about the issues with 1) convincing Linux, Solaris and Mac users to follow the company policy and install antivirus and 2) the new burden of these people now thinking you provide support for anything that goes wrong with their system because it must be the AV's fault.

Mark Harris Director of SophosLabs has written a blog entry covering some of the same type of information. He announces Sophos Anti-Virus for UNIX 7.0 beta and explains why Antivirus for Unix is even necessary.

This week I began an evaluation of Sophos Endpoint Security. (Why do I get the feeling all over the country sales guys just perked up and began repeating "sales lead" to themselves?) Currently we're using Symantec Antivirus 10. I'm looking to consolidate antivirus, antispyware and the personal firewall into one product. We also want more protection than signature-based solutions can provide. For years I've wanted to go with Cisco Security Agent (although now I don't want to add yet another agent); I've also considered McAfee Total Protection because it has the McAfee HIPS technology.

Sophos recently made big sales to Northrop Grumman and GE. This shatters the notion that they are only a small European AV vendor. Sophos sales tells a pretty good story, and they are nothing if not tenacious.

When I set up their enterprise console, I found, as they stated, that it's a lot simpler to manage than McAfee TPS and Symantec Endpoint Protection. When I got to installing the client I found a couple of things that really bother me.

1. McAfee and Symantec both provide mechanisms for locking the client configuration. With Sophos they create local groups; Sophos Administrator, Sophos Power User and Sophos User. The install on the client added every member of local administrators to the Sophos Administrators group. In our company employees have local admin rights so this is kind of a problem.

Sophos' answer to this is to use Restricted Group in Group Policy to restrict membership in the Sophos Administrators group to whatever groups you specify. Additionally they use Group Policy to place NTFS file permissions on their XML configuration file.

This solution is simply not as granular as that provided by the competitor. With Symantec I can allow specific settings to be modifiable by the user. I can give the user the uninstall password if necessary. This solution doesn't allow you to lockdown settings on computers that are not members of your domain. This solution creates a dependency on group policy acting correctly. Informed local administrators may be able to add themselves to the group long enough to perform their rogue task.

2. Installing Sophos requires supplying a local administrator account for the machine where the installation is occurring. Since we generally deploy software through SMS, this means I'll have to supply a password in the command line script. I believe that is specifically forbidden under NIST 800-53. It's certainly bad practice. It also raises questions on how users outside the domain will install (home users, Windows computers in other domains).

I haven't run across software with this requirement before. Either software runs as the user running the install (if they have admin rights) or you run the install as the sms install account.

I had a lot of problems getting the install to work, and then successfully check in for updates, when installing on a non-domain computer.

3. The Sophos install creates a local administrator account. Now I'm sure it has a very strong password, but I'm just not comfortable with my software creating a local admin account. Symantec didn't do that. McAfee didn't do that.

I've been accused of writing off these endpoint security vendors too quickly. The way I see it, it doesn't matter if the rest of the eval is perfect: if Sophos can't answer to my satisfaction why they are doing things this way and why it isn't a problem, I can't go with this product.

Sophos has already gotten me to change some of my thinking. Their defaults include scanning program files only, scanning on read/execute only, and not scanning compressed files. It's no wonder they claim to be faster than the competitor. In those cases, they had a good argument for their recommendations (although a sales engineer did recommend I scan on write too and ignore the manual on that point). These three issues may be too much for me to accept.

My sales engineer is out most of next week. I'm out Monday. I'll post a followup when I get some answers back.

Subpoena in a Civil Case

| 2 Comments | No TrackBacks

The SANS ISC Diary has a good write up of the Subpoena in a Civil Case malicious email. Wish I had seen that before investigating the copy our CEO received.

The message is from subpoena@uscourts.com with a display From of United States District Court. It says

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specified below.

It has a link to download a document on the matter. The website prompts to install a malicious activeX control.

The malware we received doesn't seem to be the same file the ISC is reporting.

Tax Contract for $companyname

| 1 Comment | No TrackBacks

This morning MessageLabs blocked a suspicious message to a recipient in our finance department.

Subject: Re:tax contract for , INC
The message contained a Word document attachment named incomplete_contract.doc. The Word doc contained an embedded exe named MicrosoftWordhasencounteredanerrorandneedstoclose.Pleasedoubleclicktheicontoreloadmsword.exe

These are probably the same people who tried last week with subject lines "Re : Tax Refund for %firstname% %lastname%" with a scr attachment.

Going through my email I see a similar detection back in February Complaint Filled against , (Case id: #3DB0A4) again with a scr attachment.

As I was driving into work this morning, my BlackBerry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major exe. When I read the technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named "bak" at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.
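Those two behaviours, a sibling "bak" folder holding the original and every autostart target overwritten with the same body, are both checkable from a PowerShell prompt. The script below is an added example, not from the original post or Symantec's write-up, and it assumes only what the write-up states: the two Run keys above, the bak folder next to the original, and the original replaced by a copy of the Trojan. Run it elevated on Windows PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example, not from the original post or Symantec's write-up. Hunts for the
# two Zonebac artifacts on the local machine. Requires Windows PowerShell 4+
# (Get-FileHash); run elevated so HKLM targets under Program Files are readable.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RunTargetPath {
    param([string]$CommandLine)
    # A Run value is a command line: "quoted path" args, or an unquoted path
    # ending in .exe followed by arguments. Either may contain %VARIABLES%.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        $target = Get-RunTargetPath ([string]$reg.GetValue($name))
        if (-not $target -or -not (Test-Path -LiteralPath $target)) { continue }
        # Zonebac parks the original as <dir>\bak\<name> before overwriting <dir>\<name>.
        $bakCopy = Join-Path (Join-Path (Split-Path $target -Parent) 'bak') (Split-Path $target -Leaf)
        [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Target    = $target
            BakExists = Test-Path -LiteralPath $bakCopy
            SHA256    = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        }
    }
}

'== Run targets with a sibling bak\ copy =='
$findings | Where-Object BakExists | Format-Table ValueName, Target -AutoSize

'== Distinct autostart programs sharing one hash =='
# Unrelated products never ship byte-identical executables. Once Zonebac has
# overwritten each Run target with a copy of itself, they all hash the same.
$findings | Group-Object SHA256 |
    Where-Object { @($_.Group.Target | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group | Format-Table SHA256, Target -AutoSize }
```

The second signal is the more reliable one: a single hash shared by several different vendors' programs has no benign explanation. Treat the bak\ copies as evidence, not as something to restore from in place; once the host has run an arbitrary-code-execution exploit, the wipe-and-rebuild the post settled on is the sound call.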

Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.

This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.

It looks like I may have to move up my implementation of Adobe Reader 8.2.1

Brian Krebs' writeup on this reports that according to iDefense this was spreading through banner ads. http://blog.washingtonpost.com/securityfix/2008/02/hackers_exploiting_adobe_reade.html

Symantec Eraser Engine update

| 1 Comment | No TrackBacks

Perhaps the following explains the trouble I had with SEP11 and Vista.
From an email sent to platinum customers:

Update: Eraser Engine update - 01/18/07

Symantec has released an Eraser Engine update today, January 18th US Pacific Time. This update replaces a planned AV Engine update that was announced in a previous Platinum Bulletin. It addresses an issue seen by some customers using Symantec Endpoint Protection 11 on Windows Vista which in rare circumstances could cause the system to become unstable. Following this update, the AV Engine and Eraser will have the following versions:

naveng32.dll: 71.4.0.23
ccEraser.dll: 107.4.1.2

Yet Another SEP11 problem

| No Comments | No TrackBacks

I wrote last week how my Vista tablet cratered shortly after I installed Symantec Endpoint Protection 11. I've rebuilt that computer, and decided not to do any more testing with SEP for a while. If I didn't have Symantec coming in sometime soon for a NAC demo I'd be evaling McAfee Total Protection Enterprise.

Today I came in after a few days off and found that my desktop is out of hard drive space. After looking around I found 18.6 GB of files in c:\program files\common files\Symantec shared\. Most of these files were in directories named *.tmp. Now I know this sort of thing happened in previous versions of Symantec as well, but it hadn't happened to me, and it hadn't happened within weeks of installation.


http://www.us-cert.gov/current/index.html#microsoft_access_database_file_attachment

US-CERT is aware of a stack buffer overflow vulnerability in the way that Microsoft Access handles specially crafted database files. Opening a specially crafted Microsoft Access Database (e.g., .MDB) can cause arbitrary code execution without requiring any additional user interaction. Microsoft Access files are considered to be high-risk, so it may be possible to execute arbitrary code without using a vulnerability in Microsoft Access.

US-CERT is aware of active exploitation using malicious Microsoft Access databases.

To help protect against this type of attack, US-CERT recommends the following:

Do not open attachments from unsolicited email messages
Block high-risk file attachments at email gateways

"I've got issues"

| 3 Comments | No TrackBacks

Ok, so the title is an inside joke.

On Monday I began having some issues on my Vista Tablet.


  • The computer isn't able to obtain an IP address from the DHCP server

  • An error: error 56 the cisco systems, inc vpn service has not been started

  • Unable to uninstall SEP11

  • Unable to perform a rollback to a previous snapshot

  • Unable to open tcp/ip properties because supposedly another dialog was already open

I'm blaming Symantec Endpoint Protection 11. That was the last change to the system.

Symantec Liveupdate November 21

| No Comments | No TrackBacks

I noticed today that Liveupdate on my home computer wasn't working. The definitions were at November 21, 2007. When I attempted to run liveupdate manually I received an error " LU1825: LiveUpdate could not understand how to install this update. You may need to get the latest version of LiveUpdate before you can install this update."

I'd previously been following threads about this problem over at Broadband Reports and at the Symantec Forums.

I followed the advice here to either reboot or restart the Symantec Antivirus service. I restarted the SAV service and immediately liveupdate worked. I've had this problem on SAVCE 10.1.6 and 10.0.1, but I've seen postings from users of Symantec AV consumer products as well.

Article: Color Me Complex

| No Comments | No TrackBacks

Information Security Mag has an article by Ed Skoudis and Matt Carpenter in which they do a bake-off between several endpoint protection products.

http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1280028_idx1,00.html
(Not sure if non-subscribers can view that or not. It's free to sign up, or try bugmenot.)

This will make all the Symantec bashers angry, but it actually comes out rather well. Looks like it will be worth it to learn the new platform that is SEP and upgrade.

Points of interest to me


  • ISS not doing so well. They don't have their own AV, so the AV piece and the rest seem cobbled together

  • Third Brigade not yet well integrated with Trend

  • McAfee surprisingly not doing well. I would have expected McAfee HIPS (Entercept) to have crushed the malware tests. It seemed that only the buffer overflow protection was tested. Was HIPS not on by default? I'm pretty sure it is part of Total Protection Enterprise.

  • Symantec doing rather well.

  • Sophos scanning on read only by default

The article writers feel that Endpoint Protection suites are still new and have some maturing to do.

Trend's Anti-SEP Marketing

| 1 Comment | No TrackBacks

Last week, I received an email from Trend Micro bashing Symantec Endpoint Protection 11. This seemed like kind of a desperate move. If Trend is truly a top tier AV company why do they need to take shots at Symantec?

There’s something you need to know about Symantec Endpoint Security. Going to version 11.0 requires at least one reboot, frequently two. If you are on version 9.0 or older, Symantec recommends a full rip and replace. Now that's a cumbersome migration!

I guess Trend feels that Symantec AV admins are rather frustrated with the product and they are trying to tap into that.

Here's a link to a Symantec Product Manager's take on the Trend email.

Adobe PDF Attacks

| No Comments | No TrackBacks

Symantec's blog entry about the Adobe PDF exploits reported that the attacks were targeted attacks on a handful of specific organizations. Their writeup on Trojan.Pidief.A still has a low threat assessment:

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low

It looks to me like these malicious pdfs are being spammed more widely right now. We've received files detected as exploit-pdf.shell.

Subject Lines / File names
Personal Credit Points / report.pdf
Personal Financial Statement / report.pdf
Statement of retained earnings / dept.2007.10.26.3689762.pdf

Ars Technica reports that Google is now giving Postini protection to its enterprise customers who use its hosted email services. That's great, but I don't really trust them with my data, let alone my customers'. For smaller businesses with less in-house expertise, I can see that as a good play.

Phishing ADP

| No Comments | No TrackBacks

ADP posted the following on Friday.

Beginning yesterday, certain ADP clients and other parties started receiving fraudulent e-mails that appear to be sent from ADP. They were not.

If you receive these e-mails DO NOT OPEN, FORWARD, LAUNCH OR RESPOND TO THEM. IMMEDIATELY DELETE THEM. The e-mails and their attachments are malicious and could harm your computer. We believe they are attempting to compromise your data.

WHAT YOU NEED TO KNOW:

Here is what you should be on the lookout for:

The "from:" address in these e-mails may have been spoofed to look like it is coming from ADP such as "emplservices292823@adp.com" or "adpcomplaintcenter@adp.com".
The subject line may read: "Agreement Update for [Your Company Name (Case id: ______)]" or "Complaint Update for [Company Name (Case id. #)]".
The e-mail may have an attachment named either Agreement.rtf or Agree.rtf or may instruct you to "download a copy of your complaint."
These attacks are sophisticated and you may receive other fraudulent e-mails. Please be careful not to open any suspicious attachments or to download any files.
ADP will continually update the information on its website to help you identify and avoid problems from these suspicious e-mails. You will be able to visit http://www.adp.com/about_fraudulentemail.asp for the latest information.

WHAT YOU NEED TO DO:

If you received one of these suspicious e-mails do not open the attachment and do not provide any information of any kind. Delete the e-mail and any attachment immediately.

WHAT IS ADP DOING ABOUT THIS:

ADP's security team is working with law enforcement as well as outside experts to identify those responsible for this attack. If we identify any further steps needed to protect your computer, ADP will immediately post this information on our website.

We appreciate your understanding as we work with law enforcement and you to resolve this matter.

Forefront for Sharepoint Eval

| No Comments | No TrackBacks

We've decided that McAfee Portalshield for Sharepoint isn't cutting the mustard so its time to look for other products. The Sharepoint guys are working on upgrading to Sharepoint 2007. From what I've heard McAfee doesn't support Sharepoint 2007 yet. McAfee Portalshield has had a couple annoying habits anyway. Once we installed it, we had to restart IIS on a scheduled basis, otherwise the sites would become unavailable. We also had one compressed file that would constantly get detected, and we could never figure out where the file was located.

One of the sysadmins installed Forefront for Sharepoint and asked me to check it out. I really don't remember why we didn't go with this a year ago. I like Sybari products and this should be pretty much the same thing as the newer Microsoft Forefront branded products.

As I began to eval, I attempted to upload an eicar file. Forefront successfully detected this, but I also received a detection from Symantec Antivirus Corporate Edition (the file system antivirus) for Eicar in C:\Program Files\Microsoft Forefront Security\SharePoint\Data\ADF\VxData\eicar.00.ext. I figure that I need to exclude the data directory in SAV. It would be nice to find a KB indicating that, but no joy thus far.

Next, I uploaded cain.exe into my Sharepoint My Site. Actually, it rejected cain.exe because it is an executable, so I renamed the file to cain.ex_. Sybari had an incredibly stupid configuration where they only scanned file types known to be potentially malicious (this setting isn't visible to the admin and is on by default). It seems that this behavior has held over to Microsoft Forefront, because cain.ex_ is not detected on upload. I initiated a quick scan of My Site in Sharepoint. Forefront still detects nothing, but I received a detection from SAV:
File: C:\WINDOWS\Temp\3e540056.$$$
Virus: CainAbel
It appears that Forefront is unpacking its scanned files in Windows\Temp. This seems incredibly foolish. I'm wondering if this has something to do with using the Clean setting rather than the delete setting. Either way, this shouldn't happen.

One Monster of an Attack

| No Comments | No TrackBacks

There are several lessons to be learned from the recent penetration of monster.com and the subsequent phishing attempts. In this attack, recruiter accounts were compromised and used to download around a million Monster user records. These records were used to create targeted phishing attacks purporting to be from interested employers.

The first thing I'm wondering is how these recruiter accounts were compromised. Was the account brute-forced? If so, why did Monster allow the use of weak passwords? Why didn't Monster lock the account after numerous bad password attempts? I sure hope the people whose accounts were compromised didn't use that password anywhere else, or if they did, they should be frantically changing them.

Even if the account(s) were compromised through the use of a keystroke logger on the recruiters system, why were they able to download so many records. Shouldn't that raise some sort of red flag?

In the case of the phishing, users need to be aware that requests for their personal, bank and credit information need to be treated with suspicion. Beware what information you make available on such a site in the first place.

SAV and ccapp part 2

| 2 Comments | No TrackBacks

As I wrote about this morning, I've had some issues with SAV 10.1.6.6010 and ccapp.exe.

The first issue with ccapp and vptray not loading was traced to bad permissions on the files msvcp71.dll and msvcr71.dll. The logged-on user didn't have rights to the files. They were needed for ccapp.exe and vptray.exe to run. That problem is solved. Let's hear it for Process Monitor from Microsoft.

I called Symantec about the SMTP issues. They suggest that I remove the internet email scanner where it is a problem. Seems odd after all these versions that I'd suddenly have a problem with it. I checked with my fellow Symantec Admins over at myitforum but no one else has had this happen. Looks like I'll be deploying without the Internet email plugin.

I had one other problem on one computer: ccapp.exe - Application Error. The instruction at "0x010e1fe0" referenced memory at "0x010e1fe0". The memory could not be read.
After uninstalling the internet email scanner the problem did not return in our brief testing. I'll have to keep an eye on that.

SAV and ccapp.exe

| No Comments | No TrackBacks

I'm trying to upgrade my Symantec Antivirus CE to 10.1.6.6010. In the small test group I've got going right now I've got two issues.

1. the error "The application failed to initialize properly 0xc0000022." for both ccapp.exe and vptray.exe occurs when the guest account logs in. (I need to do some checking to see what happens when I log in as a regular user).

Investigation with SysInternals Process Monitor shows that it checks for msvcp71.dll in c:\program files\common files\symantec shared\ not finding it there, it finds the dll in system32. After opening it, it then tries to write to it. Of course regular users cannot write to dlls in system32. Actually on my computer, it looks like the user who did the installation gets full control and no one else gets any access.
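The 0xc0000022 in that error is STATUS_ACCESS_DENIED, which fits the Process Monitor trace. The follow-up post above ("SAV and ccapp part 2") traced it to the ACLs on msvcp71.dll and msvcr71.dll. The script below is an added example, not from the original post; it checks both locations ccapp looks in and reports whether an ordinary interactive user holds Read & Execute on each copy, with the icacls one-liner to repair it. The directory paths are assumed from the post (Symantec Shared under Common Files, and System32).

```powershell
# Added example, not from the original post. Reports whether ordinary users can
# read and execute the CRT DLLs that ccApp.exe and VPTray.exe load, in both
# locations Process Monitor showed ccApp probing. Requires Windows PowerShell 3+.
$dlls = 'msvcp71.dll', 'msvcr71.dll'
$dirs = "$env:CommonProgramFiles\Symantec Shared", "$env:SystemRoot\System32"
$rx   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
# Any of these principals holding RX means a normal logged-on user can load the DLL.
$userPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

function Test-UserCanExecute {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -in $userPrincipals
    }
    if ($denied) { return $false }   # an explicit Deny beats any Allow
    $allowed = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $userPrincipals -and
        (($_.FileSystemRights -band $rx) -eq $rx)   # FullControl and Modify include RX
    }
    return [bool]$allowed
}

foreach ($dir in $dirs) {
    foreach ($dll in $dlls) {
        $path = Join-Path $dir $dll
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $ok = Test-UserCanExecute $path
        '{0,-60} users have RX: {1}' -f $path, $ok
        if (-not $ok) {
            # (RX) is read and execute; run from an elevated prompt.
            Write-Warning "repair with: icacls `"$path`" /grant `"BUILTIN\Users:(RX)`""
        }
    }
}
```

The check only answers "can a user load this DLL"; it does not tell you who broke the ACL. As the post observed, an installer that grants Full Control to the installing account and nothing to anyone else produces exactly this symptom, so the same check is worth running on the other DLLs in the Symantec Shared folder after an upgrade.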

Another user reports that ccapp crashes at logout and the account never successfully logs out.

2. I'm also having reports of trouble sending email, but I haven't checked into that yet.

I'll either update this post when I get to a solution, or create a new post with a trackback to here.

By the skin of their teeth

| No Comments | No TrackBacks

Over at BroadbandReports, I ran across a thread linking a wilderssecurity thread with screenshots to just about every antivirus product. One of the posters noted that some of these antivirus products allow you to "skin" them.

Call me an old fuddy-duddy, but skins have no place on antivirus products. I seem to recall both Winamp and Real Player having security vulnerabilities due to their skins. That may be acceptable for media players, which need to be hip. I just expect my antivirus to work. I don't want to know it's there.

Mal/Dropper-L

| No Comments | No TrackBacks

We had a couple viruses get past MessageLabs last night. That is not something I normally see. Both files were named lgame.zip and contained a single file lgame.exe. The subject of the message was "Hot Pictures." Sunbelt Software's analysis of this file is really good. You can view that online here.

The email messages were detected as a virus by the scanner on the mail server. It was detected as Mal/Dropper-L.

I plan to report this false negative to MessageLabs but their support has been very unresponsive to similar incidents. Their script requires me to save the infected message in a msg format, zip it and mail it to them. Because my mail server antivirus quarantined the attachment, it would be very difficult to reconstruct the original message.

I submitted to virustotal. Here are their results. (this is 7 hours after the files were originally sent).

File lgame.exe received on 08.13.2007 15:00:28 (CET)

Antivirus          Version        Last Update  Result
AhnLab-V3          2007.8.9.2     2007.08.13   -
AntiVir            7.4.0.60       2007.08.13   Worm/Ntech.D
Authentium         4.93.8         2007.08.11   -
Avast              4.7.1029.0     2007.08.13   Win32:Agent-JYG
AVG                7.5.0.476      2007.08.13   -
BitDefender        7.2            2007.08.13   DeepScan:Generic.PWS.Games.4.2D9F7732
CAT-QuickHeal      9.00           2007.08.13   -
ClamAV             0.91           2007.08.13   Trojan.Dropper-2099
DrWeb              4.33           2007.08.13   BackDoor.Bulknet
eSafe              7.0.15.0       2007.08.10   -
eTrust-Vet         31.1.5055      2007.08.13   Win32/Cutwail!generic
Ewido              4.0            2007.08.13   -
FileAdvisor        1              2007.08.13   -
Fortinet           2.91.0.0       2007.08.13   -
F-Prot             4.3.2.48       2007.08.10   -
F-Secure           6.70.13030.0   2007.08.13   Trojan-Downloader:W32/Agent.BRK
Ikarus             T3.1.1.12      2007.08.13   Trojan-Downloader.Win32.Agent.brk
Kaspersky          4.0.2.24       2007.08.13   Trojan-Downloader.Win32.Agent.brk
McAfee             5095           2007.08.10   -
Microsoft          1.2704         2007.08.13   -
NOD32v2            2455           2007.08.13   a variant of Win32/TrojanDownloader.Agent.BRK
Norman             5.80.02        2007.08.13   -
Panda              9.0.0.4        2007.08.12   -
Prevx1             V2             2007.08.13   -
Rising             19.36.02.00    2007.08.13   -
Sophos             4.20.0         2007.08.12   Mal/Dropper-L
Sunbelt            2.2.907.0      2007.08.11   -
Symantec           10             2007.08.13   Trojan.Pandex
TheHacker          6.1.8.167      2007.08.13   -
VBA32              3.12.2.2       2007.08.11   -
VirusBuster        4.3.26:9       2007.08.12   -
Webwasher-Gateway  6.0.1          2007.08.13   Worm.Ntech.D

Additional information
File size: 20992 bytes
MD5: dfade0d9b21be4fd57dd6975d9fe7ccd
SHA1: 31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6

update: MessageLabs did realize they had let this through and sent us a list of messages to delete. Unfortunately they sent it to the lead contact (who was on vacation) rather than sending to all of us. Fortunately we'd already caught those messages.

Adware.cpush detection

| 14 Comments | No TrackBacks

I received what appears to be yet another false positive in Symantec Antivirus. Adware.cpush was detected in c:\program files\filezilla\uninstall.exe.

FileZilla is an open-source FTP/SFTP client. This has been on my computer for a while, so I tend to believe it is a false positive. I'll update this thread if I see anything from Symantec on this subject.

Update 7/16 12:20pm:
Symantec sent out the following email:
-----Original Message-----
From: symalert@symantec.com [mailto:symalert@symantec.com]
Sent: Monday, July 16, 2007 12:13 PM
Subject: LiveUpdate posting to correct False Positive
The July 16, 2007 LiveUpdate posting will correct a false positive detection
on some installers or tools created using the Nullsoft Scriptable Install
System (NSIS). This FP caused such files to be incorrectly detected as
Adware.CPush. This FP was first introduced in
RapidRelease definitions build number 70817 (version 07/14/2007 revision 32)
and in the 07/15/2007 revision 2 LiveUpdate and Intelligent Updater
definitions. It was corrected in RapidRelease definitions build number 70822
(version 07/15/2007 revision 4).

Today's LiveUpdate and Intelligent Updater definitions will also correct
this FP. These definitions will have the version 07/16/2007 revision 21.
Current ETA for posting is 10:30AM PDT. An additional message will be sent
approximately 30 minutes before the LiveUpdate virus definitions are
available for download.

Symantec sent an email early today to its Platinum customers reporting that they are working on a tool which will update the decomposer engine in Symantec AntiVirus Corporate Edition and Symantec Client Security.

The tool will update all supported versions of SAV and SCS to the latest decomposer engines to address the SYM07-019 vulnerability.

They estimate this tool will be released by the end of the day on Wednesday July 18th, 2007 US Pacific Time.

I wasn't particularly looking forward to upgrading my 10.0.2 clients to 10.1.6. So hopefully this will make it possible to easily upgrade the vulnerable component.

After hearing about Postini's sale to Google, I wrote earlier this week wondering if Message Labs were also on the market.

A Friday article in the Financial Times reports that Message Labs has been positioning itself to be bought. As Brightmail, FrontBridge and now Postini were purchased, it is hard for me to see if Message Labs is the odd man out or if their value is greater now that other options have been removed. The article also states that if a sale is not complete, an IPO could be in the works (reminds me of the Sybari IPO where Microsoft bought the company).

The article reports that likely buyers are McAfee, TrendMicro, IBM and HP.

Multiple vulnerabilities have been announced today in Symantec Antivirus. The most critical of these vulnerabilities could allow arbitrary code execution.

Currently users of 10.0 and 10.1 are being advised to upgrade to 10.1.6.6000. 10.2 is not affected. Hopefully the guidance here will become more clear. During last year's SAV vulnerability it took quite a while before MSP files were released for all supported product branches. Right now, I would have to completely upgrade the client instead of installing a small patch.

Yesterday, I attended a webinar on Symantec Endpoint Security 11. It should be available for on-demand replay at some point at symantec.com.

A lot of people including myself have been very negative about the Symantec product, virus detection rates, and product support. I'm actually starting to believe that Symantec is turning things around. Yes, I know this brief ray of hope will soon be crushed by more Symantec nonsense. But for now, for this blog entry, I'll focus on the positive.

Symantec Endpoint Security, formerly code named Hamlet, is a single agent, single console solution. In the past people have implemented piecemeal solutions. So the clients have anti-virus products, antispyware products, and a personal firewall. Each of these products requires a separate management point. They each require upgrades and management. There is an incredible cost to the old "best-of-breed" approach. Back then "kitchen-sink" solutions like Symantec Client Security were bloated beasts that weren't the best at anything. McAfee Total Protection was the first vendor to grab my attention with a consolidated approach. Let's see what Symantec brings to the table.

  • Antivirus - as I've blogged about before, Symantec is doing much better on the AV tests.
  • Antispyware - Includes Veritas technology VxMS to detect rootkits. They feel this is superior to rootkit detection in other products. I'm not convinced though that the product is overall better in spyware detection than Webroot or Sunbelt. But it may be worth it to preserve resources.
  • Intrusion Prevention (Network and Host): generic exploit blocking (currently in SCS), Proactive Threat Scan (from Whole Security), deep packet inspection
  • Device Control - restrict data leakage (not a lot of info on this that I noted)
  • Symantec NAC

This is all with a single agent. According to the presenter McAfee is using multiple agents in its product.

They had some interesting memory baseline numbers:
Symantec Antivirus Corporate Edition - 62 MB
Symantec Client Security - 129 MB
McAfee Total Protection - 71 MB
Symantec Endpoint Protection - 21 MB
That is a very significant number. We have been very concerned about each security solution adding a burden to the computer.

There is a public beta. To sign up for that, or for additional information, check out www.symantec.com/endpointsecurity.

This sounds interesting. Of course I would never install a dotZero release from Symantec. But about 6 months after release this could be of interest.

On Friday, I received an email from postcards@kissesonapostcard.com with the subject: "Hi there, an old friend has just sent you a greeting card and a kiss!" It was sent to the infosec board's mailing list so there is no chance this is legit.

The message contained a link, "Get your greeting card here" hxxp://send.kissesonapostcard.com/a_friend.exe (hxxp munged by me to avoid people accidentally clicking on a link).

Kaspersky detected this file as IRC.Zapchast so I submitted the message to my email hygiene provider.

Now most people wouldn't have done that because their email antivirus product has no hope of detecting links to malicious code in emails. Since mine purports to do this, I submitted the email. Surprisingly, two days later, I got an email back with a case number. Another two days later, I was asked by support to save the offending message as a .msg file and then zip it and send it to them. That kind of annoyed me because I included full headers and the html of the message.

As long as I was thinking about this file, I ran it through virustotal again. This time most of the vendors are catching it.

This evening after the latest SAV update, I'm seeing detections on all of my systems with the Windows Resource Kit installed. The files instsrv.exe and srvany.exe are detected as Hacktool.

Both files are used when creating a service.

We'll see if they back off this detection, or if it will be yet another thing we have to whitelist (and whitelisting doesn't work so well in the version of SAV I am running). Vendors need to do a better job being flexible about potentially unwanted programs.

update - received an email from symantec
From: symalert@symantec.com [mailto:symalert@symantec.com]
Sent: Friday, June 22, 2007 10:07 PM
Subject: Symantec Security Response will post LiveUpdate virus definitions today, June 22, 2007 PDT

This posting is in response to a false positive detection on the file srvany.exe from Microsoft's Resource Kit. This FP was first released in Rapid Release definitions 70045 and later in the 6/22/2007 rev.33 Intelligent Updater and LiveUpdate definitions. The false positive has been corrected from Rapid Release definitions #70065. An additional message will be sent approximately 30 minutes before the LiveUpdate virus definitions are available for download.

Symantec Antivirus (SAV) is detecting a component of Spybot Search and Destroy as a Trojan Horse. This detection seems to have occurred in the latest AV definition updates (5/30). The file is blindman.exe.

According to the Safer Networking site, this file does nothing. It is used to prevent boot delay caused by their method of disabling unwanted autorun items.

**update** - Symantec has announced that they will be releasing an update to fix this false positive this evening. It's already available in Rapid Release if you need that now.

BBB Virus

| No Comments | No TrackBacks

The antivirus gateway detected an interesting email this evening.

Envelope From: nobody@[edited]
From: cmplntscentercase[at]bbb.org
Originating IP 207.210.105.78 which is an IP address in Canada according to ARIN.
Subject: Complaint Case Number: 363619942 Joe User
(It contained the name of the recipient.)
File: embedded inside the attachment complaint.doc is an exe named 'MicrosoftWordhasencounteredaproblemandthedocumentwasnotfullyloaded.Pleasedouble-clickontheicontoreloadmsword.exe'

There were multiple detections on this file:
W32/Heur-Dropper.gen.a-5e19-3e29
W32/Generic
Exploit/RTFEmbeddedExe

This email is similar to http://orwwa.bbb.org/release.html?value=61 from earlier this year. In that instance the users were tricked into clicking on a malicious link rather than conned into opening a viral attachment. According to this SANS diary entry, the link was to an EXE inside of an RTF document. So while the style of attack isn't new, this email could indicate a new spam run of this virus.

Here's a Sunbelt blog entry on the same virus. In that blog entry Alex Eckelberry reports that the file downloads more malware, tightvnc and winrar. He also has the body of the message, which confirms my suspicion, based on the message subject, that this is highly targeted.

AV-Test Bakeoff

| No Comments | No TrackBacks

PC Mag has an article with the results of the latest av-test.org Antivirus bakeoff.

I'm kind of surprised Symantec did so well. It seems like just a few years ago they were days behind other vendors in releasing updates. They even beat McAfee, who only had an 87.28% detection rate.

Delf.aki

| No Comments | No TrackBacks

The HTTP gateway detected the Delf.aki virus in a file profilewatcher_setup.exe which one of my users tried to download. Just for kicks I uploaded it to the virustotal site and here's the result.

File size: 985897 bytes
MD5: 837c3036adf45c11a45c8a2f356c060e
SHA1: ef7311d94a80962d886befefb6bc08f03941f3e4
packers: BINARYRES

Antivirus Version Update Result
AhnLab-V3 2007.5.21.1 05.22.2007 no virus found
AntiVir 7.4.0.27 05.22.2007 DR/Delf.aki
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.22.2007 no virus found
AVG 7.5.0.467 05.22.2007 no virus found
BitDefender 7.2 05.23.2007 no virus found
CAT-QuickHeal 9.00 05.22.2007 no virus found
ClamAV devel-20070416 05.23.2007 no virus found
DrWeb 4.33 05.22.2007 no virus found
eSafe 7.0.15.0 05.21.2007 Win32.Delf.aki
eTrust-Vet 30.7.3654 05.23.2007 no virus found
Ewido 4.0 05.22.2007 no virus found
FileAdvisor 1 05.23.2007 no virus found
Fortinet 2.85.0.0 05.22.2007 W32/Delf.AKI!tr.bdr
F-Prot 4.3.2.48 05.22.2007 no virus found
F-Secure 6.70.13030.0 05.23.2007 Backdoor.Win32.Delf.aki
Ikarus T3.1.1.8 05.22.2007 Backdoor.Win32.Delf.aki
Kaspersky 4.0.2.24 05.23.2007 Backdoor.Win32.Delf.aki
McAfee 5036 05.22.2007 no virus found
Microsoft 1.2503 05.22.2007 no virus found
NOD32v2 2285 05.22.2007 no virus found
Norman 5.80.02 05.22.2007 no virus found
Panda 9.0.0.4 05.22.2007 no virus found
Prevx1 V2 05.23.2007 no virus found
Sophos 4.17.0 05.21.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.23.2007 no virus found
TheHacker 6.1.6.120 05.21.2007 no virus found
VBA32 3.12.0 05.22.2007 Backdoor.Win32.Delf.aki
VirusBuster 4.3.23:9 05.22.2007 no virus found
Webwasher-Gateway 6.0.1 05.22.2007 Trojan.Delf.aki

As Steve Spurrier would say while coaching the Redskins, "6 and 10, not too good." Virustotal will pass on this file to the vendors who didn't detect it and they'll "coach 'em up."

A posting on the MyITForum.com SMS discussion list reports that Symantec Antivirus 10.x and above may include a capicom.dll.

MS07-028 says that third party applications that distribute the Software Development Kit version of capicom will need to be updated.

It is not known yet whether we can just replace the vulnerable version of capicom ourselves, or if we need to wait for a SAV update. If it's the latter, can this be a LiveUpdate fix or will an MSP be issued?

Regular readers of my blog know that one of my many duties at work is to administrate what was once known as IMLogic (now known as Symantec IM Manager). I've complained loudly and frequently here ever since Symantec bought IMLogic. This post is more of the same. ;)

IMLogic would keep me up to date about new releases. Symantec released version 8.2 without letting me know.

IMLogic worked hard to stay on top of new developments in the IM industry and let me know what actions I should take. Yahoo announced their web IM a few days ago. I still haven't heard from Symantec about the best way to make sure that Yahoo Web IM is either blocked or monitored.

When Symantec bought IMLogic and Microsoft bought Sybari, I predicted that the Sybari - IMLogic integration was not long for this world. As I read the Symantec IMManager release notes for version 8.2, I see that Antigen for IM is no longer integrated. Here's a support article about that.

Fortunately, it seems this version doesn't have a lot new that I care about.

Real-time Enterprise Vault export capability
Groups and Group policies based on IP address ranges
File transfer control by type
Internationalization And Localization Changes
VMWare Support
Oracle 10g Support

Unfortunately, 8.1, the version I'm using, is EoL in the fall.

New AVComparatives Report

| No Comments | No TrackBacks

AVComparatives.org has a new report comparing malware testing organizations. Based on the subject "Anti-Virus Testing Websites: An Overview on Which Testing Sites can be trusted and which cannot" I was kind of expecting a comparison of the various online scanners. Instead I'm greeted by a paper with some of their testing philosophy and why they are better than everyone else.

It didn't do much for me, but I'd still suggest adding their RSS feed to your reader so you can keep up on their new studies.

I'm seeing email detected and stopped by my AV.

Subjects:
Worm Activity Detected!
Worm Alert!
Virus Detected!

The attachment is a password protected zip file. The name isn't coming through cleanly because my vendor replaces special characters with codes I don't understand.
patch=2d3834.zip (2d may be code for "-" and then I think there are four random numbers in the file name).

update - SANS now has a blog entry on this: http://isc.sans.org/diary.html?storyid=2612

More Virus email Spammed

| No Comments | No TrackBacks

At 2:15pm today, I started receiving virus alerts indicating a new virus is being spammed using fake war news to socially engineer the recipient into opening the attachment.

SANS has a post about it here.

Characteristics I've seen:
Subjects:
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III
Missle Strike : The USA kills more than 1000 Iranian citizens
Missle Strike : The USA kills more than 10000 Iranian citizens
Missle Strike : The USA kills more than 20000 Iranian citizens

Attachments:
movie.exe
Read More.exe
video.exe
Read me.exe
news.exe
Click here.exe

If your antivirus is capable, or if you've just blocked executable attachments, this is a non-event for you. Otherwise, warm up your thumb, and keep hitting reload until your antivirus vendor provides an update.
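The "block executable attachments" advice above, together with the earlier post's guess that the gateway's "2d" stands for "-", can be turned into a small gateway-side filter. The following is an added example, not code from this blog or from any gateway vendor. It assumes the gateway escapes special characters in attachment names as quoted-printable "=XX" (in which =2D is "-"), that alerts arrive as (subject, attachment name) pairs, and it uses the subjects and names listed in the two posts plus constructed sample records.

```python
"""Flag gateway attachment alerts for the executable-attachment spam runs.

Added example, not code from the original posts. Assumption: the gateway
writes special characters in attachment names as quoted-printable '=XX';
the alert records below are constructed.
"""
import os
import re
import quopri
from typing import Dict, List, Tuple

# Subjects quoted in the two posts above.
SPAM_SUBJECTS = {
    "Worm Activity Detected!", "Worm Alert!", "Virus Detected!",
    "Israel Just Have Started World War III",
    "USA Just Have Started World War III",
    "Iran Just Have Started World War III",
    "Missle Strike : The USA kills more than 1000 Iranian citizens",
    "Missle Strike : The USA kills more than 10000 Iranian citizens",
    "Missle Strike : The USA kills more than 20000 Iranian citizens",
}
# Extensions Windows runs on double-click; a gateway policy blocks these outright.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# The password-protected archive name guessed in the first post: patch-NNNN.zip.
PATCH_ARCHIVE = re.compile(r"^patch-\d{4}\.zip$", re.IGNORECASE)


def decode_gateway_name(name: str) -> str:
    """Undo the gateway's '=XX' escaping: 'patch=2d3834.zip' -> 'patch-3834.zip'."""
    return quopri.decodestring(name.encode("ascii")).decode("latin-1")


def classify(subject: str, attachment: str) -> Dict[str, object]:
    """Decide whether one alert record matches the spam runs, and say why."""
    name = decode_gateway_name(attachment)
    ext = os.path.splitext(name)[1].lower()  # last extension: message.dat.cmd -> .cmd
    reasons: List[str] = []
    if subject in SPAM_SUBJECTS:
        reasons.append("known spam-run subject")
    if ext in EXECUTABLE_EXT:
        reasons.append("executable attachment")
    if PATCH_ARCHIVE.match(name):
        reasons.append("patch-NNNN archive (password-protected zip cannot be scanned)")
    return {"subject": subject, "attachment": name,
            "block": bool(reasons), "reasons": reasons}


# Constructed sample alerts: three from the runs above, one benign.
SAMPLE_ALERTS: List[Tuple[str, str]] = [
    ("Worm Alert!", "patch=2d3834.zip"),
    ("USA Just Have Started World War III", "Read More.exe"),
    ("Happy New Year!", "message.dat.cmd"),
    ("Quarterly report", "q3=2dreport.pdf"),
]


def blocked(alerts: List[Tuple[str, str]]) -> List[str]:
    """Decoded names of the attachments the policy would block, in order."""
    return [r["attachment"] for r in (classify(s, a) for s, a in alerts) if r["block"]]


if __name__ == "__main__":
    for subj, att in SAMPLE_ALERTS:
        print(classify(subj, att))
```

The check keys on the last extension only, so a double-extension name such as message.dat.cmd is still caught; the archive rule exists because a password-protected zip gives the scanner nothing to inspect, so the name pattern is the only signal left.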

I was really impressed by the RFP George Washington University put together for their Encryption project. It was made available at the SANS Desktop and Storage Encryption Summit that I attended a few months back.

I decided to sit down and try to hammer out a list of requirements for some upcoming projects. I would like to replace the corporate antivirus that we currently use on our desktops and servers. I've been kind of impressed with what McAfee has done. Many companies left them for Symantec at the turn of the millennium. McAfee was too difficult to update, and had a reputation for bogging the systems down. Now McAfee has a reputation for being easy to manage through ePolicy Orchestrator and many companies have tired of Symantec's lack of support, virus definition corruption problems and confusing update structure.


Certainly reputation is important. Experiences from someone you trust can go a lot further than a 30 day eval in a lab. The problem is that the people I know using McAfee have really drunk the koolaid. They're like a Mac user. They can only bash the competition; they apparently have nothing but positive experiences to report. It makes me question whether they can be trusted to provide a true evaluation of McAfee.

Actually detecting and cleaning is important. But how to select which vendor is good at it? I read an interesting NIST article on that from 1996. Rather than evaluating vendors on the basis of some virus zoo, I think a better evaluation is to 1) measure their response time when a new variant comes out, and 2) measure how they perform when signatures aren't available and all that is left is heuristics and behavior profiling.

The ability to control which PUPs (potentially unwanted programs) are detected and what occurs. I am sick of getting alerts about Netcat. I don't have a problem with it being in my environment. But because Symantec made an error in the version I'm running, I can't completely exclude it from detection.

It is just so easy to make the evaluation points all of the things you hate about the current product, rather than brainstorming a full list of requirements.

Currently we have a lot of systems having issues with corrupt virus definitions. Gartner reports that McAfee has the same problems. How do I know if that's a real issue? Is it better or worse than my Symantec problems?

Symantec IM Manager Upgrade

| No Comments | No TrackBacks

This afternoon I upgraded Symantec IM Manager from 8.0.12 to 8.1.4. I needed to upgrade to allow the new Live Messenger 8.1 client to work. IM Manager 8.1 is a different code branch than 8.0, but I wanted to see what was new in it as long as I was upgrading.

As I installed I noticed that it was adding .Net 2 to the server. After the install, I ran a Microsoft Update, and sure enough, Symantec installed .Net 2 without the latest security patches.

8.1 has a different web design than 8.0. I kind of like it. While browsing through the options, I notice that LiveUpdate is one of the listed update methods. The IM Manager updates are still separate. They have embedded the Symantec scan engine into the product, so if you enable it (enabled by default on new installs) it will use Symantec AV to scan file transfers. I currently use Microsoft Antigen for this purpose. Because we don't have a lot of file transfers via IM, I may save some money at renewal time by ditching Microsoft Antigen.

Windows Vista is available for purchase through retail channels beginning January 30th. It's times like this that make me wonder, "where is my serial number for Symantec 10.2?" To my knowledge, I haven't been sent a serial number by Symantec. As a result I don't think I can download SAV 10.2, which is the version you need to use with Vista.

This is the Tao of Symantec. One serial number for 10.0, another for 10.1 and another for 10.2. God forbid you want to use the latest release and you're not a platinum customer. I've just about had it.

To deploy 10.2 clients, I'm going to have to upgrade my parent server first. It is not good SAV mojo to have the server be a lower version than any of the clients.

With the release of Vista, I think the pressure for us to provide SAV for Vista clients will grow. It started with the volume licensing release of Vista, and grew from there. I don't know how I'm going to find time to work with SAV 10.2 unless I come in on the weekend and do it. That assumes I'll have found a working serial number.

Miles to go before I sleep, Miles to go before I sleep.

Just Don't Call Symantec

| No Comments | No TrackBacks

My manager asked if we had any news on when Symantec IM Manager (formerly IMLogic) will support AIM 6 and Triton. It's been over two months since Symantec sent out a notice saying that AIM 6 will not work when IM Manager is used. It's been over four months since the customer advisory that AOL Triton 1.3 and 1.5 will not work.

When you invest in a vendor (such as Akonix, Facetime or Symantec) you are betting that they will continue to develop the product. There are always new client versions, and if the vendor doesn't move to support them, your users will be left in the IM stone age.

My call to support to ask about their progress in supporting these products did not begin well. After waiting on hold for 15 minutes, I spoke to the person who collects the info necessary to route the call. My call was then answered by the technical guy, who said "hello." What the hell is that? Who am I talking to? It sounds like I was routed to the janitor's closet. Next he asks me for my case number. Shouldn't he already have that in front of him? So I ask my question: when will AIM 6 be supported by IM Manager? His response? "What's that?" Well, that instills confidence that this call will go well. So I tell him that AIM 6 is not supported and does not work with current versions of IM Manager; I have checked the knowledge base and already read the article on what is supported. What I want to know is whether they are working on it, and what the timetable is. His response? He tries to read the KB article about supported clients to me.

I then tried to call Symantec customer service both to comment on this idiot and to try to get the answer. Unfortunately customer service has a hold time of 45 minutes thanks to the "new" licensing process. The licensing process is not new, I fought with that abomination in November and December.

Symantec has done as I predicted. They have bought and ruined yet another good product.

More Stormwatch

| No Comments | No TrackBacks

F-Secure has a blog entry on the latest virus variants from the stormwatch virus.

Subjects:
So Unique
Feeling Horny?
Full Heart
Sending Kiss
Just You
Heart of Mine
I Love You Soo Much
[events]Our Wedding Day
Love at first sight
Dream Date Coupon
Back Together

Attachments:
flash postcard.exe
postcard.exe
greeting postcard.exe
Greeting Card.exe

Those are just some of the ones I have seen.

Email Malware

| No Comments | No TrackBacks

I'm seeing some interesting things in email this weekend. The first is some email detected as "Exploit/Mime-boundary-quote". MIME boundary issues may be exploited so that an SMTP gateway email scanner will not detect a virus, but Outlook will be able to interpret the MIME as an attachment. Well, it's not getting by our scanner.

The second thing I'm seeing is more Stration virus variants being spammed out. As you'll recall, Stration is most often characterized as having an attachment named postcard.exe. I'm also seeing an attachment message.dat.cmd. At the time we received the new Stration it was detected heuristically. The signatures weren't yet available.

F-Secure: postcard.exe spam run

| No Comments | No TrackBacks

F-Secure blogged this morning about a large scale spam run underway sending messages with the attachment postcard.exe and the subject "Happy New Year!"

I saw that at my site last night. Actually, I probably wouldn't have even noticed all those detections, but I reenabled the filters on my blackberry so it doesn't get filled up with all the phishing detection notifications.

eEye: Big Yellow Worm Alert

| No Comments | No TrackBacks

eEye has sent out an email alert about a new worm they are calling Big Yellow attacking systems running versions of Symantec Antivirus and Symantec Client Security.

This is the same vulnerability that was patched by Symantec in June 2006. There were previous reports of exploitation on EDU networks back in November. But according to eEye it is starting to gain some traction.

Check if you're running a vulnerable version of SAV 10 or 10.1 here. And as always practice defense in depth by running a personal firewall, particularly when not on a private network.

On the heels of resolving the Bloodhound.Exploit.104 virus alert last night, I was greeted with a Bloodhound.Exploit.106 alert this morning. When our file server was indexed by Sharepoint, the antivirus on the file server quarantined a Word document. I believe this detection is a false positive.

Bloodhound.Exploit.106 is a heuristic detection for an Unspecified Vulnerability in Microsoft Word (as described in Microsoft Security Advisory 929433).

The URL I have used in the past to submit files no longer seems to be available. So I enabled the quarantine option to submit the file to Symantec. It was the first time I've used that method of submission. They say the reply time to reporting this false positive is two days. I hope it doesn't take that long.

Bloodhound.Exploit.104

| 2 Comments | No TrackBacks

This evening I received several virus alerts from a computer indicating a Bloodhound.Exploit.104 infection in a file in the temporary internet files folder. The filename ended in "videojs.js".

Bloodhound is Symantec Antivirus's attempt at a heuristic detection. The writeup at the Symantec website indicates that Bloodhound.Exploit.104 is a heuristic detection for Microsoft Internet Explorer DHTML Node Normalize Vulnerability (as described in Microsoft Security Bulletin MS06-072).

A quick Google revealed that videojs.js is a JavaScript file used on the website video.google.com. A visit to that website, and soon I too had Symantec detecting Bloodhound.Exploit.104 (and the video would not load). I am using the 12/12 rev 19 virus definitions.

I looked at www.symantec.com/avcenter and found that there is a newer virus definition available. I used liveupdate to update to 12/12 rev 51. This seems to have solved the problem.

The SANS Internet Storm Center is reporting exploitation attempts against unpatched versions of Symantec Antivirus 10 and Symantec Client Security 3.

The vulnerability first announced in May (with patches trickling out over the next month) allows remote code execution on a computer via Symantec's remote management port. To reiterate, this vulnerability is exposed remotely only in managed versions of these products.

DShield is showing a remarkable uptick in scans against this service port currently.

To mitigate against this attack, personal firewalls should be blocking access to this port when the computer is on the Internet. When on the corporate network, the Symantec Antivirus management ports should only be accessible by the Symantec parent server.

Of course the best bet is to be patched. The list of vulnerable and patched versions is available in the Symantec writeup.

Waiting on hold for symantec

| No Comments | No TrackBacks

This post is mainly an as-it-happens record of a call to try to get a license file for one of my Symantec products. It's not necessarily going to be funny, interesting or informative. Sort of like the rest of my posts.

Right now I'm waiting on hold for Symantec. It took 20 minutes to get through to someone in customer support. I can't get a license out of their darn licensing website. The customer support guy couldn't do anything but read irrelevant knowledge base articles to me. ("How to download from fileconnect", "How to register at the licensing site"). Hello, are you listening to me?

So this guy decided it would be too much work to actually solve my problem, so he is transferring me to the "licensing specialist." Any bets on whether this will actually be a licensing specialist, or whether he has merely dumped me back into the 20 minute customer support queue in hopes that he won't get my call the second time around?

- 30 minutes in - I'm reminded of the advice in "Internet Help Desk" by Three Dead Trolls in a Baggy, "always put them on hold, it takes the fight out of them".

- 33 minutes in- I'm installing JAVA Runtime Environment 1.4.2-12 so maybe my McAfee for Sharepoint will work.

- 43 minutes in - wow, this is the most eclectic mix of music.

- 53 minutes in - shouldn't have drunk so much Pepsi

- around 65 minutes in - lost the connection.

- Tried to call the number I was given for customer service and it is not valid.

New call to support since it's the only number I have. Vent a bit about my Symantec experience so far today. Guy goes to check on something.

- 10 minutes in on second call -
Guy says I don't need to talk to licensing and the hold time there is one hour right now (would have been nice if the guy on the first call had set that expectation).

I'm being transferred to customer service again. Oh, and apparently the number I have for that is correct; not sure why I got a busy signal then.

- 34 minutes into the second call - the customer service drone could not help me and is transferring me back to licensing. His oh so helpful suggestion is that I call back in the morning when the hold times are less. Quote of the call: "You're from Virginia, where is that?"

- around 90 minutes into the second call, I got licensing, and we stepped through the website. We found that it had actually imported the newer certificate even though it didn't display on the website. There was an advanced search that I hadn't tried that turned it up. Once I did that there was an option to register the serial number. That's kind of odd, because that is what I thought I was doing when I imported the serial number into the website.

They've made a complicated mess of licensing that is causing a lot of problems. I'd say of the people I talked to today, two cared about solving the problem and reducing frustration. The rest of them couldn't be bothered.

Form Spy Spam Run

| No Comments | No TrackBacks

This evening at work someone is attempting to spam us with email containing an emule.exe attachment. It's getting detected as FormSpy by Message Labs.

According to the McAfee blog, previous versions of FormSpy have "hooked mouse and keyboard events in the Mozilla Firefox web browser. It can then forward information such as credit card numbers, passwords and URLs typed in the browser to a malicious website."

IM Manager Day

| No Comments | No TrackBacks

Today Symantec IM Manager (formerly IMLogic IM Manager) took far more of my time than I really planned. Last night I got approval to block AIM 6 users until IM Manager supports that version. The method provided by support was to redirect or block a specific host name. The problem, which I discovered later, is that the host name is also used by AIM Triton. So redirecting that host name broke AIM Triton, which had been working for months. I really don't see a way to block AIM 6 without taking out Triton as well. It would be easier to deal with this if I were sure Triton 1.3 and 1.5 had been successfully filtered by IM Manager before. If they were bypassing the IM Manager protection for the past few months, I don't feel bad about blocking them now.

So that was my morning. After a series of afternoon meetings, I found that I'd received the IM Manager renewal license certificate in the mail. Unfortunately, Symantec has changed how you download license files and I haven't figured out how to do that yet. I also notice that the serial number gives me access to the 8.0.x version of the product rather than the newer 8.1. What's the deal with that?

fixing title, doh!

Symantec Virus Defs.

| 3 Comments | No TrackBacks

Symantec has had a problem with virus definition corruption in the past few versions. I must say the way it fails in version 10.0.2 is rather annoying. In versions 8 and 9 it would fail by having the service stop and it would no longer contact the parent server. So you would have to audit for missing machines in the SSC or use a product like SMS to look for systems with stopped Symantec Antivirus services. There is also an application log event indicating virus definition corruption.

In 10.0.2, the client still reports into the SSC, but it often does not list a scan engine number, and the definition number does not update. This is better because you can look for systems that are online with out of date definitions or a blank scan engine number.

The part I find a problem is that in the application log of the afflicted computer, it says "virus definitions are current." There is no indication to the user that their SAV is broken. When you look at c:\program files\common files\Symantec shared\virus defs, I am seeing virus defs from a couple of days ago even though the SSC is reporting one of the older defs being in force.

So how do I fix it when I get into this situation? I've heard of some people at other companies who would replace the contents of c:\program files\common files\symantec shared\virusdefs\ and c:\documents and settings\all users\application data\symantec\... I guess I'm a bit scared to do that. I wonder if I have to match OS version. Do I have to match SAV versions? Writing scripts saves time in the long run; unfortunately you have to make time now to get it right. I just don't have that time. So I do things the manual way.

The Manual Way
In c:\program files\common files\symantec shared\virusdefs:
1. Delete the most recent folder containing a virus def. In this case it's 20061025.039.
2. Edit definfo.dat to match the remaining virus defs. In this case CurDefs changes to 20061024.020 and LastDefs changes to 20060930.002.
3. Edit usage.dat. There should be one "date" indication followed by a list of sav components. In my case I see:

[20060930.002]
navcorp_70=1
navcorp_70_2=1
[20061025039]
defwatch_10=1

This is wrong; there should be only one date. Remove [20061025.039] and change the "date" at the top to match your most recent virus defs. In this case it's 20061024.020. I suspect my problems are caused by upgrades leaving both navcorp_70 and navcorp_70_2 in there, but I'm not sure about that.
4. Symantec says to check the incoming folder, that has rarely had anything in it. It should be empty.
5. If you see any folders ending in .tmp delete them.

Next go to c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\. I remove all the files in this directory (not the folders). I then remove all the folders in the i2_ldvp.vdb folder.

Stop and then start the Symantec service. If everything is happy it should create a new folder with today's defs in the virusdefs directory (assuming you are on a corporate network getting updates through VDTM); otherwise run LiveUpdate.
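The bookkeeping in steps 2 and 3 is easy to get wrong by hand, so here is a small script that works out the corrected definfo.dat and usage.dat for you. It is an added example written for this page, not Symantec's tooling and not code from the original post. It assumes definition folders are named YYYYMMDD.NNN, that usage.dat is a single [date] header followed by component=1 lines, and that definfo.dat carries CurDefs= and LastDefs= lines (the [DefDates] header in the constructed sample is an assumption). The sample inputs are constructed from the listing above. It only prints what it would change; writing the files, the cleanup of the second directory and the service restart are left to you.

```python
"""Dry-run repair of the SAV virus-definition bookkeeping files (added example)."""
import os
import re
import sys

DEF_NAME = re.compile(r"^\d{8}\.\d{3}$")   # assumed folder/header shape, e.g. 20061024.020

# Constructed samples modelled on the listing in the post (note the header
# missing its dot); not copied from a real machine. [DefDates] is an assumption.
SAMPLE_FOLDERS = ["20060930.002", "20061024.020", "20061025.039",
                  "incoming", "BinHub", "tmp12ab.tmp"]
SAMPLE_USAGE = "[20060930.002]\nnavcorp_70=1\nnavcorp_70_2=1\n[20061025039]\ndefwatch_10=1\n"
SAMPLE_DEFINFO = "[DefDates]\nCurDefs=20061025.039\nLastDefs=20061024.020\n"


def def_folders(names):
    """Definition folders only, oldest to newest (the name sorts chronologically);
    'incoming', '*.tmp' and anything else are ignored."""
    return sorted(n for n in names if DEF_NAME.match(n))


def plan_defs(names):
    """Steps 1 and 2: (folder_to_delete, new CurDefs, new LastDefs). The newest
    folder is the suspect one; CurDefs becomes the newest survivor and LastDefs
    the one before it (falls back to CurDefs if only one survives: assumption)."""
    folders = def_folders(names)
    if len(folders) < 2:
        raise ValueError("need at least two definition folders to roll back")
    keep = folders[:-1]
    lastdefs = keep[-2] if len(keep) > 1 else keep[-1]
    return folders[-1], keep[-1], lastdefs


def parse_usage(text):
    """usage.dat as {header: [component lines]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("component line before any [date] header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def usage_problems(text):
    """Why usage.dat breaks the rule in step 3: exactly one well-formed header."""
    sections = parse_usage(text)
    problems = []
    if len(sections) != 1:
        problems.append("%d date headers, expected exactly 1" % len(sections))
    problems += ["malformed header [%s]" % h for h in sections if not DEF_NAME.match(h)]
    return problems


def rebuild_usage(text, curdefs):
    """Step 3: collapse to one [curdefs] section. Every component line is kept
    once, in first-seen order; the post does not say to drop any of them."""
    components = []
    for lines in parse_usage(text).values():
        for line in lines:
            if line not in components:
                components.append(line)
    return "[%s]\n%s\n" % (curdefs, "\n".join(components))


def rebuild_definfo(text, curdefs, lastdefs):
    """Step 2: rewrite only the CurDefs/LastDefs lines; the rest passes through."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if key == "curdefs":
            line = "CurDefs=" + curdefs
        elif key == "lastdefs":
            line = "LastDefs=" + lastdefs
        out.append(line)
    return "\n".join(out) + "\n"


def dry_run(virusdefs_dir):
    """Report the changes for a real virusdefs directory without touching it."""
    names = os.listdir(virusdefs_dir)
    doomed, cur, last = plan_defs(names)
    print("delete folder:", doomed)
    for n in names:
        if n.lower().endswith(".tmp"):
            print("delete leftover:", n)            # step 5
    with open(os.path.join(virusdefs_dir, "usage.dat")) as f:
        usage = f.read()
    print("usage.dat problems:", usage_problems(usage) or "none")
    print("new usage.dat:\n" + rebuild_usage(usage, cur))
    with open(os.path.join(virusdefs_dir, "definfo.dat")) as f:
        print("new definfo.dat:\n" + rebuild_definfo(f.read(), cur, last))


if __name__ == "__main__":
    dry_run(sys.argv[1] if len(sys.argv) > 1 else
            r"C:\Program Files\Common Files\Symantec Shared\VirusDefs")
```

Run it with the virusdefs path as the only argument (the default path is the one from the post) and compare its output with what you would have typed; on the constructed sample it flags two problems in usage.dat (two headers, one of them without the dot) and produces a single [20061024.020] section.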

This rant seems to have turned into a knowledge base article. Keep in mind that symantec.com/techsupp is a much better place to get symantec help. I'm just rattling off some thoughts.


This is rather weird, every system has the 20061024.020 and the 20061025.039 defs in the folder but report in a previous def version. How very odd.

Sending a Link

| No Comments | No TrackBacks

Tonight I'm working on a brief article for our I.T. Department's newsletter that is distributed to the company.

I'd noticed that some outbound email was being detected as a virus when people copied a webpage into an email and sent it. All that Javascript made the scanner unhappy. I think the rotating banner ad was also a problem because the email was then different each time it was loaded.

So the article was pointing out how to avoid the problem. The Exchange administrator advised the best way is to just send a link rather than the entire article. That reminded me that some infosec people don't believe in sending links. Rather you're supposed to just tell the recipient to go to site X and enter a search term.

I can see this now. "Go to www.fnord.ch and search on Bin Laden. You know this is not a virus because I'm making you type in the link and do a search yourself." Where's the protection there? Of course if it's "Go to the BBC site and search on Bin Laden" then it's safer. It's safer because people are too lazy to do that much work unless nudity is promised. :)

Security through unusability may be acceptable to some, but it's not to me.

Symantec wrote about the threat of EFS being used to hide viruses from administrator accounts and system.

Of course if you don't run as administrator, the virus wouldn't (as easily) get the chance to create a new administrative user and use that account to encrypt itself. Another suggested best practice when Windows 2000 first came out was that if you aren't using EFS, then disable it. If either of these practices were followed, this wouldn't be a problem.

McAfee wrote about this problem 6 weeks ago.

There is a virus family now that uses this technique.

Mondaq.com has an article on the Scansafe v. MessageLabs lawsuit. The website requires free registration.

MessageLabs was under an agreement to rebrand Scansafe's HTTP security as their own. After about a year of that, MessageLabs decided to take it in house, giving two months notice.

I've had great fun in my HTTP Security project as I've dealt with both vendors, and am fully aware of the back story. I would guess that the vast majority of MessageLabs customers have never heard of Scansafe.

Scansafe sued, alleging the contract requires more than two months' notice, and also that MessageLabs, in creating their in-house version, is living off the ScanSafe good name.

I agree with the Judge in this case. It's kind of hard to be accused of misappropriating someone else's goodwill when you are licensing their software to use under your own name. You are authorized to appropriate the goodness of their software as your own. The problem comes in with the implication created by calling the new in-house version "version 2.0." They say that implies it's based on the original software.

So now MessageLabs is required to tell prospective customers that the Web Security is not based on Scansafe. Apparently they are free to then tell the users horror stories about Scansafe's product and why MessageLabs had to bring it in house to do it right.

Apple Rant

| No Comments | No TrackBacks

Apple somehow manages to blame Microsoft when Apple ships a virus preloaded on some iPods. Gee, I thought Apple was super secure and didn't need any of that fancy stuff like antivirus. Most companies have learned that scanning for viruses before shipping is part of quality control.

I expect that soon User Friendly will have a comic strip showing how the Microsoft blackops team planted this virus on the iPods.

Here's F-Secure's take.

I've been beating this drum for years.

Joris Evers wrote at news.com yesterday about the problem of targeted virus attacks. The headline calls it the future of malware.

One of the interesting things he notes in the article is that targeted attacks are using exploits in commonly used programs. So if the bad guy has a previously unknown zero day in Microsoft Office, it will get past a virus scanner and it will get past primitive file extension blocks.

The number of zero-day attacks isn't limitless (it only seems that way). So the attacks would tend to be used against high value targets.

There was another article this week, that suggested its hard to get the antivirus vendors to even write a signature when one company suffers a targeted attack.

As I see it, the solution is the same as before: limit administrator rights, use HIPS, and use heuristics/sandboxing where possible.

John McDonald writes in the Symantec Security Response Weblog regarding the importance of updating virus definitions.

Yes, updating virus definitions frequently is important. Why then does Symantec only supply a liveupdate once per week to people still running version 8 and 9? Why does Symantec only update the Intelligent Update once per day? Why do I have to use XDBDown to be able to check hourly for the latest updates? Why does Symantec discourage the use of the Rapid Release definitions? Why does Symantec often rate poorly when comparing vendors update speed when new viruses come out?

The author reports that, "Among the home users surveyed, just 46.3 percent said their antivirus software is up to date." Is this an indictment of the usability and effectiveness of their antivirus software? Shouldn't the vendor work to make the software stay up to date on its own, not break, self-heal where possible, and lastly inform the user if they need to take action to make it work again?

His defense of virus definitions is kind of weak in my opinion. The author states that with the exception of SQL Slammer, most viruses start out slow, and you are protected if you download the virus definitions before it reaches you. This reminds me of the fire department. They aren't there to prevent you from ever having a fire, they are there to prevent it from destroying your whole neighborhood. Frankly, I'd rather not have the fire in the first place. In this age of targeted attacks, motivated by money and backed by criminal concerns, I am not willing for my company to be the victim that allows everyone else to stay safe.

I'm rather disappointed with his stance against heuristics. I think it is working rather well for McAfee thus far. In this age of zero day attacks, we aren't going to turn to third party patches, and antivirus can not always protect us. We need to consider adding HIPS to the corporate desktop protection suite.

New Viruses in Email

| No Comments | No TrackBacks

I'm seeing some viruses detected this evening with generic names.

Subject: hello
Subject: Mail Delivery System
File:document.msg.exe
Subject: Fwd: ls878grz.dallas.net mail server report.
Subject: mail server report
File: Update=2DKB3500=2Dx86.exe
body.elm.scr
Virus: New Malware.n

Subject: Error
File: body.msg.pif
Virus: New Malware.j

Here's an Australian IT interview with Message Labs executive Adrian Chamberlian.

Sure it's a bit of marketing material, but I find it interesting.

Imagine a world in which terrorists target government websites with millions of spam emails.

Or a world in which viruses take over your computer, turn it into a zombie, and use it to send out more spam.

It's called reality, and it's going to get worse.

The popularity of mobile phones means text spam will increase, mobile phone viruses will go from concept to reality, and voice spam -- automated calls that bombard you day and night -- will become common as marketers take advantage of cheap VoIP calls.

They expect to see more companies turning to managed services such as what they provide. Actually that worries me a bit. If they are protecting too many desirable targets the bad guys might focus on them and how to penetrate the ML defenses.

W32/Stration

| 1 Comment | No TrackBacks

I noticed that a few copies of W32.Stration were detected in the inbound email today. It's a nice break from all the phishing and Mytob.

It seems like someone decided that Symantec is no longer a favored company. I think it started last year when support hold times were up over an hour. Whatever the cause, SAV admins are looking for any opportunity to complain. SAV updates the product, complain. SAV doesn't update the product, complain. SAV doesn't provide updates in the method you'd like, complain.

Which leads us into today's item. An admin from the University of Richmond would like the ability to push out SAV updates via the Symantec System Center. Does he enter a feature request? No! He posts to the Full Disclosure mailing list as if this were some sort of discovered exploit.

Symantec does need to take a look at distribution systems such as those used by McAfee ePolicy Orchestrator or Webroot SpySweeper Enterprise. But ultimately, this is an enterprise product, and enterprises invest in products such as SMS to perform software rollouts.

Consumer Reports reviews antivirus products in its September 2006 edition. Most of the article requires a subscription, as a result I have not had a chance to look at it yet.

McAfee responds in their weblog. The author "Igor" obviously has no clue who Consumer Reports is. As a result, he is confused by the September 2006 date. Since the material is undoubtedly part of the September 2006 edition of the magazine, that is the correct way to date the article on their website as well.

Igor gets his nose out of joint because CR used a live fire test, creating new viruses in the lab. Igor prefers tests where three month old virus definitions are used so any virus that came out after that can be tested as a "new" virus.

Complaining about that reminds me of when a vendor complains about the method of disclosure to distract from the vulnerability in their product. (although there is actual damage from full disclosure and no damage from this private lab test). Igor needs to get over it. Signature based detection is dead, and antivirus products will be judged by their heuristic and behavioral protections. That said, CR needs to look into the standard virus testing methodology. They are unaware of the testing performed by av-comparatives for example. These types of tests are not as new as CR imagines.

http://www.avertlabs.com/research/blog/?p=71

Symantec IMManager 8.0.5

| No Comments | No TrackBacks

Symantec IMManager 8.0.5 is out with release notes located here.

This release includes support for Yahoo Messenger 8.

Symantec IMManager (IMLogic) support slipped further this month. They implemented further changes to integrate the IMLogic purchase with their existing support framework.

The knowledge base was integrated into Symantec's existing knowledge base. Before it was possible to sort the responses by relevancy, date modified, and by how many customers used an answer. It was also easier to restrict the search results by version and product.

It is no longer possible to enter tickets via email.

Creating a ticket online has migrated to a new system, and I have not been provided with a password.

Calling support is now as annoying for IMLogic as it is for the antivirus product.

It was easy to communicate with IMLogic. I am afraid that this has been lost in the Symantec purchase.

"Symantec Security Response will post LiveUpdate virus definitions today, August 3, 2006 to address an Adware.VirtualBouncer false positive detection on pskill.exe from Sysinternals."

Looks like Message Labs has gotten themselves into a legal entanglement with web scanning provider ScanSafe.

As I've posted earlier, Message Labs was reselling ScanSafe's web security product. This spring I received a notice that Message Labs' web security version 2.0 was available and it was now integrating Message Labs' proprietary Skeptic antivirus software. In my opinion Skeptic is the most successful antivirus heuristic available and I wanted to see how that did with web scanning. ScanSafe has their own unnamed zero-day antivirus protection (I always kind of thought they had licensed Skeptic, but who knows).

A Judge has ruled that Message Labs calling their service "2.0" would cause customers to think they were still reselling Scansafe. ML will be required to disclose this change to all current and future web protection customers.

I had suspected Message Labs may have dropped Scan Safe and brought everything in house, but I wasn't sure. In the defense of Message Labs only people like myself who read press releases ever knew about the name Scan Safe. No one at Message Labs used that company name with me until I brought it up.

I was having problems sending email through my ISP earlier this week. The error message I was receiving from Outlook Express was

Your server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Account: mail.example.com, Server:
'smtp.example.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes,
Error Number: 0x800CCC0F

This mail account requires username and password in order to send mail. To protect against sniffing, I prefer to encrypt my authentication traffic in IMAP and SMTP. To narrow down the issue, I disabled SSL and found that I was able to send email successfully. Next I attempted to send a message with SSL while connected to a different network. This time I got a different error with a link to a Symantec Knowledgebase article.
"An encrypted email connection has been detected. Please see help for more information on how to transmit encrypted email."

It turns out, that Symantec says:

If your Internet service provider uses the SSL in email protocol, you might have problems sending email messages. In this case, you might need to disable Symantec AntiVirus email scanning.

In order to be able to send email and use SMTP over SSL, I had to disable the Internet Email scanning within Symantec AntiVirus. This is still secure because the file system real-time protection will still scan any file attachment. Message bodies will no longer be scanned, and the message will be scanned at attachment open/save rather than when the email message is opened. For years Symantec didn't even have an Internet Email scanner in their corporate product, so I don't think disabling it is a huge risk.

About a month ago, my manager asked me for some help in interpreting the results from a scan she had run using Foundstone SuperScan. She is in a security course as part of her Master's degree at GW. The scan results strangely showed ports 110 and 25 open. This didn't make any sense to me. These ports shouldn't be open on an end user's desktop or laptop. I used SuperScan on my own desktop and laptop and obtained the same result. I tried to verify the results with Nmap but it kind of bombed out on me. Next, I looked at the most recent STAT results and saw that it too was seeing those ports open. Multiple scanners agreed the ports were open, but I couldn't determine why.

I tried to connect to the ports manually using telnet and netcat but no banner was displayed. It looked to me like I was not able to connect to the port. This remained a mystery unsolved until this week. I was at a HIPS seminar put on by Third Brigade and I read the readme for their product. It reported that Norton AntiVirus will cause 110 and 25 to appear to be open because of the way it proxies those connections so it can scan Internet Email. I can't find confirmation in the Symantec Knowledge Base, but I have found confirmation through a writeup from GFI.

Shouldn't Symantec only be proxying outbound requests? This internet mail scanner plugin is intended to be only on end user computers. By answering requests from external scanners, they are opening the computer to any vulnerability in their SMTP and POP scanning service. Defense in depth would use a personal firewall to block such access.

This SMTP scanner seems to be more trouble than it's worth. We've had issues sending email to some mail servers with it enabled. I'm going to post later about my experience with SMTP over SSL and this scanner. The computer will be protected by the File System Real Time Protection. This Internet Mail protection does little but preserve a clean inbox.
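To tell an open-but-silent port from a real mail daemon, a probe that completes the TCP handshake and then waits for the greeting is enough: SMTP sends "220 ..." and POP3 "+OK ..." before the client says anything, while a scanner that interposes itself on the port accepts the connection and stays quiet, which is exactly the "open port, no banner" result telnet and netcat gave above. The following is an added example, not code from the original post or from Symantec; the loopback listeners it starts are constructed stand-ins for the two behaviours so it runs offline, and it does not probe a real Symantec installation.

```python
"""Classify a TCP port as closed, open-with-banner or open-but-silent (added example)."""
import socket
import threading


def probe(host, port, timeout=2.0):
    """Return (state, banner): 'closed', 'open-silent' or 'open-banner'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "open-silent", b""      # handshake done, nobody greets us
            return ("open-banner", data) if data else ("open-silent", b"")
    except OSError:                            # refused, unreachable, connect timed out
        return "closed", b""


def mail_service(banner):
    """Guess the protocol from the greeting line a real daemon sends first."""
    if banner.startswith(b"220"):
        return "smtp"
    if banner.startswith(b"+OK"):
        return "pop3"
    return "unknown"


def _serve_once(listener, greeting):
    """Accept one client; greet it (or not) and hold the connection until it leaves."""
    conn, _ = listener.accept()
    with conn:
        if greeting is not None:
            conn.sendall(greeting)
        try:
            conn.recv(1)                       # returns once the client closes
        except OSError:
            pass
    listener.close()


def start_fake_listener(greeting):
    """One-shot loopback listener on an ephemeral port; greeting=None models the
    silent proxy. Constructed stand-in, not a real mail server or scanner."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_once, args=(listener, greeting), daemon=True).start()
    return listener.getsockname()[1]


def free_port():
    """A loopback port nothing is listening on, for the 'closed' case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=1.0):
    """Run the four cases against loopback and return {case: (state, service)}."""
    cases = {
        "real smtp": start_fake_listener(b"220 mail.example.com ESMTP\r\n"),
        "real pop3": start_fake_listener(b"+OK POP3 ready\r\n"),
        "silent proxy": start_fake_listener(None),
        "nothing listening": free_port(),
    }
    result = {}
    for name, port in cases.items():
        state, banner = probe("127.0.0.1", port, timeout)
        result[name] = (state, mail_service(banner))
    return result


if __name__ == "__main__":
    for name, (state, svc) in demo().items():
        print("%-18s %-12s %s" % (name, state, svc))
```

Against a real desktop you would call probe() with the host and port instead of demo(), for example probe("192.0.2.10", 25) with a placeholder address; a result of "open-silent" on 25 or 110 from a machine that runs no mail server is the proxy signature, and "open-banner" means something really is serving mail there and deserves a closer look.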

I spent most of my Saturday upgrading Symantec (IMLogic) IMManager. We have two servers running that, one acts as a proxy for public IM traffic and the other looks at LCS traffic. Prior to implementing IMManager we had a track record that once a month a user would get their computer infected through IM and then spread it to their contacts inside and outside the company.

The upgrade process wasn't the smoothest thing I've experienced. I didn't follow their advice to try it in a lab environment first. I felt like it would take me more time to set up the lab environment, and even then it wouldn't prove that I could upgrade production successfully, only that I could upgrade the lab successfully. I decided it would take about the same amount of time to fix whatever problem occurred on the production machine.

I backed up the database to allow for a fall back position, I reviewed the release notes and all available documentation and jumped in. Symantec provides a lot of information in the documentation, the release notes, and in knowledge base articles, so I was able to create a decent upgrade plan.

I received an error on my update indicating "an error has occurred in the installation of the IM Manager. Description: Failed to install the IM protocols engine. Would you like IM Manager setup to continue." There was a support article with a few things to try (missing DLL, Windows Installer not started, and you're just screwed). None of those suggestions were relevant. I'm wondering now if the problem was a failure to stop the upgrade service as they recommended.

To resolve the problem, I had to uninstall by hand. There is a knowledge base article for this, but it's pretty obvious what to do. Delete the install directory. In the registry, remove the uninstall key and the service keys. I then installed 9 from scratch. Since I had a SQL database on another server, the configuration was preserved.

I am still missing support for Yahoo Messenger 8 (they are working on that for a future release), and I had a weird problem where I had to reboot to get the server to listen for AIM traffic, but other than that I'm pretty happy. Hopefully it will continue to work on Monday when the users come back.

IMManager is integrated with Microsoft (Sybari) Antigen for IM to provide antivirus scanning. I upgraded that a minor build number as well. The only new development there is to allow encrypted LCS traffic and also support LCS 2005 sp1.

http://news.zdnet.co.uk/communications/3ggprs/0,39020339,39279551,00.htm

"A spat has erupted between the two security services companies following CA's accusation that antivirus vendor F-Secure was overplaying the threat of mobile malware."

Amazing, I actually agree with CA about something.

ZDNet reports on a security breakfast hosted by email hygiene firm Message Labs. Graham Ingram, General Manager of the Australian CERT, said that the most popular brands of antivirus have an 80% miss rate in cases of new malware.

It's the same thing I've been stating for years. Signature based antivirus will let you down. They are very good at dealing with old viruses, but not so good with the new viruses.

eEye has reported a remote code execution vulnerability in McAfee ePolicy Orchestrator versions prior to 3.5.5.438. This version became available January 2006 but was not marked as a security update.

I tried to download an evaluation copy of McAfee Portalshield for Sharepoint today. After filling out the required contact information and accepting a license agreement, I'm taken to a screen that says

McAfee PortalShield 1.0.1 - 81.47 Mb -
www.mcafee.com1-800-338-8754.

There is no download link on the screen! I called the phone number listed, and they suggest that I check the support knowledgebase on the website, and that there is probably something wrong with my browser.

I've got plenty of choices for a Sharepoint Antivirus vendor. So I'm thinking of just moving on to the next vendor on the list.

A post to the Full Disclosure list reports a local denial of service in McAfee Antivirus Enterprise 8.

http://seclists.org/lists/fulldisclosure/2006/Jul/0157.html
From: John Doe
Date: Sun, 9 Jul 2006 10:53:21 -0700 (PDT)

A local Buffer Overflow was discovered in McAfee VirusScan Enterprise 8.0.0.

The overflow can be triggered within the "Buffer OverFlow Protection Properties" by creating a buffer overflow exclusion. Then fill each field with data, and click ok, and apply

Process name: AAAAAAAAAAAAAAAAA......etc
Module name: AAAAAAAAAAAAAAAAAA......etc
API name: AAAAAAAAAAAAAAAAAAAAA......etc

This will trigger various exceptions based on amount of data added to each field.

This will DoS the AV . McAfee AV will not run correctly again until Buffer Overflow Protection is disabled or the Buffer Overflow Exclusion is removed.

It's become obvious to most that reactive signature based antivirus products are not sufficient to protect computer systems. In Kaspersky's viruslist.com Oleg Gudilin looks at whether proactive protections will be a cure-all for viruses.

The article has a lot of interesting graphs from AV-comparatives.org and av-test.org.

I agree with him that vendors are using terms like proactive and zero day incorrectly. Some vendors have implied to me that no update is necessary, but when pressed on how they provided protection against a specific new threat, the first thing they said was an update was deployed.

Where the article falls short for me is that it only includes proactive measures that have been added into antivirus products in recent years. It would be interesting to see how full blown HIPS products shape up.

On the whole, I agree with the author that proactive measures are necessary but that these will not replace signature based detections.

w97m/kukudro.a

| No Comments | No TrackBacks

Catching up on some things from while I was out this week. We got a spike in detections of a new virus w97m/kukudro.a. F-Secure reports that the file is sent in a zipped archive. When opened, it uses an ancient exploit to run automatically. This occurs in Office XP and 2000 even if macros are disabled. In Office 2003 the vulnerability does not exist so the exploit will obey the macro setting. In many environments, the default macro security setting is to ask the user what to do.

Alex over at the Sunbelt Software blog is having a temper tantrum over what he terms the predatory pricing of Microsoft OneCare and Frontbridge. Imagine what he'd be saying if they were giving it away as they probably should be.

I don't really follow this all that closely. I'm currently a user of Microsoft Antigen and the prices quoted for Frontbridge seem to be what I'm paying for Antigen now. So I don't see the predatory pricing. Further, he says Microsoft has gone outside the norm in their pricing method. The reality is that Sybari was always a subscription-based model where the software is licensed for a period of time only. This is not a change.

The legacy antivirus vendors should be on notice. If they want to continue with the same crappy products bundled together for higher prices, it will no longer work. Alex says that Microsoft will stifle innovation. I say the opposite. AV companies need to get off the bench and create better products.

To beat the bear

| No Comments | No TrackBacks

In May 2005 I wrote about the security analogy about the bear: two guys, one of whom stops to put on running shoes. It's "good enough security." I don't have to outrun the bear, I just have to outrun you. I opined that good enough security is only good enough when your security exists only so you can check off a requirement with a regulatory agency. In reality, targeted attacks destroy "good enough" security. What if the bear doesn't care about your slower friend? What about when it's personal?

In the June 2006 issue of SC Magazine, the opening editorial makes use of this analogy and makes the point that good enough security doesn't work against internal attacks either. They would argue that the main defenses are policies such as job rotation, separation of duties and rotation of duties.

Can't stop for a minute

| No Comments | No TrackBacks

I glanced at my blackberry during dinner and saw a whole mess of virus alerts such as the following:

The message sender was alerts@CNN.com
The message originating IP was 81.168.6.17
The message recipients were user@$mydomain.com
The message was titled Osama Found Hanged
The message date was Thu, 15 Jun 2006 22:02:54 -0700
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
/var/qmail/queue/split/0/attach/3384881_4X_AZ-D_PA2__Photo=20and=20Article.exe
Found the W32/Sdbot.worm.gen.as virus !!!

In case it's not clear, that is the admin notification when someone sends a virus. Looks like another run of viruses being spammed. How many times have they tried the Osama bin Virus since 2001?

eEye has released additional details on the SAV 10 vulnerability.
http://www.eeye.com/html/research/advisories/AD20060612.html

As rumored, the vulnerability is in the remote management, and would allow an attacker to run code with SYSTEM privileges.


Overview:
eEye Digital Security has discovered a vulnerability in the remote management interface for Symantec AntiVirus 10.x and Symantec Client Security 3.x, which could be exploited by an anonymous attacker in order to execute arbitrary code with SYSTEM privileges on an affected system. The management interface is typically enabled in enterprise settings and listens on TCP port 2967 by default, for both server and client systems.

The SANS Internet Storm Center has information answering my question on the conflicting info on whether or not you have to open the attachment.

To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses.

They go on to say that the virus is poorly coded and does not do everything the writer is trying to achieve. There are two versions in circulation, with the second being an attempt at a bug fix.

Symantec 6/12 virus defs detect this.

Yamanner is written in Javascript. It exploits a vulnerability in the Yahoo email service to send a copy of itself to the user's Yahoo email contacts.

Mitigation is tough at this time. You can't disable JavaScript and still access Yahoo Mail. The viral messages are from people you know. You could refrain from opening unexpected messages, but that kind of negates the purpose of the Internet in my opinion. Users in the Yahoo Mail beta are not affected.

Yahoo Zero Day: JS.Yamanner

| No Comments | No TrackBacks

There is some talk over on the Full Disclosure mailing list of a worm on Yahoo Mail. They say it is exploiting a vulnerability in Yahoo Mail so that when you open an email with the exploit it will send email to gathered yahoo addresses.

Symantec has a writeup here.

JS.Yamanner@m performs the following actions: Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:

From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.

Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.

Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.

Targets email addresses from the @yahoo.com and @yahoogroups.com domains.

Contacts the following URL:

[http://]www.av3.net/index.htm
Sends a list of email addresses gathered to the above URL.

It's not clear from this if the user is required to open an email attachment to be exploited or if it occurs as the email message is opened.

McAfee Misdetects EICAR

| No Comments | No TrackBacks

EICAR is the antivirus industry standard for verifying that the antivirus scanner is on and can detect something. It's a harmless line of text.

According to a post on the Full Disclosure mailing list, McAfee is misidentifying EICAR as elspy.worm.

The misdetection was reported with McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11) using the 4781 DAT file. I have not verified this report.

Message Labs is rolling out an update to its antivirus scanning with a new feature called link following.

The free Link Following feature will automatically examine all email messages containing URL links. Upon seeing a particular URL for the first time, Link Following will allow the email to continue on its path while it creates a copy of the URL for further investigation. Link Following actively (either heuristically or manually) follows these links and checks the linked website for viruses or other types of potentially harmful content or payload. If a suspicious link is confirmed as viral, a signature is created and any further emails containing that link are treated as messages containing a virus. This means that they will be quarantined for fourteen days under the same MessageLabs Anti-Virus procedure currently in place.

Patching Symantec

| 2 Comments | No TrackBacks

Good post over at boardfish (second post down on the page) on patching using the msp files. It's similar to the method I advocate.

I'm really not sure why they have him create a second administrative install point for the second patch.

Also not sure why you'd patch the install point and then reinstall from there instead of merely rolling the patches to the clients.

Are we free to use any MSI method we prefer? Or are there Symantec specific ways of doing things?

I don't see it reflected on their public bulletin yet (give it some time), but the ftp site now has updates for 10.0.2.2000 and 10.0.2.2001 to patch them to the resulting version of 10.0.2.2002.

ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/symantec_antivirus_corp/10.0/updates/

These patches keep trickling out, if you are running an earlier build of SAV 10 than is currently patched, keep waiting, I'd expect it out in the next couple of days.

ISC is reporting that the exploitation occurs through the management port that is opened on managed SAV clients. I haven't seen a source for that. If your personal firewall policy is really granular, for example listening to only the parent server on that port and no one else, then you may be in good shape.

If Marc had simply informed the manufacturer of the problem and told no one else, we'd be in about the same shape as we are now. Their version of responsible disclosure does little to allow people using this product to protect themselves, other than hoping for fast patching. That isn't always feasible in an enterprise environment. I suspect most people are still working on patching Flash and QuickTime, that is, if they bother to patch applications at all.

SANS ISC is reporting that

Some have reported that the patching process is not trivial, and can be difficult to roll out in some environments.

What exactly does this mean? In the not-so-distant past, patching Symantec has meant testing and rolling out an entirely new version of the product. If you know anything about mst files, this is much simpler. I guess some people are expecting this to be deployable through LiveUpdate. Not sure where they'd pick up that expectation. Deployment of this patch will require a reboot, but if you used an enterprise-ready method of deploying SAV in the first place, deploying a patch isn't that difficult. The biggest problem I expect is the user revolt that requiring another reboot will cause.

Here's the breakdown for those like me who know version numbers better than this MR/MP/PP versioning system.

For SAV Corporate Edition the following versions have patches available.
Unpatched -> Patched
10.0.2.2010->10.0.2.2011
10.0.2.2020->10.0.2.2021
10.1.0.394->10.1.0.396
10.1.0.400->10.1.0.401

Surprisingly, Symantec has not patched the initial release of SAV 10.0.2.2000. I don't know if a patch is coming for them or not. Apparently 10.0.2.2001 users need to upgrade to 10.0.2.2010 or 10.0.2.2020. Basically it's applying one mst file for the initial update and then another mst file for the point patch (they can be combined in one command such as msiexec /p "patch1;patch2"). I guess that is easier than doing a full upgrade to 10.1, although that would at least get some new features.

Additional patches for localization and platform-specific builds (does that mean 64-bit?) have an ETA of Tuesday. I find that approach interesting because Microsoft chooses not to favor its English-speaking customers, preferring to patch all systems at the same time.

Symantec has released patches for Symantec Antivirus. The files are on their FTP site, but the support site isn't updated yet.

It looks like, since I'm running 10.0.2.2001, I'm going to have to apply the 2020 build mst file (MR2, MP2) before I can apply this fix. :(

I guess I have to learn a bit about mst files. I think I should be able to chain the two files together, but I'm not sure of the exact syntax to use when pushing that out with SMS.

Eeye is reporting that

a remotely exploitable vulnerability exists within the Symantec Antivirus program. This flaw does not require any end user interaction for exploitation and can compromise affected systems, allowing for the execution of malicious code with SYSTEM level access.

This is reported in SCS 3 and SAV 10. Currently it is not known whether they have tested earlier versions.

This is a follow-on post on the exploitation of the Invision forum used by Six Apart for its free Movable Type support.

The code that is serving up the WMF exploits is in an IFRAME using an obfuscated URL. Using a URL deobfuscator over at IPTools.com, I found that the iframe is calling http://traffnew1.biz/dl/adv670.php (danger, Will Robinson, danger), which I believe is hosted in Russia. Their DNS server is on the same IP block.

If you are running Internet Explorer when you go to that website, you get exploited.
Spoofing IE6 on XP SP2, I get an obfuscated script. Not sure how to untangle that.

Gamedaily.com was hit by this bad guy on May 8th. They were also running Invision. So this has been occurring for a while.

Invision Board Vuln

| No Comments | No TrackBacks

While watching a little NASCAR this evening and IMing with friends, I decided to check out the Movable Type Support Forum. Movable Type is the blog software I use over at infosecblog.org.

The second I browse to http://www.sixapart.com/movabletype/forums/index.php I notice an odd script prompt:

Next I got virus alert popups from Symantec Antivirus telling me I had wmf exploits in my temp files!

It looks like Six Apart (the company that makes Movable Type) is using Invision Power Board version 2.0.4. A major vulnerability was announced for this version a few days ago.

Moral of the story, if you haven't learned it already: 1) patch your system, 2) keep antivirus up to date, 3) even when you aren't surfing the seedy underbelly of the web, you can get exploits thrown at you.

I’ve sent an alert to the ISC as well as to the webmaster at six apart.

The Microsoft Anti-Malware Engineering Team reports on their blog that they will be participating in virustotal.

For those that don't know, virustotal.com is a way cool website where you can scan a suspicious file against around 10 vendors. This might help you see what wacky name of the week one particular vendor is using for a virus. It might also show you who doesn't have detection available. That's why a few AV vendors have declined to participate in VirusTotal. So I think it's pretty cool that Microsoft is getting involved.

I'm seeing some Word documents being detected by the Kaspersky scan engine as Trojan-Dropper.MSWord.Lafool.g. I don't see a writeup of that on the Kaspersky site. The latest Lafool variant currently written up is "f". None of the variants actually have much, if any, information in the writeup. Looks like I need to figure out how to submit this to support.

update: I checked the Kaspersky forums and found other people noting the same problem.

To report things like this to Kaspersky, send the files in a password-protected archive to "newvirus at kaspersky dot com" and write "possible false positives" in the subject.

I found that they already had new virus definitions available that rectified the problem. I've downloaded them and tested the result.

Symantec Scan Engine Bugs

| No Comments | No TrackBacks

I hate it when I see something and my reaction is :meh:, so I don't blog about it, but then a day later it gets blogged by others. I see the ISC has picked up the news that the Symantec Scan Engine has a couple of vulnerabilities. This has nothing to do with the corporate or consumer product that you use on your desktop. Rather, it is a server that you might use with the ICAP protocol to scan traffic, such as HTTP.

Symantec's writeup is here. Rapid7 discovered these vulnerabilities and has a writeup on their site as well.

Protection against zero-day attacks has been a buzzword in anti-malware software marketing. It's an important thing to have. You can't run a business while waiting multiple days for virus definitions covering the latest attack to be released.

Symantec Mail Security for SMTP 5.0 is a new email gateway solution that attempts to provide such protection. It combines Brightmail antispam technology with Symantec antivirus and content filtering.

http://www.securitypipeline.com/185303122?CID=rssfeed_pl_scp

One key new feature is zero-day protection against threats, which uses information on emerging exploits gathered from Symantec’s network of more than 3 million e-mail addresses. When a suspicious e-mail arrives at the server, this feature can be configured to automatically strip off and quarantine the attachment until a virus definition is released, or simply delete the message, said Caccia.

Many vendors are attempting to enable zero-day threat protection by adding multiple virus engines in order to maximize detection, but that doesn’t offer the same level of protection as Symantec’s new offering, said Tom MacArthur, principal of Storbase, a solution provider in Waltham, Mass.

“Although you get some incremental benefit from the [former] approach, it’s always better if you can catch viruses early on,” MacArthur said.

Hopefully there will be a bakeoff between this product and those that use multiple engines. It will be interesting to hear more about this approach. I wonder if it is using technology similar to the Real Time Threat Protection Service they just bought when they purchased IMLogic.

Neither approach is going to catch 100% of the viruses. Each is vulnerable to targeted attacks. Message Labs, on the other hand, uses a heuristic scanner (Skeptic) in addition to three scan engines. Even targeted attacks will have a difficult time penetrating that defense.

http://www.networkworld.com/news/2006/040306-trend-micro-data-revealed.html

My favorite portion of the article: "an employee, who is no longer with Trend Micro,".

A Trend Micro employee puts company reports on his home computer. He doesn't run antivirus on his home computer, but he does run a P2P program on it. Then the employee goes for the idiot trifecta and gets infected with a virus. The virus shares out the entire hard drive, and the Trend Micro reports, including company data, are shared on Japan's most popular P2P network. Good work.

Do we even need to stop and think about the lessons to be learned here, or are they so obvious it's hard to miss them...

Nice Trick

| No Comments | No TrackBacks

F-Secure's blog reports on the use of rapid polymorphism in the latest Bagle.

Is it Tax Time Already?

| No Comments | No TrackBacks

I noticed in today's inbound email a bunch of messages with the following characteristics:
Envelope From: root@localhost.localdomain (may be gathered from sender computer as well)
Display From: service@IRS.GOV
Subject: receive a tax refund of 63.80
Virus: LinkAliasPostcard (I believe that means it's a link to exploit code)

F-Secure Sanctimony

| No Comments | No TrackBacks

F-Secure blog writer Sean gives it to Microsoft with both barrels for daring to do research on rootkits.

First he blasts them for doing research into how an attacker might build a better rootkit.

Next he blasts them because in 1993 someone did that with a floppy.

I can't believe that someone at an antivirus company is blasting someone else for doing research into the dark arts. If my antivirus company failed to do research into the dark arts, they would be in constant reaction mode. I'd prefer that my AV company think of ways to 0wn my computer and then protect me from it. Otherwise, they are just taking my money and sitting on their thumbs waiting for an attack. The attack, of course, would allow them to sell more product.

F-Secure is a cutting-edge AV company. I don't think they sit around waiting for the bad guys to innovate first. So I don't know why Sean at F-Secure would blast Microsoft for doing this research. He compares it to research into nuclear fission.

McAfee w95/CTX False Positive

| 1 Comment | No TrackBacks

McAfee had a major false positive on Friday that affected a lot of applications.

I've seen reports that affected applications include:
Microsoft Excel 2000
Macromedia Flash Player 7
Oracle J-Initiator Client
Oracle Client Applications
Borland Database Engine Drivers
Sun Java Runtime Environment v2
ADP Payroll Applications
CA UniCenter Applications
ProComm Plus
And Many More...

McAfee is reporting the most common false positives are:
usersid.exe Windows XP file
imjpinst.exe Windows XP file
ecenter.exe Dell file
ntfstype.exe Utility
adobeupdatemanager.exe Adobe Update Manager
gtb2k1033.exe Google Toolbar Installer
43gcjvgahnu44.ths Macromedia Flash Player 7.0 r19
excel.exe Microsoft Excel
graph.exe Microsoft Excel

If the files are in quarantine, you can restore them after updating to a later virus definition. If you've let McAfee delete them, you need System Restore or backups.

McAfee False Positive part 2

| No Comments | No TrackBacks

According to the SANS Internet Storm Center diary, there was a false positive in McAfee defs on Friday. They asked a couple of questions that I thought were worth a blog entry.

How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak" ?
We use Symantec Antivirus in our environment. It sends an email alert to the antivirus administrator about each virus alert. The antivirus administrator should be able to make a decision based on his/her experience, the directory and filename of the reported file, and the number of reports.

Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming ? Where exactly do these patterns come from ? Is the previous pattern version available there as well ?
The ability to roll back virus definitions is built into the management platform for Symantec (Symantec System Center). Failing that, backdating would have to be done by hand or through a script run on each client.
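The first ISC question, telling a bad pattern from an outbreak, is answered above by experience, file location and report volume. As an added illustration (not the author's tooling and not anything Symantec or McAfee ships), the Python below runs that same reasoning over a constructed alert export: alerts are grouped per threat name, and a detection that lands on many hosts, only in program directories, right after a definition update is flagged as a probable false positive, while one spreading through user-writable locations is flagged as a probable outbreak. The alert line format, host names, paths, timestamps and the `DAT_UPDATE_TIME` are all made up for the example; W95/CTX is the detection named in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert export (not real data) in the shape of per-alert console emails.
ALERTS = r"""
2006-03-10 14:02:11 host=WS-0412 threat=W95/CTX file=C:\Program Files\Microsoft Office\Office\excel.exe action=quarantined
2006-03-10 14:02:40 host=WS-0133 threat=W95/CTX file=C:\Program Files\Microsoft Office\Office\excel.exe action=quarantined
2006-03-10 14:03:05 host=WS-0209 threat=W95/CTX file=C:\Program Files\Microsoft Office\Office\graph.exe action=quarantined
2006-03-10 14:03:31 host=WS-0088 threat=W95/CTX file=C:\Program Files\Microsoft Office\Office\excel.exe action=quarantined
2006-03-10 15:10:02 host=WS-0412 threat=W32/Nyxem.e file=C:\Documents and Settings\jdoe\Local Settings\Temp\photo[1].exe action=quarantined
2006-03-10 15:11:47 host=WS-0551 threat=W32/Nyxem.e file=C:\Documents and Settings\asmith\Local Settings\Temp\hot movie.scr action=quarantined
2006-03-10 15:14:20 host=WS-0093 threat=W32/Nyxem.e file=C:\WINDOWS\system32\winupd32.exe action=quarantined
""".strip()

DAT_UPDATE_TIME = datetime(2006, 3, 10, 13, 55)  # constructed: when the new DAT was pushed

LINE_RE = re.compile(r"^(\S+ \S+) host=(\S+) threat=(\S+) file=(.+?) action=(\S+)$")
TRUSTED_PREFIXES = ("c:\\program files\\",)            # where vendor binaries live
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\")


def parse_alerts(text: str) -> list:
    """Turn the export into dicts; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, threat, path, action = m.groups()
        out.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
                    "threat": threat, "path": path, "action": action})
    return out


def triage(alerts: list, dat_update_time: datetime, window: timedelta = timedelta(hours=1)) -> dict:
    """Per threat name, summarise the evidence an AV admin would weigh and suggest a verdict."""
    by_threat = defaultdict(list)
    for a in alerts:
        by_threat[a["threat"]].append(a)
    report = {}
    for threat, hits in by_threat.items():
        hosts = {h["host"] for h in hits}
        paths = {h["path"].lower() for h in hits}
        trusted = sum(p.startswith(TRUSTED_PREFIXES) for p in paths)
        writable = sum(any(mk in p for mk in USER_WRITABLE_MARKERS) for p in paths)
        first = min(h["time"] for h in hits)
        right_after_update = dat_update_time <= first <= dat_update_time + window
        if len(hosts) >= 3 and trusted == len(paths) and right_after_update:
            # same installed binaries on many machines, minutes after a new DAT
            verdict = "likely false positive: hold deletions, ask vendor for a corrected DAT"
        elif len(hosts) >= 3 and writable >= len(paths) / 2:
            # varied droppers in temp/profile paths across hosts
            verdict = "likely outbreak: isolate hosts, confirm the propagation vector"
        else:
            verdict = "needs analyst review"
        report[threat] = {"hosts": len(hosts), "distinct_paths": len(paths),
                          "in_program_dirs": trusted, "in_user_writable": writable,
                          "minutes_after_dat": (first - dat_update_time).total_seconds() / 60,
                          "verdict": verdict}
    return report


if __name__ == "__main__":
    for name, summary in triage(parse_alerts(ALERTS), DAT_UPDATE_TIME).items():
        print(name, summary)
```

The thresholds are deliberately simple; the point is that the verdict is driven by evidence the console already has (host count, path, timing relative to the last update), which is what lets an admin hold deletions before a bad pattern turns quarantines into reinstalls.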

The antivirus companies have us addicted to updates. We need the fix. We're jonesing for the fix. Every once in a while we get a bad fix that nearly takes us out. In the past month Kaspersky has killed Exchange servers running Sybari. Microsoft Antispyware has uninstalled Symantec antivirus. And now this. (I think I'm forgetting a smaller incident Sophos had.) Something is rotten in the state of antivirus.

SAV 10 Trouble

| No Comments | No TrackBacks

We've got some problems today caused by an install of Symantec Antivirus version 10. On some Windows 2000 systems after installing Symantec Antivirus 10, the SMS client agent would no longer run. Investigation showed that WMI was possibly corrupt. We're still looking into this problem. Thus far I haven't found a way to fix it.

Virus Def Update Speed

| No Comments | No TrackBacks

F-Secure has a little flash video used to illustrate the difference in update speed between F-Secure and several competitors.

Bluecoat

| No Comments | No TrackBacks

Bluecoat came out today to pitch their caching proxy with antivirus and URL filtering. The antivirus piece is a single engine. You can pick from multiple vendors for an AV engine, but there will be only one. They are doing nothing that I can see to address the problem of zero-day viruses and targeted viruses. Their comment is that multiple antivirus scan engines slow things down too much. That is not what scansafe.net's service claims. I think the Bluecoat solution would still let viruses through. It's probably better than what we have, but is the difference worth the change?

Symantec Antivirus and 64 bit

| No Comments | No TrackBacks

I just got off the phone with Symantec regarding their 64 bit Symantec Antivirus client.

The Symantec knowledge base article on the subject says that it cannot BE a parent server and as a client it cannot do VDTM. Silly me, that made me think that the 64-bit client could be managed. Support tells me they are still working on that and claimed that it would be like a SAV 9 server trying to manage a SAV 10 client. This is very aggravating, as we've been waiting for a SAV 10 server to be in production in order to deploy the x64 antivirus.

The other news from that call is that no patches are available for x64. I could not get them to commit to whether that software was vulnerable to the RAR vulnerability in 10.0.2 x86 architecture or not.

[update]: They just sent me a document on how to configure the SSC to manage x64 computers. It's just like I remembered. Disable VDTM. Schedule LiveUpdates direct to Symantec.

I learned about this in a thread over at BroadBandReports.com. It seems that if you go to the writeup for the new Macintosh worm Inqtana.a over at the Symantec (SARC) AVCenter, you get a virus detection of OSX.Inqtana.A in that temporary internet file. This of course is a false positive.

I am using the 2/17 rev 18 virus definitions. 2/18 rev 5 is out and reportedly that solves the problem.

Message Labs' January Intelligence Report is out. It's worth taking a look at.
http://www.messagelabs.com/Threat_Watch/Intelligence_Reports/January_2006?CMP=EMC-MLI-REPORTS

Below is one graphic from the report. It shows that 7 vendors were able to stop Nyxem.e heuristically (Message Labs, ISS, Kaspersky, Panda, eSafe, Fortinet, McAfee, NOD32). After that, the minimum window of vulnerability was 3.5 hours before the first non-heuristic virus detection was available. Symantec brought up the rear, releasing an update 35 hours after the initial detections, 15 hours after the virus was in wide circulation.

[Image: nyxem.PNG]

This morning at 11:40 our Exchange 2003 server updated the Kaspersky antivirus scan engine that is part of Microsoft (Sybari) Antigen. A few minutes later I began receiving emails about "scantime timeout", and when I checked I saw that no mail was being delivered anymore.

After spending an hour on hold with Microsoft waiting for support, I changed tactics and called my TAM. He told me I was still 35th or so in the phone queue (down from a couple hundred) and that the problem was a bad Kaspersky virus definition update (which is what I suspected). I disabled Sybari's scan jobs (once I could get into its admin GUI) and updated Kaspersky to a newer definition set. All told, two admins wasted three hours on this today and our company couldn't send or receive email for most of that time.

While bad virus def updates have hosed our server in the past (usually it's Kaspersky), I have never had this kind of hold time. I am really unhappy with the quality of support now that Microsoft owns Antigen.

Dave Aitel over at ImmunitySec has released exploit code for the Symantec RAR vulnerability that was announced in December. This code has been released only to ImmunitySec customers. This is a sign that it is possible to develop an exploit for this vulnerability. Not only that, if history is any indication, the super-duper bad guys probably already have it and have been using it in secret in targeted attacks.

[update] - I see this is old news; this actually occurred on 2/6/2006, but Symantec DeepSight Alert Service only told me about it now.

Boardfish

| 1 Comment | 1 TrackBack

Shameless self-promotion really irks me. For months now Duncan McAlynn has been getting the tech press to promote his forum at Boardfish.com. This trend continues in the Feb 2006 Information Security Magazine. Symantec pulled the plug on their bulletin board in December, and Boardfish apparently put out press releases about how it was the community replacement for Symantec's board. The two boards have something in common: no useful content. Symantec's board was an OK resource for people without support. It was an exercise in waiting weeks hoping the single Symantec employee on the board would respond. Rarely would anyone else bother to help out. On Boardfish, on the other hand, people are more likely to be willing to help, but there just isn't that much traffic.

Boardfish promoted itself as the place for online Symantec antivirus discussion when it had only created a Symantec forum moments earlier. It just irks me.

This reminds me of the Chernobyl virus in many ways. While the hysteria doesn't approach the level of that hystericane, we still have experts taking credit for their dire predictions not coming true.

"The importance of media attention from an awareness and educational standpoint has been a very good thing," said Marc Solomon, director of product management at security vendor management McAfee Inc. "It alerts users to what may have happened and the destruction that could have occurred."

It also sells product.

brepibot.gen

| No Comments | No TrackBacks

We've been seeing a number of w32/brepibot.gen in our inbound email since noon today.

McAfee has a writeup on this virus here. McAfee updated their definitions on January 30th noting:

There were several mass-spammings of new Brepibot variants recently. The 4685 DAT files contain updated detection to cover the new variants. One example of a spammed message is as follows:

The emails I've seen have the following characteristics:
Subjects:
Photo
Photo Approval Needed
Campus Life
Photo Approval Required
Campus Life Article
FWD:Photo
Photo Approval Deadline
photo approval needed
Photo Approval
Requesting Photo Approval

Attachment:
Photo and Article.exe

Source IPs:
62.49.4.123
86.135.27.88
83.38.83.48
213.132.238.109
68.186.147.67
157.253.66.7
82.38.170.158
86.128.48.255
84.92.83.135

Possible False Positive

| No Comments | No TrackBacks

In my email, I'm seeing messages detected as malware.ae. It looks like the messages are heavy on HTML content. But from the subject, source IP, and email addresses involved, it does appear to be a false positive.

I've opened a support case with Message Labs and sent them a few samples to find out more.

New Virus? Nyxem.e

| No Comments | No TrackBacks

Just saw a virus detected as Nyxem.e in the inbound email. I believe Nyxem is another name for the MyWife family of viruses. Looks like this is a new variant.

http://www.f-secure.com/v-descs/nyxem_e.shtml posted today

One of the things I neglected to mention in the previous post is that by exploiting these sites, WMF exploits are served up by sites you may trust and go to every day. They may be your friend's site, or the site of a small business.

Getting infected via a WMF exploit isn't a matter of visiting hacker or porn sites; it's something that can happen very easily if you haven't patched.

One good thing about that call is that I had zero wait time. Either no one is calling support this week or Symantec has really improved the Gold level response time.

I called SAV support just now. You see, Symantec's security bulletin says that SAV 8 and 9 are not vulnerable to the RAR buffer overflow. http://www.symantec.com/avcenter/security/Content/2005.12.21b.html

However my vulnerability scanner says I am vulnerable because my dec2rar.dll file is the wrong version.
%ProgramFiles%\Common Files\Symantec Shared\Decomposers\dec2rar.dll Version is 3.2.10.16

So basically I wanted to make sure that 9 is never vulnerable, that there is no way I could still be vulnerable by having an older version of this DLL. Basically, assure me that my vulnerability scan detection is a false positive.

It just blew his mind. Gold support just is not prepared for a call that isn't already answered by the knowledge base. To his credit, he put me on hold to ask for some help. But I'm just not that confident in their final answer that 8 and 9 are not vulnerable to the RAR vulnerability no matter what.

IM.WMF-BH56.all

| No Comments | No TrackBacks

IMLogic is reporting a new IM worm using the WMF vulnerability. This is currently rated as low.

If you've got IMLogic, you're cool. Otherwise you might want to watch access to 168.169.78.19 because the file is live. Oh, I hear the file is detected with the Symantec Bloodhound defs, but I didn't want to test that for myself.

WMF Antivirus face off

| No Comments | No TrackBacks

I learned through Donna's Security Flash about some testing av-test.org has done to see which antivirus vendors can detect the WMF exploit files.

See the results from January 1st in a PCMag article. AVG didn't fare so well. Aren't they one of the free products that people always push instead of the more established vendors?

Symantec to buy IMLOGIC

| 2 Comments | 1 TrackBack

Well, shit. Suddenly that decision to purchase IMLogic (the product, not the company) is not looking so good. Symantec has just purchased them.

When Symantec purchases something, it's almost as bad as when Computer Associates purchases something. First, I suspect all development will go in the crapper while Symantec figures out what they bought and what they want to do with it. Goodbye quarterly updates. Goodbye support for AIM Triton, Google Talk and AIM file transfers. I know you were on the roadmap, but the roadmap is now burned.

Next, support will suck. I suspect my support team will now be replaced slowly by the "Gold" level drones that Symantec hires.

Third, I wonder what will happen with the Sybari integration? Will it disappear now that two corporate giants own the two companies?

Will my product completely disappear the way L0phtCrack has since the @stake purchase? Will it reappear later as Symantec IM Manager?

I really expected Webroot to be picked off (as Pestpatrol was). I didn't think about the possibility of IMLogic being bought.

IMLogic is still a better product than FaceTime or Akonix. We'll have to hope for the best.

I had been wondering whether it is possible to run the third-party WMF patch in silent mode. When I downloaded the patch and ran it with /?, it did not give me any command line options. SANS is now reporting the syntax to run the install quietly.

I'm still wondering how to uninstall the patch programmatically when the real patch is released. I'm assuming that since it is listed in Add/Remove Programs, it should be possible to find the uninstall command line in the registry. I haven't looked through it yet.

Sybari (or is that Microsoft?) sent out a security bulletin relating to WMF viruses. They are calling it WMF/Exploit.b, alias Exploit-WMF trojan, Exploit.Win32.IMG-WMF.a, Troj/DownLdr-QB.

But most importantly, they warn:

****PLEASE NOTE****
For Windows platforms, users must set the "ScanAllAttachments" registry value to 1 for this filetype to be detected.

Domino Users:
For Domino, the following can be done:
1. Open the "notes.ini" file.
2. Add the ".JPG" and ".WMF" extension to the "AntigenAveExts" parameter.
3. Save the file.
4. Recycle services.

I always thought it a little sketchy that by default Sybari scans specific file types only. Hopefully Exchange performance won't grind to a halt when this change is made.
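The Domino steps in the bulletin amount to editing one key in notes.ini, and the catch when scripting that across servers is doing it without clobbering extensions already present or adding them twice. The Python below is an added example of that edit, not Sybari or IBM code: it assumes `AntigenAveExts` holds a comma-separated list (the bulletin quoted above does not show the value's format, so that separator is an assumption), the sample notes.ini content is constructed, and `add_antigen_exts` / `patch_notes_ini` are my own names. The Windows-side `ScanAllAttachments` value is not covered because the bulletin does not give its registry path.

```python
from pathlib import Path

REQUIRED_EXTS = (".JPG", ".WMF")  # the two extensions the bulletin says to add
KEY = "AntigenAveExts"

# Constructed notes.ini excerpt; the extension list is an assumed comma-separated value.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Lotus\\Domino\\data
AntigenAveExts=.DOC,.XLS,.EXE,.jpg
ServerTasks=Update,Replica,Router
"""


def add_antigen_exts(ini_text: str, exts=REQUIRED_EXTS, key: str = KEY) -> str:
    """Return ini_text with every extension in exts present on key's value.
    Other lines are preserved byte for byte; comparison is case-insensitive,
    so an existing '.jpg' is not duplicated by '.JPG'. Idempotent."""
    lines = ini_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        name, sep, value = line.partition("=")
        if not sep or name.strip().lower() != key.lower():
            continue
        found = True
        current = [v.strip() for v in value.split(",") if v.strip()]
        have = {v.upper() for v in current}
        for ext in exts:
            if ext.upper() not in have:
                current.append(ext)
                have.add(ext.upper())
        lines[i] = f"{name.strip()}={','.join(current)}"
    if not found:
        # key absent: add it so the scanner at least covers the bulletin's types
        lines.append(f"{key}={','.join(exts)}")
    return "\n".join(lines) + "\n"


def patch_notes_ini(path: Path, exts=REQUIRED_EXTS) -> bool:
    """Apply the edit to a file, keeping a .bak copy; True if the file changed.
    Recycling the Domino services afterwards is still a manual step."""
    original = path.read_text(encoding="utf-8")
    updated = add_antigen_exts(original, exts)
    if updated == original:
        return False
    path.with_suffix(path.suffix + ".bak").write_text(original, encoding="utf-8")
    path.write_text(updated, encoding="utf-8")
    return True


if __name__ == "__main__":
    print(add_antigen_exts(SAMPLE_NOTES_INI))
```

Running the script a second time is a no-op, which is what you want from something pushed by a job scheduler; the `.bak` copy is what you fall back on if Exchange or Domino throughput really does crater after the change.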

Ah Sweet Vindication

| No Comments | No TrackBacks

Just wondering if you guys who rely on attachment blocking in email to protect you are now blocking all image files to protect against WMF exploits? Enjoy your plaintext email existence.

I'll continue to enjoy the protection provided by Message Labs. Good antivirus enables business.

SANS WMF FAQ

| No Comments | No TrackBacks

SANS has posted a WMF FAQ. Good summary for those not keeping up.
http://isc.sans.org/diary.php?storyid=994

The following quote is from the AVERT email. AFAIK this was sent to a public list and may be disseminated.

Advisory
AVERT is releasing this advisory to make our customers aware of new Exploit-WMF code having been released today and currently being used in spam attacks resulting in the installation of a new Backdoor-CEP variant.

Justification
Updated DAT files to detect new Exploit-WMF and Backdoor-CEP variants are being prepared now and will be released shortly.

Read About It
Information about Exploit-WMF is located on VIL at: vil.nai.com/vil/content/v_125294.htm

Some odd png emails

| No Comments | No TrackBacks

I tried to post this at dinner, but my BlackBerry doesn't do JavaScript. Just remembered to post this now.

All day, spam directed to my company with the subject "Re: peeper cre" has had a file detected as Possible Malware PNG/Generic. I have no way of knowing if this is related to the WMF exploits or not.

SANS Newsbites on IM Security

| No Comments | No TrackBacks

The following is a comment by editor Pescatore in the SANS NewsBites email:

[Editor's Note (Pescatore): There has definitely been an increase in attacks via links in IM messages. Users who will no longer click on a link in an email for fear of phishing are still clicking on links in IM messages - and usually clicking within seconds of receipt, as compared to email messages that may sit in the users in-box for quite some time. Enterprises who have made the decision to allow public IM services to be used by employees need to make sure that IM filtering services are put in place, and employees warned that IM screen names are just as insecure as email addresses.]


More bad news on the Windows Metafile front.
According to the latest SANS ISC diary, McAfee announced on the radio yesterday that they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.

How does McAfee know how many infections occurred? With Symantec, my clients aren't reporting anything to them. Does McAfee have all client infections reported to them (both consumer and corporate)?

WMF IM Worm

| No Comments | No TrackBacks

If you've read any security sites over the past week, you know about the zero-day Windows Metafile vulnerability.

Well, it keeps getting worse. Kaspersky reports that there is now an MSN Messenger worm that sends a link to a WMF exploit file. When you follow the link, the exploit runs a VBS script to install a bot. Have a nice day.

They also say it is possible to exploit this vulnerability even if shimgvw.dll has been removed from the system. They say that disabling and then removing the DLL provides a large measure of protection, but don't think you are safe.

It keeps getting worse. Is anyone else waking up at night thinking about this?

MS Online Crash Analysis

| No Comments | No TrackBacks

According to this article at Blink.nu, Microsoft Online Crash Analysis is capable of detecting some worms and viruses. Not only that, the recommended action is to initiate a scan through Windows Live Safety Center. I think that is pretty sweet.

Sanra Rudra

| No Comments | No TrackBacks

Indian software company Sanra has announced a new anti-malware solution called Rudra. Rudra is a no-update solution that sounds like a mix of HIPS and Tripwire. It assumes a clean system at install and then monitors for changes.

It seems like the documentation does a good job of describing what it is not. It is not virus-definition based or heuristic based. But when it describes what it is, it is less forthcoming. How does it determine whether a new program is a threat or not? Sounds like it's a whitelist-only approach to the computer.

A SecurityPipeline article says this program will be available the second week of January.

Hacker Defender author speaks

| No Comments | No TrackBacks

I learned of this article over at the broadbandreports.com security forums. Holy_Father, the author of Hacker Defender, a common Windows rootkit, speaks about his motivation. I can't vouch for its veracity, but then I say the same about every news.com article I link to as well. :)

"Antivirus companies sell a fake sense of security, but they do not bring real security to your computer. Antivirus just fights programs that are visible to common users."

"Yes, antivirus products will protect you against wildly spreading threats like destructive worms. But the real danger for users is from pointed attacks, where private tools are used"

Don't forget, as Message Labs has pointed out, targeted attacks are becoming more common. Don't think it can't happen at your company. This rootkit author sees his rootkit as forcing antivirus companies to develop better products.

holy_father says that today's heuristic scanners and polymorphic scanners are crap: they are defeated by minor changes to the source code of the malware. I can see that working against weak heuristics like Symantec's Bloodhound, but I would hope that eSafe's sandboxing approach would provide more of a challenge.

Thomas Claburn writes in Information Week (reprinted by Security Pipeline) about the struggle of antivirus companies to keep up with attacks. It's an interesting timeline to follow the creation of definitions for the Santy worm.

It sounds like at least at some antivirus firms they may finally be ready to move on from the broken virus definition update model, and move on toward proactive defenses.

Hacktool.netcat

| 1 Comment | No TrackBacks

Symantec has decided that netcat is a hack tool! What's next? telnet? Netcat is number 4 on insecure.org's list of top security tools.

I'm trying to decide if this is worth spending time on. I've been able to get Ghost Mail by Robert Yale off of Symantec's hit list in the past. But I think this might be a tougher argument. It's like the radmin detection. It's a common enough tool, but if one person uses it for bad, oh no, it must be designated for removal. I think Symantec is playing fast and loose with the "extended security threat" categories. Sooner or later everything will be listed there.

It's not as if Symantec makes this easy to ignore. First you add it to an ignore list for the realtime scan. Then for the scheduled scans. Then the real fun begins. You have to disable the startup quick scan (with 10.0.1.1000 and later this is an option in the SSC), and it looks like you may need to disable the Defwatch scan according to this article: http://tinyurl.com/cokvu. Lastly, users may create their own scheduled scans. You can't exclude netcat from those; all you can do is program the scan to leave it alone.

Businesswire reports that the Seattle Times is deploying IMlogic IMManager

Their primary goals are:


  • gain visibility into staff instant messaging (IM) use
  • ensure compliance with internal and external use policies
  • prevent cyber threats from entering its network

"We had no visibility and no way to monitor, control or track IM use. We didn't know if files were being sent out without our knowledge,"
"Rather than shut down all IM use, we opted to manage it. Our tech folks did a thorough evaluation, talking to our peers and researching different solutions. IMlogic IM Manager and its Real-Time Threat Protection System turned out to be technically superior."

IM Worms Increasing?

| No Comments | No TrackBacks

ZDnet repeats an Akonix press release reporting that IM worms increased in November as compared to October.

It's kind of satisfying that 36% of the worms target more than one network. Back when IM worms first came out they were occurring on the Windows Messenger network first and the Microsoft bashers were lining up to take their swings. Those critics fell strangely silent after more worms targeted the AIM network, which is more widely used in the U.S.

Do you trust reports from security vendors? They profit by selling software to protect against X. So are they unbiased when they say X is on the rise (thus you need our product).

Like Clockwork

| No Comments | No TrackBacks

I wonder if I could have bet on this in Vegas? What's this, the third or fourth time in 6 months Trend has published a writeup on a virus saying that it exploits a recently patched Windows vulnerability, only to later retract it?

http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4781

Trend Micro has retracted last week's claim to have discovered a Trojan that could exploit vulnerabilities in the Windows graphics engine.

Bloodhound.Exploit.52

| No Comments | No TrackBacks

Some people are reporting false positives in bloodhound.exploit.52. This is Symantec's heuristic detection for the flash vulnerability. Over at the ISC one person has said this has only been an issue for them with people running Flash 7.0.19. If you haven't upgraded this is probably the version you are running.

At least one person reporting the problem is using rapid release versions of the virus definitions 11/10 rev 39 and 11/22 with unknown revision number. So this means if they've submitted the suspect files to Symantec this false positive could get fixed before the virus defs are widely deployed.

IM Virus part 2

| No Comments

Symantec responded to my virus submission, reporting that they are calling it spybot.worm, and the virus defs are in the latest rapid release defs. The response took long enough that I think it wasn't an autoreply. If it's the autoreply, I know it's not something new. I tried the rapid release defs on my own computer and then set xdbdown to download rapid release defs.

I also downloaded the file (img0099.com) and ran it on a VMware machine. Of course good viruses know when they are in a virtual environment and don't do everything. I also didn't set up a fake network connection, so I don't know what network downloads it may have tried. I'm tempted to try that, but I don't want to hose my real computer.

It did a lot of registry lookups. The main thing is that it created c:\winnt\system32\express.exe and started it from the HKCU Run key and the HKLM Run/RunServices keys. That file is also detected by the rapid release defs. The file is set as a hidden and system file, so you may need to drop to a command prompt and run attrib -h -s express.exe (in the system32 directory).

The rapid release virus definitions I am using from Symantec are 10/26/2005 rev25.

IM virus

| No Comments

I had some users passing around an IM virus today. I'm still trying to get a handle on what virus it was to make cleaning it easier.

The users sent "YAY!! http;//home.earthlink.net/~lzingelmann/IMG0099.com" to each other. I downloaded img0099.com and submitted it to Symantec (haven't heard back yet) as well as VirusTotal. Virustotal.com saw a few heuristic detections and one detection as a Kelvir.

I see over at Harry's blog that there is a new IM virus out today called virkel. That's really not good. It does more than attempt to spread. It tries to download other updates and act as a bot. I tried to be the nice guy and let the user take the laptop home with them instead of taking it from them (with the caution that they not log into AIM). What a bad choice that was.

I'm still waiting on a useful IM security writeup. I may have to run this in a VM environment just to see what it does if the antivirus industry doesn't get off their collective butts.

The funny part about this is some of the people who got infected were part of my Facetime evaluation. The version of Facetime that I am running did nothing to help this other than create a log trail for later cleanup. :(

w32/doombot.b

| No Comments

F-Secure posted in their blog on Saturday about a new mass mailer, doombot.a and doombot.b. I'm seeing a little bit of doombot.b this morning in inbound email.

(no) Support

| No Comments

I was just on the phone with an IM security vendor support number. I asked how to set up the antivirus scanning. For my trouble, I got a lecture on the dangers of allowing file transfer via IM. No kidding, that's why I want the IM security software. If I merely wanted to disable all the features of the IM product, I wouldn't need your software!

SAV Defwatch Scan

| 3 Comments

I was wondering why Symantec Antivirus Corporate Edition version 10 was showing 400 files scanned during a Defwatch scan. This isn't the scheduled scan. In the past, a Defwatch scan was a scan of the files in quarantine, and the scan did not show up in the Scan History.

I found a KB article that explains this:


After you update virus definitions, a Defwatch scan runs. In the Scan Histories view, the "Total files" column of the Defwatch scan entry shows a number of files that is more than the number of files in quarantine.

Solution:
This behavior is expected. In Symantec AntiVirus Corporate Edition 9.x or earlier, a Defwatch scan only scans the files that are in quarantine. In Symantec AntiVirus 10.x, the Defwatch scan also runs a Quick Scan. The Quick Scan scans any program files that are loaded into memory and common virus and security risk loading points.

Another nice improvement in SAV 10.

More on mc21.tmp and mc22.tmp

| No Comments

A lot of people are coming to this site looking for help for Symantec Antivirus Backdoor.Graybird detections on mc21.tmp or mc22.tmp. My post on my experience last Friday has been picked up by Google. Unfortunately they are linking to my main page instead of the article itself and that post is about to fall off the front page. (To be fair, blogsearch.google.com does have the correct link).

I have continued to see a few new detections of this at work. I need to check if those systems are up-to-date on their virus definitions. If they do have defs where this false positive is supposedly fixed, then there is still an issue.

By popular demand, I'm posting the email Symantec sent out last week. It is my belief that this information is considered public and not under any NDA. In other words Symantec please do not sue.

-----Original Message-----
> From: symalert@symantec.com [mailto:symalert@symantec.com]
> Sent: Friday, September 16, 2005 4:49 PM
> To: Me
> Subject: Unscheduled LiveUpdate definitions to be published in response to a FP
>
>
>
> Symantec Security Response will post LiveUpdate virus definitions today, September 16, 2005.
>
> This posting is to correct a false positive with Backdoor.Graybird detections.
>
> An additional message will be sent approximately 30 minutes before the LiveUpdate virus definitions are available for download.
>
>
> ----------
> For additional information, visit our website at
> http://securityresponse.symantec.com

Symantec Daily Liveupdate

| No Comments

Back in February, I wrote that Symantec Platinum customers were going to be getting access to a "Liveupdate Plus" server which would offer daily liveupdates.

Earlier this week Symantec announced that Liveupdate will now update on a daily basis on the "normal" liveupdate servers beginning September 24th. The catch is that these daily updates will be for SAV 10 clients only. I see this as good news that can only help mobile corporate clients that may not be able to get the VDTM update on a frequent basis.

I want to push SAV 10 out so I can take advantage of this. But it's worth noting that there are still advantages to VDTM in that you can set the client checkin frequency to more often than daily, and also the updates are smaller.

Updating more often. When what you are doing isn't working, doing it faster probably isn't going to help. If faster virus defs are the solution, Symantec still has a ways to go. F-Secure had a record 11 updates in one day this week. Whatever happened to the Digital Immune System Symantec promised? Soon the virus defs will come so often, we'll just have a continuous update. An IV of virus definition files.

Common Malware Initiative

| No Comments

The long talked about Common Malware Enumeration initiative is set to get off the ground next month. It will be run by the Mitre Corporation (which also currently runs the CVE database). The purpose of this database is to make it easier for the media to hype up virus incidents and help buttress the stock of antivirus companies.

It just gets so confusing when you don't know whose bagel.ac is someone else's bagel.af. And this will solve all our problems. Yeah right.

While I am all for a more understandable virus incident report at the end of the month, does this really improve security? Personally, I just want the viruses stopped. I don't care what you call it. Perhaps that is the innovation antivirus companies should be focusing on.

edit - posting this from Firefox. Apparently the version I'm running doesn't have a spellchecker like Internet Explorer. I need to upgrade my Firefox. It's really vulnerable. I hear the later versions of Firefox should have a spell checker in them. So pardon the misspellings. I'll try to get back later and run a spell check.

Symantec Virtual Academy

| No Comments

I just attended a session on Better Threat Scanning with Symantec Antivirus version 10 at the Symantec Virtual Academy. They offered people the chance to sign up for free sessions to showcase the virtual classroom. It was a one hour session, whereas their normal class on this subject would run across three days. Normally each day would have a few hours of lecture in the morning and labwork in the afternoon. The session used Interwise software. I think the last time I used Interwise it created an autorunning item in my systray.

F-Secure - "We Can't Protect You"

| No Comments

http://www.f-secure.com/weblog/#00000655

Mikko Hypponen wrote: Bottom line: if your organization is still, in year 2005, accepting incoming executable attachments in email, now might be a good time to rethink your strategy. Because it looks like these guys won't be stopping any time soon.

Wow, two antivirus companies in one week waving the white flag. I always knew that they couldn't protect anyone from a new virus, but I never expected them to admit it. At some point about 7 years ago this would have resulted in shocked disillusionment amongst administrators. But nowadays it barely elicits a ripple. I would have expected people to storm the gates of F-Secure demanding a refund. Why pay tens of thousands of dollars in protection money if the anti-virus cartel can't get the job done?

So we have to participate in a chaotic file blocking scheme because it doesn't look like F-Secure will be able to stop these guys any time soon. Soon they'll just shut down email altogether in the morning from 8am to 10am. That's when most viruses come through now. :)

First they came for the scr files
and I did not speak out
because I did not email scr files.
Then they came for the vbs files
and I did not speak out
because I did not get any vbs files (and I was jealous of everyone else and their loveletter.vbs).
Then they came for the zip files
and I did not speak out
because I could send my zip files via IM file transfer.
Then they came for doc, xls and pdf files
and there was no one left
business was so disrupted everyone just went out to the bar for a pint.

apologies to Pastor Martin Niemöller

You can't stop a virus

| No Comments

Did you see the October issue of Information Security Magazine? (requires free subscription, or try bugmenot.com)

In it, they have an article 'Best Advice' which is a collection of advice from 24 security "luminaries" such as Mike Nash, Mikko Hypponen, Congressman Tom Davis (!), and Eugene Spafford. The "best advice" of Eva Chen, CEO of Trend Micro, is "you can't stop a virus." Well, pack it up, game over. Shut down the billion dollar antivirus industry. If it can't stop a virus, what is it good for?

Eva's explanation of that quote makes even less sense. She says that most enterprise customers have boundary-less, interconnected supply chains running on one global TCP/IP network. That somehow those interconnections are more important than stopping the virus. It sounds like her only defense against the virus is to shut down the network.

I marvel at the antivirus industry. First you sell yourself on the ability to solve everything. So that computers (at least those running Windows) cannot be considered "secure" without antivirus software. Next, when the myth of antivirus software is broken, that is, it cannot possibly push out virus definitions fast enough to get all viruses, they attempt to sell add-on functionality. What you really need isn't antivirus. It's antivirus and a personal firewall and a host based IDS. Fix your broken antivirus software rather than selling me additional pieces. McAfee for example has added some buffer overflow protection into their antivirus product. Why is no one else innovating?

I can't wait for the correction. E.g. "eva didn't really say you can't stop a virus. Her best advice was really risk management needs to be multifaceted."

Symantec False Positive

| 7 Comments

If you've got Symantec Antivirus and you've got Webroot Spysweeper, then you probably have seen a Backdoor.Graybird detection today. This is a false positive. The files typically detected are in the temp directory and named mc21.tmp or mc22.tmp in my experience.

I have called Symantec support, the next set of virus defs released should solve this problem. The current set of Rapid Release defs do fix this but I'd rather wait for "certified" definitions.

SCMag Group Test: Instant Messaging

| No Comments

In what is a very timely article for me Ian Parsons does a bake off of Instant Messaging security products. And sadly that may be the last nice thing I say about the article.

The introduction just doesn't make sense. He starts out assuming that the reader thinks they have bigger security fish to fry. Better places to spend their money. And that is true in my case. I am wondering if the big money these people want for IM security is worth it when at the end of the day (this is one time it's ok to use that phrase because I mean it literally) the user will go home and use the same computer on their home network and potentially download viruses. Of course the same thing can happen with email and the same thing can happen with HTTP. So why put money into IM security instead of instituting a massive lockdown and reduction of rights? Or perhaps go with a HIPS product that can handle zero day attacks. The author never explains that. Instead he makes some weird connection between email, internal news servers, discussion boards and IM. I don't get what his point was unless it is that any place where data is interchanged between users, you want to have a server or network layer of antivirus. And IM is a growing category of exploitation.

Ok, but enough with criticizing the intro, lets look at the evaluation itself. The first thing I noticed was the absence of IMlogic. Since they are the biggest name in IM Security I would expect to at least see a footnote stating IMLogic wouldn't provide eval software.

Next, he didn't really set out what he was trying to secure. Are we talking about public IM only? Are we talking about enterprise IM only, or a mix of both?

Next, some of the applications included seemed kind of out of place. Akonix RogueAware seemed more like a monitor. Facetime and IMLogic both have free software that does the same thing, and both of them do it better. Why not include them if you are going to include monitor-only software?

Gordano just sets up its own enterprise server. I would think if you wanted an enterprise server, you'd have gone with Sametime, Jabber or LCS.

The inclusion of Surfcontrol also seemed odd, as it was really a threat shield installed on the client. That seems like it's a different category of product.

Facetime was the overall winner with an honorable mention for the Blue Coat proxy. I've got Facetime coming in Thursday morning and I'm looking forward to learning how they would secure the IM environment (and at what cost).

And that's why I need to deploy SAV 10

| No Comments

As I was leaving work today, I glanced down at the BlackBerry and saw pages and pages of virus alerts. In Outlook that is filtered to another folder so I don't see it. The virus alerts were coming once per minute from a file in the user's Temporary Internet Files.

After going to dinner :) I came back and found that the file being detected was a running process. Since SAV versions earlier than 10 can't end the process, it just kept detecting it and being unable to do anything. I used pskill to take out the process and then used SAV to delete the file.

Interestingly enough, this user is not a local administrator. However, she also was not added to the correct security group for our "managed user" group policy to apply, so she was able to get this autorunning under the Windows CurrentVersion Run key in her HKEY_USERS hive.

The file was BubbleShotter15[1].com and it was detected as Backdoor.Sdbot. Only other thing on the system that was suspicious was Plaxo. I hate that program.

New Bagle detected heuristicly this morning

| No Comments

The MessageLabs Email Security System discovered a possible virus
or unauthorised code (such as a Trojan) in an email sent
to or from your organisation.

This email has now been quarantined and was not delivered.

To help identify the quarantined email:

The message sender was
keithr1@cox.net

The message originating IP was 216.146.101.151
The message recipients were
username@example.com (edited)

The message was titled (empty)
The message date was Mon, 12 Sep 2005 08:02:26 -0700
The message identifier was
The virus or unauthorised code identified in the email is:
>>> Possible Dropper 'W32/Generic-6192-4fb4' found in '3384956_3X_AZ-D_PA2__1.cpl'. Heuristics score: 679
>>> Possible Dropper 'Exploit/HackedPacker-PeX-BagleMod.dam' found in '3384956_7X_AxX_PA3__embedded.ex_'. Heuristics score: 800

Antivirus aint cheap

| No Comments

I was talking with an IM vendor today. We've got a budget to implement IM antivirus this year as part of an LCS implementation. The Instant Messaging antivirus would protect LCS, AIM, Yahoo Msg, MSN Msg, ICQ and down the road Google Talk. The price he quoted is, I'm pretty sure, more than we pay per desktop for our corporate antivirus. I'm all for layered protection, but this is getting kind of expensive.

I'm thinking two things: 1) HTTP antivirus is more important than IM antivirus, so perhaps my money should be spent there, and 2) why spend money for gateway products? They don't travel with the user to protect them when they are on the road. Perhaps the money should be diverted into a HIPS product with a good track record with zero day worms.

McAfee to resell Postini service

http://news.com.com/McAfee+to+sell+Postini+e-mail+security+service/2110-7355_3-5844325.html?part=rss&tag=5844325&subj=news

I'd be interested in seeing who owns what percentage of the outsourced email security $$$. McAfee reselling Postini is validation of outsourced email scanning.

rechnung.pdf.exe

I'm seeing some files named rechnung.pdf.exe detected as Troj/Downloader.gen!5564. It's probably the typical spammed virus that often arrives on weekends.

SAV 10, fixed now

I uninstalled SAV 10 and ran the SAV 9 version of NoNav to get rid of any other odd remnants. I'd already run the Windows Installer Cleanup utility. After a reboot and a new install, SAV 10 is working fine now. I'm running a "quick" scan. It's using 87 MB of RAM. :0 Hopefully that goes down once the scan is done. I have found on other systems SAV 10 seems to gobble up 30-35 MB.

ARGH! SAV 10

I tried an upgrade on my desktop this evening to Symantec Antivirus Corporate Edition version 10.0.1.1000. The computer went into a perpetual reboot loop.

The errors I've dug out of the log don't really match anything. It could be the Adaptec Easy CD Creator bug mentioned on the Symantec tech support site, or it could be a kernel memory issue. I managed to stop the reboot loop by going into safe mode and disabling some SAV services. I think tomorrow I'll see if I can get a newer copy of NoNav, remove all remnants of SAV from the system, and try again.

They never listen to the prophets

| No Comments

Based on some discussion on the myitforum.com antivirus email list, I wanted to highlight a post I made back in January.

Apparently, I was wrong. Mydoom.a wasn't the death knell of the file blocking crowd. People just added zip to the list of things to block and went on their merry way.

I really have to question that way of thinking. What happens when the next major virus exploits vulnerabilities in Adobe 7.0.1? Are you going to block pdf files until everyone is upgraded to Adobe 7.0.3? What happens when the next major virus is an exe embedded in a ppt file? Are you going to ban PowerPoint? What happens when the next virus is in an image? Most of the major image types have had vulnerabilities lately.

Before you ban everything but text, I think its time to reexamine the true cost of a decent antivirus mail gateway. Perhaps esafe, messagelabs, postini, and Sybari should be considered over what you have been using.

We left a Trend Micro mail gateway for Message Labs and the difference is astounding. Rather than reacting to every new virus, I am totally confident that Message Labs will stop it before I even know it's in the wild. And just because they are nice guys, they'll let the other AV vendors know about it so they can stop it too.

Symantec Antivirus 9 Privilege Escalation

Symantec has reported a privilege escalation vulnerability in Symantec Antivirus 9, 9.0.1, and 9.0.2 as well as Symantec Client Security 2.0, 2.0.1, 2.0.2. The solution is to upgrade to MR3 or later.

Free SAV 10 Class

Symantec is offering a free introduction to its new "Virtual Academy." As part of that you can take part in a free three-hour session online. For more info or to sign up, visit http://www.symantec.com/education/testdrive

This test drive module explains and demonstrates methods of updating virus definitions, gives the background of scanning technologies, and leads you through effective configuration of the Symantec AntiVirus Corporate Edition 10.0 scanning components. Scanning details include a synopsis of how to handle a virus outbreak in your network. Three hands-on labs are included, allowing you to practice skills learned.

This course is designed for antivirus network managers, resellers, systems administrators, client security administrators, or systems professionals and consultants charged with the installation, configuration and day-to-day management of Symantec AntiVirus Corporate Edition for Client & Server in a variety of network environments, and are responsible for troubleshooting and for tuning the performance of Symantec AntiVirus Corporate Edition in the enterprise environment.

There is currently one timeslot left and it has 41 seats available. Move fast if you are interested.

Got to love the constant reboot.

This in from the SANS ISC


McAfee released information as well: W32/IRCbot.worm

This is an IRC bot worm, and will scan for TCP port 445, and for file shares. McAfee reports in its bulletin that systems not patched for MS05-039 will continually reboot. (emphasis added)

Actually they may do us a favor. If a tree falls in the woods and no one hears it, does anyone care? To put it another way, if a system gets infected with Zotob and no one knows it, does anyone care? You can probably ignore Zotob, just as people are ignorant of their botnet infections. You cannot, however, ignore your computer constantly rebooting. You'll scream to high heaven about that. That will result in you being able to clean, and having more leverage in patching (though it is already too late for that).

Unknown virus

I'm getting virus laden emails detected as exploit-dcomrpc.g.gen. Could be zotob.C???

FileNames:
funny.doc=R49.scr
job.doc=r49.scr
$recipientsEmail.txt=r49.pif
full.txt=r49.pif
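The names above, like the rechnung.pdf.exe and the "add zip to the block list" discussion earlier, all lean on the same trick: a document-looking name in front of the extension Windows actually honours, which is always the last one. Here is how I would screen attachment names for that in PowerShell. This is an added example, not code from the original posts; the extension lists are my own starting point and the sample names are constructed (they include the ones seen in the posts).

```powershell
# Added example, not code from the original posts. Screens attachment names for
# the double-extension trick; Windows runs a file by its LAST extension.
# The extension lists and the sample names below are constructed for the example.

$executableExtensions = @('.exe', '.scr', '.pif', '.com', '.cpl', '.bat', '.cmd', '.vbs', '.js')
$documentExtensions   = @('.doc', '.xls', '.ppt', '.pdf', '.txt', '.jpg', '.gif', '.zip')

function Test-AttachmentName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $lower   = $Name.ToLowerInvariant()
    $lastExt = [IO.Path]::GetExtension($lower)                 # what Windows executes
    $stem    = [IO.Path]::GetFileNameWithoutExtension($lower)  # everything before it
    $isExecutable = $executableExtensions -contains $lastExt
    # A document extension inside the stem, either at its end (rechnung.pdf) or
    # followed by filler such as '=R49' (funny.doc=R49), is the disguise.
    $disguise = @($documentExtensions | Where-Object {
        $stem -match ('\' + $_ + '($|[^a-z0-9])')
    })
    $verdict = if ($isExecutable -and $disguise.Count -gt 0) {
        'block: executable disguised as ' + ($disguise -join ',')
    } elseif ($isExecutable) {
        'block: executable attachment'
    } elseif ($lastExt -eq '.zip') {
        'inspect: archive, scan the contents'
    } else {
        'allow'
    }
    [pscustomobject]@{
        Name       = $Name
        Executes   = $lastExt
        Executable = $isExecutable
        Disguised  = ($disguise.Count -gt 0)
        Verdict    = $verdict
    }
}

# Constructed sample names, including the ones seen in the posts above.
$samples = @(
    'rechnung.pdf.exe',
    'funny.doc=R49.scr',
    'job.doc=r49.scr',
    '$recipientsEmail.txt=r49.pif',
    'full.txt=r49.pif',
    'pics.scr',
    '3384956_3X_AZ-D_PA2__1.cpl',
    'photos.zip',
    'quarterly.xls'
)
$samples | ForEach-Object { Test-AttachmentName -Name $_ } | Format-Table -AutoSize
```

The point of the Executes column is that it is the only extension that matters to the shell; everything in front of it is there for the reader. A zip still has to be opened and its contents run through the same check, which is the part a plain extension block list never does.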

Zotob fun

So we had a computer report in that it was infected with w32.spybot.worm with a file c:\winnt\system32\winpnp.exe. Symantec has reported that systems with old virus defs may detect Zotob as that. What's funny though is the writeup doesn't currently mention a file named winpnp.exe. I did see over at the SANS Diary that when a system is exploited, this file is downloaded via FTP. Unfortunately that probably means the SAV Threat Monitor (that's probably the wrong name for it) won't record the IP address that infected it.

Still trying to track this system down. It was connected in via the VPN when I got the virus alerts and it's offline before I can find it again. Endpoint compliance would be worth its weight in gold right now. We're reduced to putting a note on the user's door to catch the computer when it comes in.

On Sunday we had an impromptu patching party to make sure that critical Windows 2000 Servers were patched. I also made sure Symantec's Antivirus defs were pushed out.

Bobic.d

I've been seeing a couple of viruses detected heuristically in the inbound email at my company.

Subject: Finally!
Subject: Finally! Captured!
File: pics.scr (could be inside a zip)

F-Secure has a mention in their blog that seems to match what I'm seeing. They call it Bobic.d.

osama.gif

0wning systems via antivirus

This presentation was given earlier, but its worth mentioning again. At Blackhat this year there was a demo on owning systems through antivirus. It was more of a history lesson of the ISS discoveries which allowed remote code execution via many antivirus products.

http://blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#wheeler

its another festivus miracle

I went to Symantec's Fileconnect site and they actually had the latest version of Symantec Antivirus available: 10.0.1.1000. Amazing. Downloading now. Tomorrow, I'll remove 10.0.0.359 from my test server and try out 10.

I'm sure the airing of the grievances will come after I install the software. :)

SAV 10- What's New

The SAV Installation Guide (savinst.pdf in the docs directory or check the support site) lists what is new in this release.

Security Risk Detection and Removal
This is Symantec's code for spyware, adware and assorted security risks. In this version Symantec can now detect spyware via autoprotect. This is an important improvement from SAV 9 which could only scan for this stuff during manual and scheduled scans.

We also now have the ability to have exception lists. Unfortunately rather than being able to add an EXE to ignore, we must ignore the entire spyware detection. Usually this is ok. For example with SAV 9, I have users who are constantly getting a virus detection for aports or Radmin. If I determine that is ok, then I would just whitelist it and never be bothered again.

Quickscan
Taking a page from the anti-spyware vendors, Symantec now has a quickscan that checks the common hooks in the operating system used by viruses and crapware to autostart.

By default, the quickscan runs at every boot. Some people are finding this uses a lot of resources at logon. You can disable this behavior with a .reg file you can find at the Symantec support site.

You can run a quickscan at the beginning of a full system scan also if so desired.

Kill Kill Kill
No, that's not the voices in your head. Symantec now has the ability to kill processes or stop services. So all those times, Symantec couldn't remove a file because it was a currently running process...that's in the past. This sounds like a huge improvement.

Tamper Protection
We've all seen it. When a virus slips by an antivirus product, the first thing it does is disable the antivirus. Or perhaps it wasn't a virus, just a user deciding they didn't need to conform to company policy, so they figure out how to disable it. Tamper Protection watches for this sort of thing.

The problem with Tamper Protection is that it cannot be used if you have any other real time security software. There are also reports of SMS causing many alerts.

I think the manual also says that Tamper Protection will remove the ability of non-administrative users to run liveupdate (assuming you allow anyone to manually run live update in your environment).

Test it in your environment, but it sounds to me like this is not ready for prime time.

Role Based Accounts
Instead of having one password giving access to the SSC, you can now create role based accounts to provide read only, administrator, Central Quarantine and gateway security accounts.

These are separate accounts and cannot use Active Directory accounts.

SSL
SSL is now used to secure the communications between management consoles (SSC), the parent server, and the clients.

This adds some complexity for disaster recovery and server migration. Make sure you read the manual on this area.

Alternative Data Streams
Now supports scanning for viruses in alternate data streams. I don't know of any viruses using this. But the virus researchers have been agitating for vendors to add support for this.

64 bit amd support

We've been waiting for this. I don't think we've installed it yet so I can't comment. I did see in the readme that updates are through liveupdate only, no VDTM.

IPXSPX Support is gone

Other
I notice that under server tuning, you need to check a box to support downlevel clients.

I have only installed the server. Not having installed it on the clients yet, I cannot review the product. Just passing on a few notes from what I've seen and read thus far. Looks like a solid step forward. McAfee still seems to be better about stopping web exploits and I don't see anything in this release that will change that.

Finally I get SAV 10

Not sure why Symantec felt the need to mail out a new download code to allow me to download Symantec Antivirus version 10. It would seem to me to be better to just allow my current download code to access it. Both codes are valid through our current license period.

Looks like I've got some testing to do. Just happy to finally have SAV 10 in hand.

Symantec new site preview

Symantec's got a new site preview up http://preview.symantec.com/index.jsp

The Security Response site is going to take some getting used to. Interestingly there is an ActiveX object you can run to run live update. I still don't see anything like what McAfee has where you can go to a page and it will tell you if you are up to date or not.

So you've got a virus

So you've got a virus. Let's skip the recrimination and determine what can be done about it.

Step 1
Check with your antivirus vendor's latest virus writeups to see if you can identify what you are infected with.

Step 1B Check other vendor's sites.
http://www.symantec.com/avcenter
http://vil.nai.com
Trend Micro

If you can determine what you are infected with, they should have cleaning instructions, probably a manual cleaning process, but they may have a cleaning utility.

Step 2
It's a new virus. You couldn't determine what it was, much less how to clean it. Looks like it's time for some reconnaissance.

This is where knowing what should automatically run with your system comes in handy. We need to check what starts automatically on your system. The most obvious vanilla place a virus could be is in the run key in the registry. Open regedit and look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If you know your system, you may recognize something that should not be there.

Of course there are many other places something could start automatically. Spyware is more likely than a virus to hide someplace else, but you never know. You can download "autoruns" from sysinternals to look at other places where something might start automatically.

Step 3
If you see something out of the ordinary set to be run automatically, write down where and what it is. You can use Google to look up unknown files to determine if they are legit. If you cannot determine the validity of a file, upload it to www.virustotal.com. It will be scanned with multiple virus scanners and report back to you.

Step 4
If virustotal determines it is a virus, you need to figure out why your antivirus didn't detect it. Is your antivirus disabled? Some viruses disable antivirus software. Is your antivirus software getting updates? It may be broken or the virus may have disabled the ability of your software to update. If you have the latest available virus def from your antivirus company and it cannot detect the file that virustotal reports is a virus, then you need to submit it to your antivirus company. Each antivirus company has a different method for this. Note that virustotal says that it submits the files to antivirus companies, but I like to do it also so I get feedback from the antivirus company. Often they make a pre-release version of their virus definition files available so that the file can be deleted.

If you figure out a name for the virus (either from virustotal or from submitting the file to your antivirus vendor) this can be used to successfully find the virus definition writeup which will hopefully have complete removal instructions. Often virus encyclopedias are only indexed by virus name making it difficult to search for text from the viral message.
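As an added example (not part of the original post), here is a PowerShell script that automates steps 2 through 4 above for the Run and RunOnce keys: it resolves each entry to the program it launches, reports whether that file exists and is Authenticode-signed, and prints its SHA256 so the hash can be searched on VirusTotal without uploading anything. It assumes Windows PowerShell 4.0 or later; the key list and the Get-ExecutablePath helper are this example's own, not Symantec's or Sysinternals' code.

```powershell
# Added example: triage the Run/RunOnce autostart entries without executing any of them.
# Assumes Windows PowerShell 4.0+ (Get-FileHash, Get-AuthenticodeSignature).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Turn a registry command line into the path of the program it starts.
# Handles quoted paths ("C:\Program Files\x.exe" /arg) and unquoted ones (C:\x.exe /arg).
function Get-ExecutablePath {
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    # Unquoted: take everything up to the first ".exe", otherwise the first token.
    $match = [regex]::Match($expanded, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($match.Success) { return $match.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

$Report = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($prop.Name -like 'PS*') { continue }
        $exe    = Get-ExecutablePath -CommandLine ([string]$prop.Value)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $hash   = $null
        $signer = 'n/a'
        if ($exists) {
            $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $sig    = Get-AuthenticodeSignature -LiteralPath $exe
            $signer = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
        }
        [pscustomobject]@{
            Key        = $key
            Name       = $prop.Name
            Executable = $exe
            Exists     = $exists
            Signature  = $signer
            SHA256     = $hash
        }
    }
}

# Everything, then the entries that most deserve a second look:
# unsigned binaries, or entries pointing at a file that no longer exists.
$Report | Sort-Object Signature | Format-Table -AutoSize
$Report | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-List Key, Name, Executable, Signature, SHA256
```

A valid signature only tells you who published the file, not that it is benign, so treat the flagged list as the starting point for the Google and VirusTotal lookups in step 3, not as a verdict.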

Its new to you

If you haven't seen it, it's new to you. That was an old slogan of NBC for their summer rerun season. Well, summer rerun season has started at the antivirus firms as they strive to get press coverage.

First we have Panda Software warning of a new hybrid worm. Get this: it spreads like a worm and installs a keystroke logger, plus downloading more malware. That doesn't sound particularly new to me.

IM viruses have caused many vendors to hop on the media circuit. Yet there is really nothing new here either.

Hackers Holding Internet Files Hostage. As Kaspersky points out, nothing really new here.

I swear I saw an AV vendor breathlessly report that viruses are targeting p2p systems by dropping infected files into likely p2p shared directories.

Next they will be telling me about the "new" horror of macro viruses.

User education about current threats is one thing. But this is cooking up a press release to drive the stock price higher.

What Not to Do

Over at Broadband reports there is a thread that starts:
"my friend sent me a exe file he said scan this with my antivirus and then no virus so i open this file and two reg line came added this %sytemroot%\mgs.exe %sytemroot%\expolorer.exe to the start up and here the link to this file "

That's one of those things where I wanted to bust out laughing and beat my head against the computer at the same time.

Just to be clear:
1. Never run viral code unless you know what you are doing. That would typically include a test machine and maybe a test network. At least a good firewall to prevent yourself from infecting others.
2. Just because your antivirus doesn't detect what you suspect to be a virus, that doesn't mean it's a good idea to run it just to see what it does.
3. If you have a file you suspect is a virus, upload it to www.virustotal.com. That will scan it with several antivirus scan engines so you'll have a better idea of what is up.

Perhaps this guy did know what he was doing when he ran the code. It just sounded so odd the way he wrote that so I figured it was a good teachable moment.

5 years ago today

5 years ago today, the infamous loveletter virus was unleashed. This caused many companies to implement smtp server and gateway antivirus to prevent email laden viruses from reaching the user's desktop.

SAV Scan Engines

Over on the MyITForum AV email discussion list, a couple of the regulars reported older versions of Symantec Antivirus (pre version 9) had problems detecting some gaobot variants.

I wondered how this could be. I know that SAV 9 is configured to start earlier than previous versions. This was done to protect against some specific malware tricks. Is this the extra protection they are referring to, or do older versions of SAV not get the scan engine upgrades?

Symantec has two types of scanning engines. Security Response AV engines are released throughout the year via liveupdate and intelligent updates. This updates virus detection techniques in the virus defs. You can look at the file properties to see the current version number on the engine binaries (naveng.sys, navex15.sys, navex32a.dll, naveng32.dll).

The Scanning Engine version number that you see in the UI refers to the properties of the navapi32.dll file. This file is involved with boot scanning functionality in the product. It is updated only with new builds of the file, not with virus definitions.

Source:
Symantec KB DocID: 2002080609215348

SAV 10 KB

I've been reviewing the Symantec Antivirus Corporate Edition version 10 Knowledge Base and found some interesting things.

1. They recommend running a secondary server in each server group. Having a small install base, I've never done that. It does sound like as long as I back up everything I should be ok.

2. "Because Symantec Client Security 3.0 and Symantec AntiVirus Corporate Edition 10.0 contain a realtime spyware scanning component, Symantec does not recommend running third-party realtime spyware scanning programs on the same computer." http://tinyurl.com/arxay

3. A new setting called tamper protection that can have problems if you run other antispyware products. http://tinyurl.com/8657m

SAV 10 Maintenance Steps

What routine maintenance steps should be performed on a Symantec Antivirus environment?

1. Confirm that all clients appear correctly in Symantec System Center.
2. Confirm that virus definitions are propagating to all clients.
3. Empty local Quarantines and Central Quarantine.
4. Review logs for anomalies.
5. Use the Audit Network function in the Symantec System Center to confirm that all clients on the network have antivirus protection.
For help with this, read the document How to find unprotected computers on a network using the Audit Network feature in the Symantec System Center.
SAV DocID= 2005041311261648

SAV 10 Manuals available

Symantec Anti-Virus manuals are available (assuming Symantec doesn't rejigger their website again this weekend)

The SAV 10 knowledgebase is also up.

W32.Velkbot.a - IM Virus

W32.Velkbot.a when executed sends a message to all MSN Messenger, Yahoo Messenger, and AIM contacts on the compromised computer. The message is as follows:

"rofl
http://albound.com/pictures.php /r[email_address]"

The recipient must click on the link and download/execute the file to become infected.

Once infected you'll have %system%\winmsg.exe along with the usual run registry keys.

Additional bits of fun:
Disables Task Manager and regedit.
Connects to an IRC server at afil.canadiangov.info and waits for commands.
They can do pretty much whatever they want at that point.

Links:
http://www.symantec.com/avcenter/venc/data/w32.velkbot.a.html

I can see how this is listed as high severity and high impact. But the contagion potential doesn't seem that high. It relies on one website that is likely shut down by now. If you are going to rely on a distribution mechanism that can be shut down hit your targets monday morning, not saturday night. During the week you'll get the office workers.

This virus is of concern because it is sending IMs to all buddy lists on the top three networks instead of just targeting MSN. Also the message likely comes from someone you know (strangers generally don't have me on their buddy list, and people can only contact me if they are already on my list).

Emailing in the Stone Age

// sort of a rant today. sorry.

I was trying to send a professor a file. Blackboard (a web based classroom) had choked on the submission so the instructor had requested I email the file. Unfortunately zip files are not allowed by the university and the file was stripped. That makes me wonder if any files are allowed.

It's kind of ironic really. Up until Blaster, if you mentioned firewalling the students, universities would respond with a shout about academic freedom.
We must allow Bobby and Susie to run FTP servers, web servers, P2P and everything else all from their dorm room. It's about learning. But what about the safety of everyone else on the internet? Your university botnets are taking down eBay.

But the universities did not care until it began to affect them. Now they block all the file attachments. Is this really a good solution? Blocking attachments is the sort of thing I would expect from Windows-hating, text-email-advocating people. Oh right, just the sort of people you find in a university CS department.

Blocking email attachments takes away a large amount of usability. It's admitting the antivirus product you've selected sucks. It's admitting defeat. I.T. departments shouldn't curtail the business use of email just because they can't control viruses effectively. There are solutions like Sybari or Message Labs that do a good job even with newer viruses. There may be other solutions besides removing a file, such as renaming it or quarantining it in such a way that the user can retrieve it.

The age of wholesale blocking of file types is over. This approach must be reconsidered. Otherwise the next virus will say "please rename the extension from ex_ to exe and then run the program" and the users will do it.

New Mitglieder variants

F-Secure posted today that more Mitglieder variants have been sent out as spam. Not sure if that is what I'm seeing. Sounds like it though.
http://www.f-secure.com/weblog/#00000533

At my company I began seeing heuristic detections in our inbound email at 1:30pm eastern and lasted until 4:30pm. There were about 250 virus emails in that time period.

The file is 1.exe. Usually the message I get is about the actual viral code so that file is probably inside another file. There was not a single source IP address for the messages.

AV-Comparatives.org results

AV-Comparatives' regularly scheduled antivirus scanner testing results are available.

http://www.av-comparatives.org/seiten/ergebnisse_2004_02.php

What does it really mean? I don't know. Does it matter that one scanner can scan a bunch of zoo viruses (viruses not in the wild) but another scanner misses them? I don't think so.

After looking at the scan results, I had a bunch of questions about their methodology. Fortunately they have written up how they went about this. I found that more interesting than the actual results. Very cool.

Oh you wanted updated virus defs?

It's amazing the number of companies that are willing to take your money and sell you antivirus software, but when it comes to providing virus definition files, that costs them money so they are a little bit more reticent.

Kaspersky is one exception to this. They seem to have updates available on an hourly basis. While there is a slightly greater chance of a false positive, there is also a greatly reduced chance that a virus will slip through because an update wasn't available for it yet.

When you are a customer of Symantec, you have two methods of updating: LiveUpdate into Symantec, and manually downloading the Intelligent Updater and running it. I don't think too many people are aware of the scripts available to download the Intelligent Updater. But that's an unsupported solution, so I'm not going to give them any credit for offering it.

Time after time, customers who rely exclusively on Symantec for antivirus protection have been burned. They must rely on antiquated defense mechanisms such as blocking file types at the mail gateway and disabling file associations for pif, vbs, etc. on the desktop.

So what does Symantec do to resolve this problem? Do they innovate in antivirus software so their product is not so dependent on virus definitions? No, McAfee is leading the way in that area. Do they speed up their release of LiveUpdate? Well, in a way. Their "Platinum" customers (read: those with deep pockets) now have access to LiveUpdatePlus. This uses LiveUpdate servers available only to Platinum customers to send Intelligent Updaters every day.

So now customers can pay a premium to get daily virus defs. But others are left out in the cold to fend for themselves.

It reminds me of a Seinfeld episode where he is at the rental car counter complaining that they can take the reservation, but they can't seem to actually reserve a car for him. Symantec can take our money for antivirus software. But when it comes to virus defs in a timely manner, they can't do it. That would hurt the bottom line. I hate to say it, but every time Symantec fails to protect its customers, reporters write about a virus that is running wild, and Symantec's stock price goes up. The reporters don't write about the failure to protect.

Bloodhound.Exploit.26

Symantec is releasing virus defs today (after 8:30pm) with detection for Bloodhound.Exploit.26. This is the UPX Parsing Engine Heap Overflow vulnerability. Information about this vulnerability is available at:

http://www.sarc.com/avcenter/security/Content/2005.02.08.html

Basically if you are running anything earlier than SAV 9.0.1.1000 corporate edition you probably need to look into upgrading.

Death by LCS

Live Communications Servers offer the ability for employees to communicate with one another. Like any communications medium, they are also a way to spread viruses. There are several MSN Messenger specific viruses that affect LCS.

It seems like a good idea to improve employee communication. For people upgrading from Exchange 2000, they get the LCS server for free. They've already got the client access licenses. They're just left with the cost of hardware. So how do you get management to fork over 20k for antivirus when the rest of the solution is "free"? If it's been more than a couple of years since the last outbreak, it seems to be more difficult to get security funding. :(

I heard a report from another company that they've been having their employees receive viruses sent through their LCS server. It's not a hypothetical problem anymore. I'm not one of these people who think that security comes first, then security, then security, then security, then security, then cost, then security, then convenience. Security needs to be in balance with cost, convenience and the potential threat. I think in the case of instant messaging the threat is no longer academic. The threat spread itself across several companies this week. Time to consider antivirus part of the cost of a communication system.

eWeek: Virus attack surmounts AV Defenses

http://www.eweek.com/article2/0,1759,1756636,00.asp?kc=EWRSS03119TX1K0000594

Did you see this article "New Virus Attack Technique Bypasses Filters"? (1/31/2005 in eWeek)

I'd really like to know what antivirus vendors were so incompetent that they couldn't scan inside of the RAR compressed format.

Was this caused by people not scanning all files?
Was it the usual case of virus defs being a reactive protection measure?
Was the antivirus software unable to look inside the RAR format?

Is it really new for viruses to be inside RAR files? I could have sworn MyDoom was doing that back when antivirus vendors failed to protect us from password protected zips.

If you must take action each time the enemy thinks of a new attack, your AV solution is obsolete.

Filtering By Filetype

The antivirus cartel really has quite a racket going. They sell an antivirus solution that doesn't solve anything. Rather than fixing this in the next version, they introduce the ability to ban file types at will. For some reason this is seen as a really good idea. It's really easy to ban SCR, PIF and REG file extensions. If InfoSec professionals did a survey of their mail they would find 100% of messages with those attachment types were really viruses. That sort of review would justify blocking by attachment. Unfortunately, a review of that nature is never performed. Attachment types are just blocked because viruses come in with that extension.

I feel like I've played this game before. Four or five years ago, antivirus was such a hog, and computers so wimpy that the AV vendors encouraged us to scan specific file types only. The list would grow every month of what needed to be scanned. Lord help you if you missed adding SHS to the file type list and a virus came out using that attachment.

It's a game of file attachment blocking escalation that we lost before; pretty much everyone scans all files now. For file blocking, I think the checkmate came last July when viruses started being sent in password protected zips. How many places are able to block zips? If you block zips, what is next, doc, pdf, ppt? (A virus file inside the ppt file. It should be coming soon.)

Instead of being satisfied cutting out more and more user functionality and thinking this is normal for security, why not fix the antivirus system? A high degree of heuristics can work at the SMTP layer. Message Labs does a good job of this. Or you can beef up how often your antivirus is updated at the SMTP layer. I believe Postini checks for updates every 5 minutes. If you are stuck with Symantec, look into using beta defs on your mail gateway. You need earlier protection than waiting for Symantec. Use multiple scan engines like Sybari, preferably including one like Kaspersky or F-Secure or Sophos that updates often.

Blocking file types just gives a false sense of security. It is a solution from the 90s. It's time for something better.

Death of the mass mailer?

An interesting article by John Leyden over in the Register today forecasting the death of the mass mailing virus.

The article is based on an interview with Kevin Hogan, a Symantec Europe manager. He notes that as the purpose of the virus has changed, so has the delivery method. The goal of viruses used to be to get noticed. Now they are used to make money. As a result, you don't want a mass mailing virus that will be quickly noticed and put down.

Virus Writers do something clever

Traditionally HTTP exploits have been rather mild. When an exploit site is set up and spammed to millions it can quickly be taken off line. It's also relatively easy to add to a block list such as the one provided via Websense.

The Bofra worm acts as a sort of HTTP worm. When it infects a system it harvests email addresses, then sets up an HTTP server on a random port (although one write-up of one variant I saw mentioned TCP 1639). The recipients of the email who are trusting enough to follow unsolicited links from random people are taken to the exploit website on the infected machine.

Because each newly infected machine is a potential infector, it is much more difficult to handle than traditional HTTP viruses. The other bad news is the IFRAME Internet Explorer exploit isn't going to be stopped by antivirus since the exploit occurs without writing a file to disk.

The good news is that proper egress filtering can prevent this sort of activity. The bad news is the masses aren't sitting behind a firewall (personal or otherwise), particularly one with outbound filtering.

The Need for Antivirus

Over at Rod Trent's blog today he posted regarding a comment by someone he knows at a Fortune 500 company who felt they didn't need antivirus. Antivirus just slows the machine down. And this guy had never gotten a virus before so why worry about it in the future.

We live in a community. Our actions affect other people. Sometimes we must place restrictions on ourselves in order to make things better for other people. We don't always get to do exactly what we want. Antivirus is part of that. Antivirus isn't for the advanced user. I've never seen a virus detection either (other than those I intentionally had for testing or so-called hacking tools). But I still have AV because to do otherwise is simply not prudent.

It's kind of ironic to hear this thesis offered. It would seem that over the past few years we've learned hard lessons about the hard, crunchy firewall and the soft center of a corporate network. The worms don't come through the steel-reinforced front door. Rather they come in the window or the side door that wasn't even installed. People have a new sneakernet today. They take the laptop home, get it infected and walk it into work. They use a "secure" encrypted tunnel to log on from home and upload viruses. They use the universal firewall traversal port (port 80) to download viruses while at work. Most companies are looking to add more and more scanning (e.g. anti-spyware, HTTP-layer antivirus, etc.). They wouldn't even consider less. Being behind a corporate firewall doesn't offer the level of protection that allows the removal of antivirus software.

There are legal ramifications too. Remember the TJ Hooper tugboat case? You can be sued for not following computer security best practices when that negligence damages someone else. Antivirus software is universally accepted at the top of the list of best practices right after patching. Your company likely requires that all files be scanned with antivirus before being delivered to a customer. Most companies require antivirus be installed on systems connected to their network. Are you going to lose your job for the sake of your petulant stance against antivirus?

The question has been asked: if properly secured, is antivirus necessary? Are you able to keep up with patching AIM, Real Player, Adobe, Winamp, on top of all the Windows patches, even without Internet Explorer? And even if you install a personal firewall there are still ways in via exploits.

You could really follow best practice, and not use an administrator account to do anything. You could restrict access to the Run key to prevent installation. You could lock it down tight and be safe. But is that a trade-off you're willing to accept? The desire to avoid the tyranny of antivirus would seem to not accept any security shackles.

Is it possible for an individual to get by without antivirus? Sure. Is it a good idea for a company? Don't think so. Perhaps if the Cisco Security Agent (a HIPS product) were installed.

AOL Instant Mayhem

iDefense announced today a vulnerability in AOL Instant Messenger. It seems there is a buffer overflow in the Away Message feature which at best will cause a denial of service condition, at worst will allow an attacker to run code of their choice.

Since AIM hooks the browser allowing the user to use aim:// commands like http:// commands, this is exploitable by links you might follow and by remote websites.

When an I.T. department loses control of its computers, often the first sign is personal-use IM clients showing up. Many companies don't have the fortitude to fight that battle. Now as a result there is the potential for a network worm exploiting this vulnerability.

The New Virus Blues

A new version of Bagle came out today, and whether it was a result of heavy seeding or the virus had actually spread, we got a lot of copies of it. The first copy of it was detected at 11:54 am although I didn't notice until about an hour later.

Fortunately the virus was caught by Message Labs. The virus writer was using a JavaScript exploit that several AV vendors were already detecting (you'd think they'd scan these things before releasing them).

There are several lessons to be learned from this. They are the same lessons that aren't learned each time a virus comes out. The addictive virus definition update model doesn't work all that well. If you are going to use it, you are better off using several vendors. While CA and McAfee could detect this virus with no updates, other vendors didn't have an update available for more than 3 hours. By using several layers with a different vendor at each layer, you have a good chance of catching new viruses. If you don't have effective email antivirus, you need to cripple your own systems, pretty much reducing email to text only in order to avoid virus infection.

Symantec Platinum

Symantec Platinum support is an outrageous expense. On a recent renewal we found that the software cost $20k and Platinum support was around $12k. What do you get for this 50% premium?


  • Tech support agents who actually know something about the product and have reasonable access to engineers to actually get problems solved.
  • Reduced wait times on hold.
  • The ability to access the current build of the product.
  • 24/7 support instead of 12/5
  • A special knowledge base.
  • Customized Email, pager, and telephone alerts for virus notification.
  • The brochure says something about special Akamai LiveUpdate servers. I wasn't aware that was only for Platinum people.
  • Online Support Ticketing

It seems to me that just purchasing the product should entitle you to the best parts of that. Why have a special knowledge base for those with deep pockets? The knowledge base for Platinum customers is better than the knowledge base available to the Gold tech support (either that, or the Gold tech support doesn't know how to use a knowledge base search).

Purchasing the product should entitle you to the latest bug fixes. They shouldn't be held aside. If it's in public release it should be available to Gold customers as well as Platinum.

Non-Gold customers shouldn't have to wait on hold for 60 minutes on a routine basis.

Stop the madness

Over the years it has become more and more difficult to keep up with the virus naming schemes of various vendors. Blaster, Welchia, Wachovia, oh wait, not that last one. And then you have the variant names. One company's aa variant is another company's ai and another's ah. It's tough to keep track. You hear about a new virus alert and you just don't know if you've already got that one covered or not.

If you use one AV product enterprise-wide, this probably isn't much of a problem for you until you try to converse about a virus with someone who is an acolyte of another antivirus product. However, if you're like me you have multiple antivirus companies at the various layers of your company. You even have multiple AV engines in a single product like Sybari Antigen or Message Labs. This is where the nightmare starts.

Even over at secunia.com, which appears to be trying to be a repository of this information, they don't get it right. I go over there to see what's up with bagle.ai and they have it as being discovered today by Panda. What about yesterday with McAfee and Trend?

Has CVE really helped in the area of vulnerability tracking? I don't know. The Common Vulnerabilities and Exposures database started by the MITRE Corporation keeps a list of standardized names and a vulnerability number for vulnerabilities. I think that's the kind of database, run by a third party, that we should have for virus naming schemes. However, since many viruses are flash-in-the-pan type events, we need these names fast. Some have suggested using a preordained naming scheme like they do with hurricanes. That still would not solve the variant problem.

I don't know what the ultimate solution is. I just wish someone would stop the madness.

Blame Your Antivirus Software

Whenever there is a virus outbreak everyone is quick to blame the usual suspects. "It's Microsoft's fault. They shouldn't have bugs in their code," trumpet the Microsoft haters as they run for a microphone or schedule a press conference. "It's the dang users, they don't listen and they click on everything they see," laments the administrator. "It's society's fault for raising the kind of children who code viruses." "No wait, it's the University of Calgary's fault."

It seems it's the fault of everything but the antivirus software itself. We need more antivirus, they cry!! So updates go from monthly to weekly to daily to hourly. Hell, just stick in an IV and keep feeding me virus definitions non-stop.

Degrade our ability to use mail! That must be the solution to virus woes. Block all attachments. No, that's not enough, BLOCK HTML. Stop all messages containing the words "the, and a or of."

The viruses still aren't being stopped? We better stack one virus engine upon another. I've got it, we'll call it "Defense in Depth." We can start making analogies about "castle protection." And if anyone says that our plan is 15th century protection, we'll get medieval on their...oh sorry, I was just getting a bit carried away there.

Perhaps it's time to look in a new direction. Antivirus software that stops viruses. Not antivirus that stops a virus only if it has the current daily security patch necessary to stop the latest badness. Antivirus that stops the virus. You say it can't be done, that it is prone to false positives. It is done. And it is being done today at the email layer. Two companies have the temerity to WARRANTY their work. They are Message Labs and Avecho. Sure that requires outsourcing your mail. But Message Labs is worldwide with some major customers and some major redundancy built in. It is worth it to know that viruses aren't getting through the SMTP layer.

If only someone would build something similar for the desktop. I had high hopes for NOD32. But I've read it has some false positive problems. Perhaps one day vendors will hear the demand and bring about some innovation in the antivirus industry.

__

Note, some of these ideas were shaped by years of reading Rob Rosenberger over at vmyths and at kumite before that. And yes his post today at his site did inspire this entry.

The Rumor Mill

Microsoft rumored to be interested in acquiring Network Associates

http://www.broadbandreports.com/shownews/46417

http://www.securitypipeline.com/news/22101181

Network Associates is for sale, and Microsoft is rumored to be the buyer.
The maker of McAfee antivirus and security products has not made it public, but a "for sale" sign figuratively hangs from Network Associates' front door, according to Wall Street sources and channel partners.
A public announcement concerning either the pending or closed sale of the company to a buyer could come as early as July 1 when Network Associates also plans to announce layoffs associated with the company's for-sale status, these sources said.
After initially declining to comment, Network Associates spokesperson Jennifer Keavney said Tuesday the company was "not considering offers from Microsoft or any other company at this time." She did say however that the company would "need to legally consider offers that benefit its owners, the shareholders of Network Associates."

Alternative Data Streams

Alternative Data Streams (ADSes) are a substructure of NTFS. These "streams" are not shown in the normal Windows file listings (Explorer, dir) and thus can be used to hide malicious code. A couple of years ago there was great wringing of hands over the inability of antivirus vendors to detect files hidden inside ADSes. It seems that this has not been rectified.

In the June issue of Information Security Mag, Ed Skoudis compares several antivirus products. When testing these hidden streams, he found that most antivirus vendors are still lacking.

Aware of the threat, but not really educated yet, I searched further. I found a Computerworld article posted to the Symantec site. It said that
1. Alternate Data Streams cannot be removed from a file. The original file will need to be deleted.
2. Windows File Protection introduced in Windows 2000 cannot prevent hackers from adding an ADS with hidden executable code to a system file.
3. Users without "write" permissions to a file cannot add an ADS.

I also found a really cool GIAC paper by Jeff Garrett. In the paper Jeff demonstrates how to use netcat in an ADS to avoid detection by an administrator. Very cool stuff!!

It looks like for now this is more evidence for the need not to perform day-to-day computer tasks as the administrator. Furthermore it may be a good idea to check on whether your antivirus company scans ADSes.
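One way to check for yourself what a stream-blind scanner would miss, as an added example that is not code from the original post: it lists every named stream under a path and flags streams that begin with an executable header. It assumes a local NTFS volume; the demo directory and its harmless text stream are constructed for the run.

```powershell
# Added example, not code from the original post. Lists named NTFS streams under a
# path so you can see what an AV product that skips ADSes would miss. Assumes a local
# NTFS volume; the demo directory under $env:TEMP is a constructed sample.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows itself creates (mark-of-the-web) are noise, skip them by default.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    # -Force includes hidden files; -Stream * returns ':$DATA' plus every named stream.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        ForEach-Object {
            # Read the first two bytes of the stream; 'MZ' means an executable image is hiding there.
            $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                        else { @{ Encoding = 'Byte' } }
            $head = @(Get-Content -LiteralPath $_.FileName -Stream $_.Stream -TotalCount 2 @byteArgs)
            [pscustomobject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
}

# Constructed demo: a plain text file with a harmless named stream attached to it.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'readme.txt'
Set-Content -LiteralPath $file -Value 'This is the visible content.'
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'Text that dir and Explorer do not show.'

# A plain listing reports only readme.txt and its primary size; the scan reports the named stream.
Get-ChildItem -LiteralPath $demo | Format-Table Name, Length
Find-AlternateDataStreams -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Run it against a directory your scanner claims is clean; any row with LooksLikePE set deserves a second look with a product that is documented to scan streams.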

http://www.f-secure.com/v-descs/montp.shtml
Montp.f is actually a rather clever virus.

When you connect into your bank or use webmail you are likely making a secure connection using SSL. You'll notice a little "lock" icon down in the system tray and a https:// prefix up in the address field. That means that the traffic between you and them is encrypted so that no one can eavesdrop on it.

What you probably didn't know is there are troubleshooting tools to allow you to see the traffic going by anyway. One way to do this is to set a couple of registry keys, and install a dll. Immediately you'll start collecting a clear text log file containing all of the traffic.

This virus does something very similar. But once it collects the data, it's not trying to help you. Of course not. It searches the collected data to see if you went to one of 74 bank websites, along with some other websites that have passwords. If you have been to one of those sites it collects the relevant login information and sends that information to the author via the Internet.

That's where this virus isn't as clever. Attempting to upload to a static IP address is not going to work. Sites like these usually get shut down rather quickly.

The virus also attempts to kill processes for security related software (antivirus).

All in all, you've got to hand it to them for this one. Two thumbs up for the information collection feature. They've got to work on a better way to get the information back to themselves without being caught. I've got a few ideas on the subject. :)

W32.Korgo.a

W32.Korgo.A is a worm that attempts to exploit Microsoft LSASS Windows vulnerability, described in Microsoft Security Bulletin MS04-011.

At a certain point all of these worms going after one vulnerability gets kind of old. It's kind of like shooting ducks in a barrel, isn't it? Anyone still not patched kind of deserves what they get if they ignored the first worm.

http://www.symantec.com/avcenter/venc/data/w32.korgo.a.html

Microsoft has provided an antivirus defense in depth guide. http://www.microsoft.com/downloads/details.aspx?FamilyID=f24a8ce3-63a4-45a1-97b6-3fef52f63abb&DisplayLang=en

I don't quite understand why they chose to make documents available via MSI. Do I really need to get yet another item in my start menu just to read a PDF? The first thing I note after installing the document is that the PDF is 666 KB. Apparently this antivirus document is of the devil.

This is a long document that begins with a brief definition and history of viruses, and moves on to many best practices that should be implemented. It is well worth a read.

Dangers from Standby/Hibernate?

We do it all the time. We don't want to take the time to close all of the applications, shut down the system and then wait for it to boot when we get into the office. So we use standby or hibernate to save some time. What kind of security problems could this cause?

The first item of concern is that users aren't running the login scripts of their corporate domains. Many companies use a login script to deploy patches and antivirus, or just to gather information about what is out there.

Secondly, when systems are put into standby or hibernate, the programs they are running at that time continue to run when the system is resumed. Most viruses write themselves to the hard drive and configure the system to launch the virus at each boot. But I can't help but think about SQL Slammer. Viruses that stay memory resident are tough for antivirus to detect. If you suspend, the virus is being walked right into the network. If you had shut down the system, a virus like Slammer would no longer be a problem.
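A quick way to find the machines this applies to, as an added example that is not code from the original post: it reports the time since the last real boot (resume from standby or hibernate does not reset it) and whether hibernation is enabled. It runs on the local machine; the seven-day threshold is an assumed policy value.

```powershell
# Added example, not code from the original post. Reports how long since the last real
# boot and whether hibernation is enabled, so machines that never get a clean restart
# can be found. Runs locally; the uptime threshold is an assumed policy value.
function Get-RebootHygiene {
    param([int] $MaxUptimeDays = 7)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Get-CimInstance converts LastBootUpTime to a DateTime; suspend/resume leaves it unchanged.
    $uptime = (Get-Date) - $os.LastBootUpTime

    # HibernateEnabled under the Power key is 1 when hibernation (and hiberfil.sys) is on.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -Name HibernateEnabled -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer         = $os.CSName
        LastBoot         = $os.LastBootUpTime
        UptimeDays       = [math]::Round($uptime.TotalDays, 1)
        HibernateEnabled = ($power.HibernateEnabled -eq 1)
        # Anything memory-resident since LastBoot is still running on this machine.
        NeedsRestart     = ($uptime.TotalDays -gt $MaxUptimeDays)
    }
}

Get-RebootHygiene -MaxUptimeDays 7 | Format-List
```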

Virus Alerts make the Virus problem worse

The traditional model of antivirus management on the SMTP gateway overloads the average user's mailbox with unnecessary and confusing messages.

Originally, virus-laden emails were otherwise legitimate messages that just happened to contain a macro virus in a Word document or something similar. It was therefore desirable to clean the virus from the message and ensure delivery of the non-viral content. At the same time it was important to notify the sender of their virus infection so they could get the problem rectified.

The problem with this approach is obvious today. Viruses today have moved beyond the simple macro virus. Instead they are self-generating and contain no redeeming content that the user would want to see. The problem first manifested itself in unnecessary calls to the help desk. The user would be worried that they received a message with the "subject" and the "from" line that we warned them about!!! Of course, if they had opened the message they would have seen that the attachment had been removed by the antivirus software. Messages like this really waste the end user's time and also the time of the help desk. The problem came to a head with Swen.A, as some unlucky user accounts received thousands to tens of thousands of virus messages, all appropriately defanged by the antivirus software. This was basically a denial of service attack that could have been prevented if the antivirus software had eaten the offending message.

The other side of the problem is the forged sender problem. Most email worms pick random return addresses. Antivirus systems that follow the old model and send a warning back to the supposed sender are generally going to be bothering an innocent party.

So what do you do about it? You don't want to participate in harassing innocent third parties, yet you don't want to harass your own employees. Common sense says you shouldn't drop email messages down a rabbit hole. The compromise position is: if a message contains a virus, do not deliver it to the employee. If the virus is a network worm, then there is no need to tell the sender or recipient about the problem (there is no legitimate content). If the virus is not a network worm, then it is OK to tell the sender that their message was not delivered and why (we blocked it because it contains virus x in file y). This is a simple matter of adding a flag in the virus definition to describe which viruses are email worms. Many vendors have that now, and others are moving toward that model.
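The compromise policy above as a gateway decision function, beside the old "clean, deliver, warn everyone" model, as an added example that is not code from the original post. The scanner verdict fields, the IsMassMailer flag standing in for the per-definition worm flag, and the sample addresses are constructed assumptions.

```powershell
# Added example, not code from the original post. Encodes the notification policy above
# as a gateway decision, beside the old "clean, deliver, warn everyone" model. The scanner
# verdict fields, the IsMassMailer flag and the sample addresses are constructed assumptions.
function Get-InfectedMailAction {
    param(
        [Parameter(Mandatory)] [string] $VirusName,
        [Parameter(Mandatory)] [string] $AttachmentName,
        [Parameter(Mandatory)] [bool]   $IsMassMailer,   # the per-definition flag the post asks for
        [Parameter(Mandatory)] [string] $Sender,
        [Parameter(Mandatory)] [string] $Recipient,
        [switch] $LegacyModel                            # strip attachment, deliver, warn everyone
    )
    if ($LegacyModel) {
        # Old model: the defanged message still lands in the inbox and both parties get a warning,
        # which is exactly what generated the help-desk calls and the Swen-style flood.
        return [pscustomobject]@{
            Deliver = $true; NotifyRecipient = $true; NotifySender = $true
            Note    = "Removed $AttachmentName ($VirusName); warned $Sender and $Recipient"
        }
    }
    # New model: an infected message is never delivered to the employee.
    if ($IsMassMailer) {
        # Mass mailers forge the From line and carry no legitimate content: drop and log only,
        # so no innocent third party is bothered.
        return [pscustomobject]@{
            Deliver = $false; NotifyRecipient = $false; NotifySender = $false
            Note    = "Dropped $VirusName claiming to be from $Sender to $Recipient; nobody notified"
        }
    }
    # Otherwise the sender is probably a real, infected correspondent: say what was blocked and why.
    [pscustomobject]@{
        Deliver = $false; NotifyRecipient = $false; NotifySender = $true
        Note    = "Told $Sender their mail to $Recipient was blocked: $VirusName in file $AttachmentName"
    }
}

# Constructed scanner verdicts: a mass-mailing worm and an ordinary infected document.
$verdicts = @(
    @{ VirusName = 'Swen.A'; AttachmentName = 'install.exe'; IsMassMailer = $true; Sender = 'forged@example.net'; Recipient = 'alice@example.com' },
    @{ VirusName = 'MacroVirus.Sample'; AttachmentName = 'report.doc'; IsMassMailer = $false; Sender = 'bob@example.org'; Recipient = 'alice@example.com' }
)
foreach ($v in $verdicts) {
    Get-InfectedMailAction @v -LegacyModel      # what the old model would have done
    Get-InfectedMailAction @v                   # the compromise policy described above
}
```

The forged-sender verdict produces three notices under the old model and none under the new one; the infected document still gets one notice, to the party who can actually fix it.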

This will help cut down on the completely unnecessary mail traffic associated with many email viruses. Unfortunately, this will not stop the problem completely as not everyone will be running a good anti-virus product. Users will still receive email bounces (no such email address), and notifications for file removal for mail that they did not send. Until SMTP messages are secured in some manner (look into SPF) there isn't anything that can be done on that part of the problem.

Not all antivirus companies respond to new threats, and put out new definitions, with equal alacrity. With a network worm like Sasser, it isn't quite as important to have the new definition quickly, because you aren't preventing exploitation. Rather you are helping clean up after the fact, and if you are incredibly fortunate, preventing future infection.

A German site took note of the virus definition release times for several prominent antivirus firms.

This link may work; otherwise the content is below (translated from German): http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=de_en&url=http%3a%2f%2fwww.pcwelt.de%2fnews%2fviren_bugs%2f39734%2findex.html
Note, I've used Babelfish to translate from German to English, so this may sound like Engrish.

Win32/Sasser.A: How fast the AV manufacturers reacted

Most anti-virus manufacturers reacted quite fast to the new threat. Only the Ikarus virus utilities could recognize the Win32/Sasser worm heuristically, even without updates. The response times of the other vendors can be found in the table (all times in Central European Summer Time).

Release definitions:
RAV 2004-05-01 - 07:35
Dr. Web 2004-05-01 - 07:45
F-Prot 2004-05-01 - 08:00
Bitdefender 2004-05-01 - 08:30
F-Secure 2004-05-01 - 08:35
Sophos 2004-05-01 - 08:55
AntiVir 2004-05-01 - 09:35
Avast 2004-05-01 - 09:45
Norman 2004-05-01 - 11:15
Trend Micro 2004-05-01 - 11:25
Panda 2004-05-01 - 11:55
Quickheal 2004-05-01 - 12:05
Symantec 2004-05-01 - 12:05
AVG 2004-05-01 - 13:15
InoculateIT VET 2004-05-01 - 13:35
ClamAV 2004-05-01 - 15:05
InoculateIT CA 2004-05-01 - 15:05
COMMAND 2004-05-01 - 17:05
Virusbuster 2004-05-01 - 17:10
Fortinet 2004-05-01 - 17:45
McAfee 2004-05-01 - 18:45
Kaspersky 2004-05-01 - 19:10
Esafe 2004-05-01 - 19:55

Beta definitions:
McAfee (BETA) 2004-05-01 - 05:20
Symantec (BETA) 2004-05-01 - 06:35
F-Secure (BETA) 2004-05-01 - 08:15
Trend Micro (BETA) 2004-05-01 - 11:25
Panda (BETA) 2004-05-01 - 11:35

What I see from these numbers is that McAfee and Symantec beat everyone if you include what they call beta defs. I suspect that the smaller companies put out defs just to get them out the door, and then later released further updates to get it right. Symantec and McAfee don't have that luxury. They need their update to work across multiple platforms/products and be right the first time (although they often miss that goal).

Dabber Worm

The Dabber worm attempts to exploit the buffer overflow in the ftp server left by the Sasser worm.

The SANS Internet Storm Center has reported it to be in the wild. It was first reported by http://www.lurhq.com/dabber.html

Sasser Lessons Learned

Fortunately Sasser turned out to not be such a big deal for most companies. After these major incidents, I think it is important to take a look back to assess what worked well, what didn't work and whether we dodged a bullet through luck or skill.

1. Patches Patches Patches Patches
Companies that stayed up to date on patches were more likely to stay out of trouble with Sasser. The April 2004 patches were more problematic than most patches for the past year. Some companies held off patching due to reports of bad experiences. With nothing else in place, that left them vulnerable.

2. Personal Firewalls cover a multitude of sins
If a personal firewall is in place, it can block access to these worms. This allows the administrator to take more time to test the patches and roll them out in a gradual, measured fashion. That is always preferable to the Chinese fire drill that can occur at outbreak time.

3. Know thy network. How will you know when you are infected? If your answer is when the routers get knocked offline, the servers yo-yo and the help desk line is ringing off the hook, you are in deep trouble.
Host based IDS and Network IDS along with honeypots and centralized logging are all ideas that could provide insight into the corporate network.

4. Plan now for what needs to happen in a virus emergency.
Rod Trent of myitforum.com had a good question recently. Are you the single point of failure in your enterprise patch management or your enterprise security?

It seems like every time I go on vacation or even attend a conference there is a major virus incident of some type. If you are the single point of failure, you need to document what you do in case of virus outbreak, you need to communicate that documentation to others.

5. Education
I don't think education is the cure-all of security vulnerabilities. But I'm not willing to abandon it altogether. Most people want to do the right thing. If you tell them what that is, and it isn't too much of a hassle for them, they might actually follow the policy. I think that one thing that helped in this Sasser incident was the amount of press coverage it received. That caused a few users who otherwise might have connected their laptop to the network to instead contact the help desk.


To summarize, a secure network is so much more than keeping the antivirus up to date, and posting a security policy on the company intranet.

A buffer overflow has been discovered in the FTP server used by the Sasser worm. An infected computer sets up an FTP server on an obscure port so the machines it attacks will connect back on that port. This port is what is vulnerable to a buffer overflow.

The F-Secure weblog points out that this is a bit of overkill, since a machine infected with Sasser is likely still vulnerable to the LSASS exploit anyway. So it's not clear if this is just a point of amusement, or if there really is a large segment of machines that got patched but were already infected.

This may be part of the ongoing sniping between the Netsky writer or writers and Mydoom.

Sasser Author Busted?

An 18-year-old German student has admitted to creating the Sasser worm. Right now it isn't known how he was caught or if he is responsible for every variant of the worm. Some virus experts have postulated that the Sasser worm author was also responsible for the Netsky worm. I find it likely that he only borrowed their code.

While it is cool they grabbed this kid so quickly, I do not agree with the antivirus experts who predict this will slow down further worm development. The dumb high school punk worm-writing contingent won't be fazed by this recent arrest. Also, the people who actually know anything have removed themselves from exposure to authorities and are unlikely to be discovered. Remember the big arrest related to Blaster? It turned out to be a punk kid who released a worm that didn't get widespread circulation. He was so sloppy, he was practically picked up before the worm was in circulation.

- update -
In this AP article http://apnews.myway.com/article/20040508/D82ELAKG0.html the police report that this guy did do all 4 variants of Sasser and also did Netsky.A (likely all the Netskys).

Looks like he talked too much and was nabbed by someone wanting Microsoft's virus writer bounty.


About this Archive

This page is an archive of recent entries in the Antivirus category.
