Antivirus: April 2005 Archives
I've been reviewing the Symantec Antivirus Corporate Edition version 10 Knowledge Base and found some interesting things.
1. They recommend running a secondary server in each server group. Since I have a small install base, I've never done that. It does sound like as long as I back up everything I should be OK.
2. "Because Symantec Client Security 3.0 and Symantec AntiVirus Corporate Edition 10.0 contain a realtime spyware scanning component, Symantec does not recommend running third-party realtime spyware scanning programs on the same computer." http://tinyurl.com/arxay
3. A new setting called tamper protection that can cause problems if you run other antispyware products. http://tinyurl.com/8657m
What routine maintenance steps should be performed on a Symantec Antivirus environment?
1. Confirm that all clients appear correctly in Symantec System Center.
2. Confirm that virus definitions are propagating to all clients.
3. Empty local Quarantines and Central Quarantine.
4. Review logs for anomalies.
5. Use the Audit Network function in the Symantec System Center to confirm that all clients on the network have antivirus protection.
For help with this, read the document How to find unprotected computers on a network using the Audit Network feature in the Symantec System Center.
SAV DocID: 2005041311261648
Symantec Anti-Virus manuals are available (assuming Symantec doesn't rejigger their website again this weekend).
The SAV 10 knowledgebase is also up.
W32.Velkbot.a, when executed, sends a message to all MSN Messenger, Yahoo Messenger, and AIM contacts on the compromised computer. The message is as follows:
"rofl
http://albound.com/pictures.php /r[email_address]"
The recipient must click on the link and download/execute the file to become infected.
Once infected, you'll have %system%\winmsg.exe along with the usual Run registry keys.
Additional bits of fun:
Disables Task Manager and regedit.
Connects to an IRC server at afil.canadiangov.info and waits for commands.
Whoever controls that channel can do pretty much whatever they want at that point.
Links:
http://www.symantec.com/avcenter/venc/data/w32.velkbot.a.html
I can see how this is listed as high severity and high impact, but the contagion potential doesn't seem that high. It relies on one website that is likely shut down by now. If you are going to rely on a distribution mechanism that can be shut down, hit your targets Monday morning, not Saturday night. During the week you'll get the office workers.
This virus is of concern because it is sending IMs to all buddy lists on the top three networks instead of just targeting MSN. Also, the message likely comes from someone you know (strangers generally don't have me on their buddy list, and people can only contact me if they are already on my list).
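The propagation pattern described above (one account pushing the same link-bearing message to its whole buddy list across MSN, Yahoo and AIM within seconds) is something an IM gateway log can expose. The following is an added example, not code from the original post or from Symantec; the log format, the `lure.invalid` URL and the account names are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IM-gateway log lines (sample data, not a real capture):
# "date time network sender -> recipient : text"
LOG_LINES = [
    "2005-04-16 22:01:03 msn alice -> bob : rofl http://lure.invalid/pictures.php /rbob@mail.invalid",
    "2005-04-16 22:01:04 msn alice -> carol : rofl http://lure.invalid/pictures.php /rcarol@mail.invalid",
    "2005-04-16 22:01:05 yahoo alice -> dave : rofl http://lure.invalid/pictures.php /rdave@mail.invalid",
    "2005-04-16 22:01:06 aim alice -> erin : rofl http://lure.invalid/pictures.php /rerin@mail.invalid",
    "2005-04-16 22:05:00 msn bob -> alice : lol what is that",
    "2005-04-16 22:30:00 aim frank -> erin : see http://news.invalid/report.html",
]

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) -> (\S+) : (.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EMAIL_TAIL_RE = re.compile(r"\s*/r\S+@\S+$")  # the "/r[email_address]" suffix

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "net": m.group(2), "sender": m.group(3),
            "rcpt": m.group(4), "text": m.group(5)}

def normalize(text):
    # The worm appends each recipient's address, so strip it before comparing bodies.
    return EMAIL_TAIL_RE.sub("", text).strip().lower()

def find_fanout(lines, min_recipients=3, window=timedelta(minutes=5)):
    """Return senders that pushed one link-bearing message to many contacts in a short window."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and URL_RE.search(ev["text"]):
            groups[(ev["sender"], normalize(ev["text"]))].append(ev)
    alerts = []
    for (sender, text), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored on each message
            inwin = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            rcpts = {e["rcpt"] for e in inwin}
            if len(rcpts) >= min_recipients:
                alerts.append({"sender": sender, "text": text, "recipients": len(rcpts),
                               "networks": sorted({e["net"] for e in inwin})})
                break
    return alerts
```

Calling `find_fanout(LOG_LINES)` flags `alice` as having sent the same link to four contacts across three networks in three seconds; `bob` and `frank` are ignored because their messages carry no link or reach a single contact.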
// sort of a rant today. sorry.
I was trying to send a professor a file. Blackboard (a web-based classroom) had choked on the submission, so the instructor had requested I email the file. Unfortunately zip files are not allowed by the university and the file was stripped. That makes me wonder if any files are allowed.
It's kind of ironic, really. Up until Blaster, if you mentioned firewalling the students, universities would respond with a shout about academic freedom.
We must allow Bobby and Susie to run FTP servers, web servers, P2P and everything else, all from their dorm room. It's about learning. But what about the safety of everyone else on the internet, when your university's botnets are taking down eBay?
But the universities did not care until it began to affect them. Now they block all the file attachments. Is this really a good solution? Blocking attachments is the sort of thing I would expect from Windows-hating, text-email-advocating people. Oh right, just the sort of people you find in a university CS department.
Blocking email attachments takes away a large amount of usability. It's admitting the antivirus product you've selected sucks. It's admitting defeat. IT departments shouldn't curtail the business use of email just because they can't control viruses effectively. There are solutions like Sybari or MessageLabs that do a good job even with newer viruses. There may be other solutions besides removing a file, such as renaming it or quarantining it in such a way that the user can retrieve it.
The age of wholesale blocking of file types is over. This approach must be reconsidered. Otherwise the next virus will say "please rename the extension from ex_ to exe and then run the program" and the users will do it.
F-Secure posted today that more Mitglieder variants have been sent out as spam. Not sure if that is what I'm seeing. Sounds like it, though.
http://www.f-secure.com/weblog/#00000533
At my company I began seeing heuristic detections in our inbound email at 1:30 pm Eastern, and they lasted until 4:30 pm. There were about 250 virus emails in that time period.
The file is 1.exe. Usually the message I get is about the actual viral code, so that file is probably inside another file. There was no single source IP address for the messages.
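The wave described above has the signature of a mass-mailer: a burst of heuristic hits inside a few hours, one repeated attachment name, and no single source IP. The following is an added example, not code from the original post or from any gateway vendor, that buckets constructed gateway log lines per hour and flags an hour as a campaign when the hits come from mostly distinct senders and one filename dominates; the log format and the RFC 5737 sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed mail-gateway log lines (sample data, not a real capture):
# "date time source_ip attachment verdict"
SAMPLE_LOG = [
    "2005-04-24 13:31:10 192.0.2.11 1.exe HEURISTIC",
    "2005-04-24 13:32:45 198.51.100.7 1.exe HEURISTIC",
    "2005-04-24 13:40:02 203.0.113.5 1.exe HEURISTIC",
    "2005-04-24 13:41:19 192.0.2.80 1.exe HEURISTIC",
    "2005-04-24 13:50:00 198.51.100.9 report.doc CLEAN",
    "2005-04-24 16:10:33 203.0.113.77 1.exe HEURISTIC",
    "2005-04-24 18:02:00 192.0.2.11 photo.zip HEURISTIC",
]

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "ip": m.group(2), "name": m.group(3), "verdict": m.group(4)}

def detect_campaigns(lines, min_hits=3, min_src_ratio=0.75, min_name_share=0.8):
    """Per hour: many detections, mostly distinct source IPs, one attachment name dominating."""
    per_hour = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["verdict"] != "CLEAN":
            per_hour[ev["ts"].replace(minute=0, second=0)].append(ev)
    campaigns = []
    for hour in sorted(per_hour):
        evs = per_hour[hour]
        if len(evs) < min_hits:
            continue  # a handful of hits is background noise, not a wave
        sources = {e["ip"] for e in evs}
        name, top = Counter(e["name"] for e in evs).most_common(1)[0]
        # Many distinct senders plus one repeated filename is the mass-mailer pattern.
        if len(sources) / len(evs) >= min_src_ratio and top / len(evs) >= min_name_share:
            campaigns.append({"hour": hour.strftime("%Y-%m-%d %H:00"), "hits": len(evs),
                              "distinct_sources": len(sources), "attachment": name})
    return campaigns
```

With the sample data, `detect_campaigns(SAMPLE_LOG)` reports only the 13:00 hour (four `1.exe` hits from four different sources); the isolated later hits fall below `min_hits` and are left alone.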