Antivirus: June 2005 Archives

The SAV Installation Guide (savinst.pdf in the docs directory or check the support site) lists what is new in this release.

Security Risk Detection and Removal
This is Symantec's term for spyware, adware and assorted security risks. In this version Symantec can detect spyware via Auto-Protect, the real-time scanner. This is an important improvement over SAV 9, which could only scan for this material during manual and scheduled scans.

We also now have the ability to define exception lists. Unfortunately, rather than being able to add a single EXE to ignore, we must ignore the entire spyware detection. Usually this is OK. For example, with SAV 9 I have users who are constantly getting a virus detection for aports or Radmin. If I determine that is OK, then I would just whitelist it and never be bothered again.

Quickscan
Taking a page from the anti-spyware vendors, Symantec now has a quickscan that checks the common hooks in the operating system that viruses and crapware use to autostart.

By default, the quickscan runs at every boot. Some people are finding that this uses a lot of resources at logon. You can disable this behavior with a .reg file available from the Symantec support site.

You can run a quickscan at the beginning of a full system scan also if so desired.

Kill Kill Kill
No, that's not the voices in your head. Symantec now has the ability to kill processes and stop services. All those times Symantec couldn't remove a file because it belonged to a running process are in the past. This sounds like a huge improvement.

Tamper Protection
We've all seen it. When a virus slips by an antivirus product, the first thing it does is disable the antivirus. Or perhaps it wasn't a virus, just a user who decided they didn't need to conform to company policy and figured out how to disable it. Tamper Protection watches for this sort of thing.

The problem with Tamper Protection is that it cannot be used if you have any other real-time security software installed. There are also reports of Microsoft SMS (Systems Management Server) causing many alerts.

I think the manual also says that Tamper Protection will remove the ability of non-administrative users to run LiveUpdate (assuming you allow anyone to manually run LiveUpdate in your environment).

Test it in your environment, but it sounds to me like this is not ready for prime time.

Role Based Accounts
Instead of having one password giving access to the SSC (Symantec System Center), you can now create role-based accounts to provide read-only, administrator, Central Quarantine and gateway security access.

These are separate SAV accounts; you cannot use Active Directory accounts for them.

SSL
SSL is now used to secure the communications between management consoles (SSC), the parent server, and the clients.

This adds some complexity for disaster recovery and server migration. Make sure you read the manual on this area.

Alternate Data Streams
SAV 10 now supports scanning for viruses in NTFS alternate data streams. I don't know of any viruses using this. But the virus researchers have been agitating for vendors to add support for this.

64-bit AMD support

We've been waiting for this. I don't think we've installed it yet, so I can't comment. I did see in the readme that updates are through LiveUpdate only, no VDTM (Virus Definition Transport Method).

IPX/SPX support is gone

Other
I notice that under server tuning you need to check a box to support down-level (older) clients.

I have only installed the server. Not having installed it on the clients yet, I cannot review the product. I'm just passing on a few notes from what I've seen and read thus far. Looks like a solid step forward. McAfee still seems to be better about stopping web exploits, and I don't see anything in this release that will change that.

Not sure why Symantec felt the need to mail out a new download code to allow me to download Symantec AntiVirus version 10. It would seem better to just allow my current download code to access it. Both codes are valid through our current license period.

Looks like I've got some testing to do. Just happy to finally have SAV 10 in hand.

Symantec's got a new site preview up http://preview.symantec.com/index.jsp

The Security Response site is going to take some getting used to. Interestingly, there is an ActiveX object you can run to launch LiveUpdate. I still don't see anything like what McAfee has, where you can go to a page and it will tell you whether you are up to date or not.

So you've got a virus. Let's skip the recrimination and determine what can be done about it.

Step 1
Check your antivirus vendor's latest virus write-ups to see if you can identify what you are infected with.

Step 1B: check other vendors' sites.
http://www.symantec.com/avcenter
http://vil.nai.com
Trend Micro

If you can determine what you are infected with, the vendor should have cleaning instructions: probably a manual cleaning process, but there may also be a cleaning utility.

Step 2
It's a new virus. You couldn't determine what it was, much less how to clean it. Looks like it's time for some reconnaissance.

This is where knowing what should automatically run on your system comes in handy. We need to check what starts automatically. The most obvious vanilla place a virus could be is in the Run key in the registry. Open regedit and look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and the per-user equivalent under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run). If you know your system, you may recognize something that should not be there.

Of course there are many other places something could start automatically. Spyware is more likely than a virus to hide someplace else, but you never know. You can download Autoruns from Sysinternals to look at the other places where something might start automatically.

Step 3
If you see something out of the ordinary set to run automatically, write down where and what it is. You can use Google to look up unknown file names to determine if they are legitimate. If you cannot determine the validity of a file, upload it to www.virustotal.com. It will be scanned with multiple virus scanners and the results reported back to you.

Step 4
If VirusTotal determines it is a virus, you need to figure out why your antivirus didn't detect it. Is your antivirus disabled? Some viruses disable antivirus software. Is your antivirus software getting updates? It may be broken, or the virus may have disabled its ability to update. If you have the latest available virus definitions from your antivirus company and it still cannot detect the file that VirusTotal reports as a virus, then you need to submit the file to your antivirus company. Each antivirus company has a different method for this. Note that VirusTotal says it forwards files to the antivirus companies, but I like to submit them myself as well so that I get feedback from the vendor. Often they make a pre-release version of their virus definition files available so that the file can be detected and removed.

If you figure out a name for the virus (either from VirusTotal or from submitting the file to your antivirus vendor), this can be used to find the virus definition write-up, which will hopefully have complete removal instructions. Often virus encyclopedias are indexed only by virus name, which makes it difficult to search for text from the viral message.
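Steps 2 through 4 above are a manual procedure; the script below is an added example (not from the original post) that does the mechanical part of it offline. It parses a .reg export of the Run keys taken from the suspect machine (for example with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`), pulls the executable path out of each command line, flags entries that launch from user-writable locations such as Temp or a profile directory, and computes the MD5/SHA-1/SHA-256 hashes you would look up on VirusTotal or quote in a vendor submission. The sample export and the suspect file bytes are constructed; the value names, paths and the "trusted root" heuristic are assumptions for illustration, not anything the post or Symantec documents.

```python
import hashlib
import re

# Constructed sample of what `reg export` writes for the two Run keys.
# Value names and paths are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"msupdate"="C:\\WINDOWS\\Temp\\msupdate.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe\" -i"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" lines; both sides may contain the .reg escapes \\ and \"
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """.reg REG_SZ values escape backslash as \\\\ and double quote as \\"."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_keys(text):
    """Return (key, value_name, command_line) for every REG_SZ value.

    hex(2): (REG_EXPAND_SZ) and hex: (binary) values are not handled here;
    they are rare in Run keys and would need a separate decoder.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def image_path(cmdline):
    """Executable from a Run-key command line.

    Quoted: everything up to the closing quote.  Unquoted: the first token.
    (CreateProcess actually tries progressively longer prefixes of an
    unquoted path containing spaces; the first token is the practical
    approximation for triage.)
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ''


# Heuristic only (assumption): malware that survives reboot overwhelmingly
# lives somewhere an ordinary user can write to.
USER_WRITABLE = ('\\temp\\', '\\documents and settings\\', '\\users\\',
                 '\\appdata\\', '\\local settings\\', '\\recycler\\')
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


def classify(path):
    """'suspicious' for user-writable dirs, 'expected' under OS/program dirs."""
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE):
        return 'suspicious'
    if p.startswith(TRUSTED_ROOTS):
        return 'expected'
    return 'review'


def triage(reg_text):
    """One dict per autostart entry: key, value name, resolved path, verdict."""
    return [{'key': key, 'name': name, 'path': image_path(cmd),
             'verdict': classify(image_path(cmd))}
            for key, name, cmd in parse_run_keys(reg_text)]


def file_hashes(data):
    """Hashes to search on virustotal.com or quote in a vendor submission."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ('md5', 'sha1', 'sha256')}


if __name__ == '__main__':
    for row in triage(SAMPLE_REG):
        print(f"{row['verdict']:10} {row['name']:12} {row['path']}")
    # Constructed stand-in for a copied suspect file.  On a real case:
    #   file_hashes(open(r'C:\WINDOWS\Temp\msupdate.exe', 'rb').read())
    print(file_hashes(b'MZ\x90\x00 constructed suspect bytes'))
```

Run it against the export from the infected machine and start with the "suspicious" rows; a value name that mimics a Windows binary (svchost, ctfmon) but resolves outside system32, as the constructed sample shows, is the classic sign. The hashes let you check VirusTotal without uploading anything first, which matters if the file might contain company data.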