Antivirus: August 2005 Archives
I'd be interested in seeing who owns what percentage of the outsourced email security $$$. McAfee reselling Postini is validation of outsourced email scanning.
I'm seeing some files named rechnung.pdf.exe detected as Troj/Downloader.gen!5564. It's probably the typical spammed virus that often occurs on weekends.
I uninstalled SAV 10, and ran the SAV 9 version of nonav to get rid of any other odd remnants. I'd already run the Windows Installer Cleanup Utility. After a reboot and a new install, SAV 10 is working fine now. I'm running a "quick" scan. It's using 87 MB of RAM. :0 Hopefully that goes down once the scan is done. I have found on other systems SAV 10 seems to gobble up 30-35 MB.
I tried an upgrade on my desktop this evening to Symantec Antivirus Corporate Edition version 10.0.1.1000. The computer went into a perpetual reboot loop.
The errors I've dug out of the log don't really match anything. It could be the Adaptec Easy CD Creator bug mentioned on the Symantec tech support site, or it could be a kernel memory issue. I managed to stop the reboot loop by going into safe mode and disabling some SAV services. I think tomorrow I'll see if I can get a newer copy of nonav and remove all remnants of SAV from the system and try again.
Based on some discussion on the myitforum.com antivirus email list, I wanted to highlight a post I made back in January.
Apparently, I was wrong. Mydoom.a wasn't the death knell of the file-blocking crowd. People just added zip to the list of things to block and went on their merry way.
I really have to question that way of thinking. What happens when the next major virus exploits vulnerabilities in Adobe 7.0.1? Are you going to block pdf files until everyone is upgraded to Adobe 7.0.3? What happens when the next major virus is an exe embedded in a ppt file? Are you going to ban PowerPoint? What happens when the next virus is in an image? Most of the major image types have had vulnerabilities lately.
Before you ban everything but text, I think it's time to reexamine the true cost of a decent antivirus mail gateway. Perhaps eSafe, MessageLabs, Postini, and Sybari should be considered over what you have been using.
We left a Trend Micro mail gateway for MessageLabs and the difference is astounding. Rather than reacting to every new virus, I am totally confident that MessageLabs will stop it before I even know it's in the wild. And just because they are nice guys, they'll let the other AV vendors know about it so they can stop it too.
Symantec has reported a privilege escalation vulnerability in Symantec Antivirus 9, 9.0.1, and 9.0.2 as well as Symantec Client Security 2.0, 2.0.1, 2.0.2. The solution is to upgrade to MR3 or later.
Symantec is offering a free introduction to its new "Virtual Academy." As part of that you can take part in a free three-hour session online. For more info or to sign up, visit http://www.symantec.com/education/testdrive
This test drive module explains and demonstrates methods of updating virus definitions, gives the background of scanning technologies, and leads you through effective configuration of the Symantec AntiVirus Corporate Edition 10.0 scanning components. Scanning details include a synopsis of how to handle a virus outbreak in your network. Three hands-on labs are included, allowing you to practice skills learned. This course is designed for antivirus network managers, resellers, systems administrators, client security administrators, or systems professionals and consultants charged with the installation, configuration and day-to-day management of Symantec AntiVirus Corporate Edition for Client & Server in a variety of network environments, and who are responsible for troubleshooting and for tuning the performance of Symantec AntiVirus Corporate Edition in the enterprise environment.
There is currently one timeslot left and it has 41 seats available. Move fast if you are interested.
This is in from the SANS ISC:
McAfee released information as well: W32/IRCbot.worm. This is an IRC bot worm, and will scan for TCP port 445, and for file shares. McAfee reports in its bulletin that systems not patched for MS05-039 will continually reboot. (emphasis added)
Actually they may do us a favor. If a tree falls in the woods and no one hears it, does anyone care? To put it another way, if a system gets infected with Zotob and no one knows it, does anyone care? You can probably ignore Zotob, just as people are ignorant of their botnet infections. You cannot, however, ignore your computer constantly rebooting. You'll scream to high heaven about that. That will result in you being able to clean, and having more leverage in patching (though it is already too late for that).
I'm getting virus-laden emails detected as exploit-dcomrpc.g.gen. Could be Zotob.C???
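The one thing an IRC bot worm like this cannot hide is the port 445 sweep itself, and that is what you can hunt for in firewall logs while you wait for the reboot complaints to come in. The following is an added example, not code from the post, from SANS, or from McAfee: it parses a constructed, syslog-style firewall log format (assumed for illustration, as are the host addresses) and flags any source that reaches TCP/445 on many distinct hosts inside one short window. A file server talking SMB to a few peers all day does not trip it; a host fanning out across a whole subnet does.

```python
"""Flag hosts sweeping TCP/445 the way an SMB-spreading worm does.

Added example for illustration. The log format below is a constructed
syslog-like firewall format, not any specific vendor's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format:  <ISO time> fw: <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S"),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def find_smb_sweepers(lines, window=timedelta(seconds=60), min_targets=20, port=445):
    """Map each source to the most distinct `port` targets it hit within any
    `window`, keeping only sources at or above `min_targets`.

    Counting distinct destinations (not packets) is what separates a worm
    sweep from a busy but legitimate SMB client; ALLOW and DENY both count,
    because the worm does not care which hosts answer.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == port:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> hits currently inside the window
        start = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window start forward past events older than `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


def build_sample_log():
    """Constructed log: one worm-infected host plus one normal file server."""
    base = datetime(2005, 8, 15, 10, 0, 0)
    lines = []
    # Infected host: 40 distinct targets on 445 in 40 seconds, all denied.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} fw: DENY TCP 10.1.5.23:{1030 + i} -> 10.1.6.{i + 1}:445")
    # File server: 30 sessions, but only ever to the same 3 peers.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} fw: ALLOW TCP 10.1.5.40:{2000 + i} -> 10.1.7.{(i % 3) + 1}:445")
    # Unrelated traffic and a malformed line, both ignored.
    lines.append("2005-08-15T10:00:05 fw: ALLOW TCP 10.1.5.23:1100 -> 10.1.8.9:80")
    lines.append("2005-08-15T10:00:06 fw: link state change on eth1")
    return lines


if __name__ == "__main__":
    for src, n in find_smb_sweepers(build_sample_log()).items():
        print(f"{src}: {n} distinct TCP/445 targets inside one window")
```

Tune `min_targets` to what your own subnets look like; the point is that the threshold is on distinct destinations per window, so a backup server or a domain controller with many SMB sessions to the same few hosts stays below it.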
FileNames:
funny.doc=R49.scr
job.doc=r49.scr
$recipientsEmail.txt=r49.pif
full.txt=r49.pif
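The attachment names above (and rechnung.pdf.exe earlier in the month) are exactly the case the file-blocking argument from the earlier post is about: a decoy document extension in front of the real .scr/.pif/.exe. Blocking by the last extension catches these, but not an executable renamed to photo.jpg, and not one inside a zip. As an added example, not code from the post or from any gateway product, the following screens an attachment by both name and content: it looks for an executable extension hiding behind decoy extensions, checks for the Windows PE "MZ" signature regardless of the name, and descends into zip archives. The sample attachments are constructed; the "executables" are just the MZ magic plus padding, not real programs.

```python
"""Screen mail attachments by name *and* content, not by extension alone.

Added example for illustration; the attachment bytes are constructed.
"""
import io
import re
import zipfile

EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
DECOY_EXTS = {"doc", "pdf", "txt", "ppt", "xls", "jpg", "gif", "htm", "html"}
# Every ".ext" token in a name, so 'funny.doc=R49.scr' yields doc and scr.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,4})(?=$|[^A-Za-z0-9])")
MAX_MEMBER = 16 * 1024 * 1024  # refuse to inflate huge archive members


def extensions(name):
    """All extension-like tokens in a filename, lowercased, in order."""
    return [e.lower() for e in EXT_RE.findall(name)]


def classify_name(name):
    """Reason string if the name ends in an executable extension, else None."""
    exts = extensions(name)
    if not exts or exts[-1] not in EXEC_EXTS:
        return None
    decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
    if decoys:
        return (f"executable extension .{exts[-1]} hidden behind decoy "
                f"extension(s) {', '.join('.' + d for d in decoys)}")
    return f"executable extension .{exts[-1]}"


def content_type(data):
    """Crude magic-byte sniff: PE image, zip archive, or other."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "other"


def inspect_attachment(name, data, depth=0, max_depth=2):
    """Return [(path, reason), ...] for everything suspicious in an attachment,
    recursing into zip archives up to `max_depth` levels deep."""
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append((name, reason))
    kind = content_type(data)
    if kind == "pe":
        findings.append((name, "content is a Windows PE image (MZ header), whatever the name says"))
    elif kind == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER:
                    findings.append((f"{name}!{info.filename}", "archive member too large to inspect"))
                    continue
                for path, why in inspect_attachment(info.filename, zf.read(info), depth + 1, max_depth):
                    findings.append((f"{name}!{path}", why))
    elif kind == "zip":
        findings.append((name, f"nested archive deeper than {max_depth} levels, not inspected"))
    return findings


def fake_pe():
    """Constructed stand-in for an executable: MZ magic plus padding only."""
    return b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed sample attachments, using the names seen in the post.
SAMPLES = {
    "rechnung.pdf.exe": fake_pe(),
    "funny.doc=R49.scr": fake_pe(),
    "$recipientsEmail.txt=r49.pif": fake_pe(),
    "photo.jpg": fake_pe(),                              # renamed executable
    "invoice.zip": build_zip({"invoice.pdf.exe": fake_pe()}),
    "minutes.txt": b"Meeting notes\r\n",
}


def screen(samples):
    """Run every sample through inspect_attachment; {name: findings}."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in screen(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The renamed photo.jpg and the zipped invoice.pdf.exe are the two cases a pure extension blocklist misses; the content check catches both without adding jpg or zip to the banned list.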
So we had a computer report in that it was infected with w32.spybot.worm with a file c:\winnt\system32\winpnp.exe. Symantec has reported that systems with old virus defs may detect Zotob as that. What's funny, though, is the writeup doesn't currently mention a file named winpnp.exe. I did see over at the SANS Diary that when a system is exploited, this file is downloaded via ftp. Unfortunately that probably means the SAV Threat Monitor (that's probably the wrong name for it) won't record the IP address that infected it.
Still trying to track this system down. It was connected in via the VPN when I got the virus alerts and it's offline before I can find it again. Endpoint compliance would be worth its weight in gold right now. We're reduced to putting a note on the user's door to catch the computer when it comes in.
On Sunday we had an impromptu patching party to make sure that critical Windows 2000 Servers were patched. I also made sure Symantec's Antivirus defs were pushed out.