Antivirus: September 2005 Archives

I was wondering why Symantec Antivirus Corporate Edition version 10 was showing 400 files scanned during a Defwatch scan. This isn't the scheduled scan. In the past, a Defwatch scan was a scan of the files in quarantine, and it did not show up in the Scan History.

I found a KB article that explains this:


After you update virus definitions, a Defwatch scan runs. In the Scan Histories view, the "Total files" column for the Defwatch scan entry shows a number of files that is more than the number of files in quarantine.

Solution:
This behavior is expected. In Symantec AntiVirus Corporate Edition 9.x or earlier, a Defwatch scan only scans the files that are in quarantine. In Symantec AntiVirus 10.x, the Defwatch scan also runs a Quick Scan. The Quick Scan scans any program files that are loaded into memory and common virus and security risk loading points.

Another nice improvement in SAV 10.

A lot of people are coming to this site looking for help with Symantec Antivirus Backdoor.Graybird detections on mc21.tmp or mc22.tmp. My post on my experience last Friday has been picked up by Google. Unfortunately, they are linking to my main page instead of the article itself, and that post is about to fall off the front page. (To be fair, blogsearch.google.com does have the correct link.)

I have continued to see a few new detections of this at work. I need to check if those systems are up-to-date on their virus definitions. If they do have defs where this false positive is supposedly fixed, then there is still an issue.

By popular demand, I'm posting the email Symantec sent out last week. It is my belief that this information is considered public and not under any NDA. In other words, Symantec, please do not sue.

-----Original Message-----
> From: symalert@symantec.com [mailto:symalert@symantec.com]
> Sent: Friday, September 16, 2005 4:49 PM
> To: Me
> Subject: Unscheduled LiveUpdate definitions to be published in response to a FP
>
>
>
> Symantec Security Response will post LiveUpdate virus definitions today, September 16, 2005.
>
> This posting is to correct a false positive with Backdoor.Graybird detections.
>
> An additional message will be sent approximately 30 minutes before the LiveUpdate virus definitions are available for download.
>
>
> ----------
> For additional information, visit our website at
> http://securityresponse.symantec.com

Back in February, I wrote that Symantec Platinum customers were going to be getting access to a "LiveUpdate Plus" server which would offer daily LiveUpdates.

Earlier this week Symantec announced that LiveUpdate will now update on a daily basis on the "normal" LiveUpdate servers beginning September 24th. The catch is that these daily updates will be for SAV 10 clients only. I see this as good news that can only help mobile corporate clients that may not be able to get the VDTM update on a frequent basis.

I want to push SAV 10 out so I can take advantage of this. But it's worth noting that there are still advantages to VDTM: you can set the client check-in frequency to more often than daily, and the updates are smaller.

Updating more often: when what you are doing isn't working, doing it faster probably isn't going to help. If faster virus defs are the solution, Symantec still has a ways to go; F-Secure had a record 11 updates in one day this week. Whatever happened to the Digital Immune System Symantec promised? Soon the virus defs will come so often that we'll just have a continuous update, an IV of virus definition files.

The long-talked-about Common Malware Enumeration initiative is set to get off the ground next month. It will be run by the MITRE Corporation (which also currently runs the CVE database). The purpose of this database is to make it easier for the media to hype up virus incidents and help buttress the stock of antivirus companies.

It just gets so confusing when you don't know whose bagel.ac is someone else's bagel.af. And this will solve all our problems. Yeah right.

While I am all for a more understandable virus incident report at the end of the month, does this really improve security? Personally, I just want the viruses stopped. I don't care what you call it. Perhaps that is the innovation antivirus companies should be focusing on.

Edit: posting this from Firefox. Apparently the version I'm running doesn't have a spellchecker like Internet Explorer. I need to upgrade my Firefox; it's really vulnerable. I hear the later versions of Firefox should have a spell checker built in. So pardon the misspellings. I'll try to get back later and run a spell check.

I just attended a session on Better Threat Scanning with Symantec Antivirus version 10 at the Symantec Virtual Academy. They offered people the chance to sign up for free sessions to showcase the virtual classroom. It was a one hour session, whereas their normal class on this subject would run across three days. Normally each day would have a few hours of lecture in the morning and lab work in the afternoon. The session used Interwise software. I think the last time I used Interwise it created an autorunning item in my systray.

http://www.f-secure.com/weblog/#00000655

Mikko Hypponen wrote: Bottom line: if your organization is still, in year 2005, accepting incoming executable attachments in email, now might be a good time to rethink your strategy. Because it looks like these guys won't be stopping any time soon.

Wow, two antivirus companies in one week waving the white flag. I always knew that they couldn't protect anyone from a new virus, but I never expected them to admit it. At some point about 7 years ago this would have resulted in shocked disillusionment amongst administrators. But nowadays it barely elicits a ripple. I would have expected people to storm the gates of F-Secure demanding a refund. Why pay tens of thousands of dollars in protection money if the anti-virus cartel can't get the job done?

So we have to participate in a chaotic file-blocking scheme because it doesn't look like F-Secure will be able to stop these guys any time soon. Soon they'll just shut down email altogether in the morning from 8am to 10am. That's when most viruses come through now. :)

First they came for the scr files
and I did not speak out
because I did not email scr files.
Then they came for the vbs files
and I did not speak out
because I did not get any vbs files (and I was jealous of everyone else and their loveletter.vbs).
Then they came for the zip files
and I did not speak out
because I could send my zip files via IM file transfer.
Then they came for doc, xls and pdf files
and there was no one left
business was so disrupted everyone just went out to the bar for a pint.

apologies to Pastor Martin Niemöller

Did you see the October issue of Information Security Magazine? (requires free subscription, or try bugmenot.com)

In it, they have an article, 'Best Advice', which is a collection of advice from 24 security "luminaries" such as Mike Nash, Mikko Hypponen, Congressman Tom Davis (!), and Eugene Spafford. The "best advice" of Eva Chen, CEO of Trend Micro, is "you can't stop a virus." Well, pack it up, game over. Shut down the billion dollar antivirus industry. If it can't stop a virus, what is it good for?

Eva's explanation of that quote makes even less sense. She says that most enterprise customers have boundary-less, interconnected supply chains running on one global TCP/IP network, and that somehow those interconnections are more important than stopping the virus. It sounds like her only defense against the virus is to shut down the network.

I marvel at the antivirus industry. First you sell yourself on the ability to solve everything, so that computers (at least those running Windows) cannot be considered "secure" without antivirus software. Next, when the myth of antivirus software is broken, that is, it cannot possibly push out virus definitions fast enough to catch all viruses, they attempt to sell add-on functionality. What you really need isn't antivirus. It's antivirus and a personal firewall and a host-based IDS. Fix your broken antivirus software rather than selling me additional pieces. McAfee, for example, has added some buffer overflow protection into their antivirus product. Why is no one else innovating?

I can't wait for the correction. E.g. "Eva didn't really say you can't stop a virus. Her best advice was really that risk management needs to be multifaceted."

If you've got Symantec Antivirus and you've got Webroot Spysweeper, then you probably have seen a Backdoor.Graybird detection today. This is a false positive. The files typically detected are in the temp directory and named mc21.tmp or mc22.tmp, in my experience.

I have called Symantec support; the next set of virus defs released should solve this problem. The current set of Rapid Release defs does fix this, but I'd rather wait for "certified" definitions.

In what is a very timely article for me Ian Parsons does a bake off of Instant Messaging security products. And sadly that may be the last nice thing I say about the article.

The introduction just doesn't make sense. He starts out assuming that the reader thinks they have bigger security fish to fry, better places to spend their money. And that is true in my case. I am wondering if the big money these people want for IM security is worth it when at the end of the day (this is one time it's OK to use that phrase, because I mean it literally) the user will go home and use the same computer on their home network and potentially download viruses. Of course the same thing can happen with email, and the same thing can happen with HTTP. So why put money into IM security instead of instituting a massive lockdown and reduction of rights, or perhaps going with a HIPS product that can handle zero day attacks? The author never explains that. Instead he makes some weird connection between email, internal news servers, discussion boards and IM. I don't get what his point was, unless it is that any place where data is interchanged between users, you want to have a server or network layer of antivirus, and IM is a growing category of exploitation.

OK, but enough criticizing the intro; let's look at the evaluation itself. The first thing I noticed was the absence of IMlogic. Since they are the biggest name in IM security, I would expect to at least see a footnote stating IMlogic wouldn't provide eval software.

Next, he didn't really set out what he was trying to secure. Are we talking about public IM only, enterprise IM only, or a mix of both?

Next, some of the applications included seemed out of place. Akonix RogueAware seemed more like a monitor. Facetime and IMlogic both have free software that does the same thing, and both of them do it better. Why not include them if you are going to include monitor-only software?

Gordano just sets up its own enterprise server. I would think if you wanted an enterprise server, you'd have gone with Sametime, Jabber or LCS.

The inclusion of SurfControl also seemed odd, as it was really a threat shield installed on the client. That seems like a different category of product.

Facetime was the overall winner, with an honorable mention for the Blue Coat proxy. I've got Facetime coming in Thursday morning and I'm looking forward to learning how they would secure the IM environment (and at what cost).

As I was leaving work today, I glanced down at the BlackBerry and saw pages and pages of virus alerts. In Outlook those are filtered to another folder so I don't see them. The virus alerts were coming once per minute from a file in the user's Temporary Internet Files.

After going to dinner :) I came back and found that the file being detected was a running process. Since SAV versions earlier than 10 can't end the process, it just kept detecting it and being unable to do anything. I used pskill to take out the process and then used SAV to delete the file.

Interestingly enough, this user is not a local administrator. However, she also was not added to the correct security group for our "managed user" group policy to apply, so she was able to get this autorunning under her per-user (hkey_user etc etc windows current version run) registry key.

The file was BubbleShotter15[1].com and it was detected as Backdoor.Sdbot. The only other thing on the system that was suspicious was Plaxo. I hate that program.
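A small triage script, added here as an example (it is not the author's code and not anything from Symantec), that applies the two rules from these posts: a Backdoor.Graybird hit on mc21.tmp or mc22.tmp is bucketed as the known false positive, and a file that keeps being detected every minute but is "Left alone" is flagged as a running process the pre-SAV-10 scanner cannot end. The one-line alert format, the host names and the sample alerts are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert lines for this example (not real SAV output); the
# "date time host threat path action" layout is an assumption.
SAMPLE_ALERTS = """\
2005-09-16 14:02:11 WS042 Backdoor.Graybird C:\\WINDOWS\\Temp\\mc21.tmp Quarantined
2005-09-16 14:05:40 WS077 Backdoor.Graybird C:\\WINDOWS\\Temp\\mc22.tmp Quarantined
2005-09-19 17:31:02 WS113 Backdoor.Sdbot C:\\TIF\\BubbleShotter15[1].com Left alone
2005-09-19 17:32:02 WS113 Backdoor.Sdbot C:\\TIF\\BubbleShotter15[1].com Left alone
2005-09-19 17:33:02 WS113 Backdoor.Sdbot C:\\TIF\\BubbleShotter15[1].com Left alone
2005-09-19 09:15:30 WS009 W32.Netsky@mm C:\\Mail\\attach.scr Deleted
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<threat>\S+) "
                     r"(?P<path>.+?) (?P<action>Quarantined|Deleted|Left alone)$")
# The known false positive from the post: Graybird flagged on Spysweeper's mc21/mc22.tmp.
FP_THREAT, FP_PATH = "Backdoor.Graybird", re.compile(r"\\mc2[12]\.tmp$", re.I)

def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            alerts.append(rec)
    return alerts

def triage(alerts, repeat_threshold=3, window=timedelta(minutes=10)):
    """Bucket alerts: known FP, suspected running process, everything else."""
    result = {"false_positive": [], "stuck_process": [], "other": []}
    per_file = defaultdict(list)
    for a in alerts:
        if a["threat"] == FP_THREAT and FP_PATH.search(a["path"]):
            result["false_positive"].append(a)   # cleared by the updated defs
        else:
            per_file[(a["host"], a["path"])].append(a)
    for (host, path), hits in per_file.items():
        # Repeated "Left alone" hits on one file within a short window mean the
        # scanner keeps finding a process it cannot end; that process has to be
        # terminated (e.g. with pskill) before the file can be deleted.
        left = sorted(h["ts"] for h in hits if h["action"] == "Left alone")
        if len(left) >= repeat_threshold and left[-1] - left[0] <= window:
            result["stuck_process"].append({"host": host, "path": path, "count": len(left)})
        else:
            result["other"].extend(hits)
    return result
```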

The MessageLabs Email Security System discovered a possible virus
or unauthorised code (such as a Trojan) in an email sent
to or from your organisation.

This email has now been quarantined and was not delivered.

To help identify the quarantined email:

The message sender was
keithr1@cox.net

The message originating IP was 216.146.101.151
The message recipients were
username@example.com (edited)

The message was titled (empty)
The message date was Mon, 12 Sep 2005 08:02:26 -0700
The message identifier was
The virus or unauthorised code identified in the email is:
>>> Possible Dropper 'W32/Generic-6192-4fb4' found in '3384956_3X_AZ-D_PA2__1.cpl'. Heuristics score: 679
>>> Possible Dropper 'Exploit/HackedPacker-PeX-BagleMod.dam' found in '3384956_7X_AxX_PA3__embedded.ex_'. Heuristics score: 800

I was talking with an IM vendor today. We've got a budget to implement IM antivirus this year as part of a LCS implementation. The Instant Messaging antivirus would protect LCS, AIM, Yahoo Msg, MSN Msg, ICQ and, down the road, Google Talk. The price he quoted, I'm pretty sure, is more than we pay per desktop for our corporate antivirus. I'm all for layered protection, but this is getting kind of expensive.

I'm thinking two things: 1) HTTP antivirus is more important than IM antivirus, so perhaps my money should be spent there, and 2) why spend money on gateway products? They don't travel with the user to protect them when they are on the road. Perhaps the money should be diverted into a HIPS product with a good track record against zero day worms.