Antivirus: February 2006 Archives
Bluecoat came out today to pitch their caching proxy with antivirus and URL filtering. The antivirus piece is a single engine. You can pick from multiple vendors for an AV engine, but there will be only one. They are doing nothing that I can see to address the problem of zero-day viruses and targeted viruses. Their comment is that multiple antivirus scan engines slow things down too much. That is not what scansafe.net's service claims. I think the Bluecoat solution would still let viruses through. It's probably better than what we have, but is the difference worth the change?
I just got off the phone with Symantec regarding their 64-bit Symantec Antivirus client.
The Symantec knowledge base article on the subject says that it cannot BE a parent server and as a client it cannot do VDTM. Silly me, that made me think that the 64-bit client could be managed. Support tells me they are still working on that and claimed that it would be like a SAV 9 server trying to manage a SAV 10 client. This is very aggravating, as we've been waiting for a SAV 10 server to be in production in order to deploy the x64 antivirus.
The other news from that call is that no patches are available for x64. I could not get them to commit to whether or not that software was vulnerable to the RAR vulnerability present in 10.0.2 on the x86 architecture.
[update]: They just sent me a document on how to configure the SSC to manage x64 computers. It's just like I remembered: disable VDTM and schedule LiveUpdates direct to Symantec.
I learned about this in a thread over at BroadBandReports.com. It seems that if you go to the writeup for the new Macintosh worm Inqtana.a over at the Symantec (SARC) AVCenter you get a virus detection of OSX.Inqtana.A in that temporary internet file. This of course is a false positive.
I am using the 2/17 rev 18 virus definitions. 2/18 rev 5 is out and reportedly solves the problem.
Message Labs' January Intelligence Report is out. It's worth taking a look at.
http://www.messagelabs.com/Threat_Watch/Intelligence_Reports/January_2006?CMP=EMC-MLI-REPORTS
Below is one graphic from the report. It shows that 7 vendors were able to stop Nyxem.e heuristically (Message Labs, ISS, Kaspersky, Panda, eSafe, Fortinet, McAfee, NOD32). After that, the minimum window of vulnerability was 3.5 hours before the first non-heuristic virus detection was available. Symantec brought up the rear, releasing an update 35 hours after the initial detections and 15 hours after the virus was in wide circulation.
This morning at 11:40 our Exchange 2003 server updated the Kaspersky antivirus scan engine. That is part of Microsoft (Sybari) Antigen. A few minutes later I began receiving emails about “scantime timeout” and when I checked I saw that no mail was being delivered anymore.
After spending an hour on hold with Microsoft waiting for support I changed tactics and called my TAM. He told me I was still 35th or so in the phone queue (down from a couple hundred) and that the problem was a bad Kaspersky virus definition update (that is what I suspected). I disabled Sybari’s scan jobs (once I could get into its admin GUI) and updated Kaspersky to a newer definition set. All told, two admins wasted three hours on this today and our company couldn’t send or receive email for most of that time.
While bad virus def updates have hosed our server in the past (usually it's Kaspersky), I have never had this kind of hold time. I am really unhappy with the quality of support now that Microsoft owns Antigen.
Dave Aitel over at ImmunitySec has released exploit code for the Symantec RAR vulnerability which was announced in December. This code has been released only to customers of ImmunitySec. This is a sign that it is possible to develop an exploit for this vulnerability. Not only that, if history is any indication, the super duper bad guys probably already have it and have been using it in secret in targeted attacks.
[update] - I see this is old news; this actually occurred on 2/6/2006, but Symantec DeepSight Alert Service only told me about it now.
Shameless self-promotion really irks me. For months now Duncan McAlynn has been getting the tech press to promote his forum at Boardfish.com. This trend continues in the Feb 2006 Information Security Magazine. Symantec pulled the plug on their bulletin board in December, and Boardfish apparently put out press releases about how it was the community replacement for Symantec's board. The two boards have something in common: no useful content. Symantec's board was an OK resource for people without support. It was an exercise in waiting weeks hoping the single Symantec employee on the board would respond. Rarely would anyone else bother to help out. On Boardfish, on the other hand, people are more likely to be willing to help, but there just isn't that much traffic.
Boardfish promoted itself as the place for online Symantec antivirus discussion when it had only created a Symantec forum moments earlier. It just irks me.
This reminds me of the Chernobyl virus in many ways. While the hysteria doesn't approach the level of that hystericane, we still have experts taking credit for their dire prediction not coming true.
"The importance of media attention from an awareness and educational standpoint has been a very good thing," said Marc Solomon, director of product management at security vendor McAfee Inc. "It alerts users to what may have happened and the destruction that could have occurred."
It also sells product.