Antivirus: March 2006 Archives

F-Secure's blog reports on the use of rapid polymorphism in the latest Bagle variant.

I noticed in today's inbound email a bunch of messages with the following characteristics:
Envelope From: root@localhost.localdomain (may be gathered from the sending computer as well)
Display From: service@IRS.GOV
Subject: receive a tax refund of 63.80
Virus: LinkAliasPostcard (I believe that means it's a link to exploit code)

F-Secure blog writer Sean gives it to Microsoft with both barrels for daring to do research on rootkits.

First he blasts them for doing research into how an attacker might build a better rootkit.

Next he blasts them because in 1993 someone did that with a floppy.

I can't believe that someone at an antivirus company is blasting someone else for doing research into the dark arts. If my antivirus company failed to do research into the dark arts, they would be in constant reaction mode. I'd prefer that my AV company think of ways to 0wn my computer and then protect me from it. Otherwise, they are just taking my money and sitting on their thumbs waiting for an attack. The attack, of course, would allow them to sell more product.

F-Secure is a cutting-edge AV company. I don't think they sit around waiting for the bad guys to innovate first. So I don't know why Sean at F-Secure would blast Microsoft for doing this research. He compares it to research into nuclear fission.

McAfee had a major false positive on Friday that affected a lot of applications.

I've seen reports that affected applications include:
Microsoft Excel 2000
Macromedia Flash Player 7
Oracle J-Initiator Client
Oracle Client Applications
Borland Database Engine Drivers
Sun Java Runtime Environment v2
ADP Payroll Applications
CA UniCenter Applications
ProComm Plus
And Many More...

McAfee is reporting the most common false positives are:
usersid.exe Windows XP file
imjpinst.exe Windows XP file
ecenter.exe Dell file
ntfstype.exe Utility
adobeupdatemanager.exe Adobe Update Manager
gtb2k1033.exe Google Toolbar Installer
43gcjvgahnu44.ths Macromedia Flash Player 7.0 r19
excel.exe Microsoft Excel
graph.exe Microsoft Excel

If the files are in quarantine, you can restore them after updating to a later virus definition. If you've let McAfee delete them, you need system restore or backups.

According to the SANS Internet Storm Center diary, there was a false positive in McAfee defs on Friday. They asked a couple of questions that I thought were worth a blog entry.

How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
We use Symantec Antivirus in our environment. It sends an email alert to the antivirus administrator about each virus alert. The antivirus administrator should be able to make a decision based on his/her experience, the directory and filename of the reported file, and the number of reports.
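The triage the antivirus administrator does by hand (how many reports, from how many machines, what directory and file name, and whether the reports only began after one definition update) can be written down as a first-pass filter. The script below is an added example, not the author's or Symantec's code; the alert records, the detection names, the pipe-separated layout and the thresholds are all constructed assumptions about what a central AV console would mail or log. It flags one detection name that hits many different legitimately installed executables right after a single definition version as a likely false positive, and one file name turning up in user temp directories on many hosts across definition versions as a likely outbreak; everything else is left for a human.

```python
"""Triage central antivirus alerts: bad definition update or real outbreak?

Added example, not code from the post. The alert lines, detection names,
record layout and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample alert lines, one per detection event, pipe-separated:
# timestamp | host | detection name | full path of flagged file | definition version
SAMPLE_ALERTS = r"""
2006-03-10 09:01:12|ws-001|Sample.Trojan|C:\Program Files\Microsoft Office\Office\excel.exe|4715
2006-03-10 09:01:40|ws-002|Sample.Trojan|C:\WINDOWS\system32\usersid.exe|4715
2006-03-10 09:02:05|ws-003|Sample.Trojan|C:\Program Files\Google\gtb2k1033.exe|4715
2006-03-10 09:02:31|ws-004|Sample.Trojan|C:\Program Files\Adobe\adobeupdatemanager.exe|4715
2006-03-10 09:03:07|ws-005|Sample.Trojan|C:\Program Files\Microsoft Office\Office\graph.exe|4715
2006-03-10 11:14:02|ws-017|Sample.Worm|C:\Documents and Settings\jdoe\Local Settings\Temp\postcard.exe|4715
2006-03-10 11:15:48|ws-022|Sample.Worm|C:\Documents and Settings\asmith\Local Settings\Temp\postcard.exe|4715
2006-03-10 11:16:30|ws-031|Sample.Worm|C:\Documents and Settings\bk\Local Settings\Temp\postcard.exe|4714
2006-03-10 11:17:12|ws-009|Sample.Worm|C:\Documents and Settings\mlee\Local Settings\Temp\postcard.exe|4715
2006-03-10 14:20:00|ws-040|EICAR-Test|C:\Documents and Settings\admin\Desktop\eicar.com|4715
"""

# Directories where vendor-installed binaries live (suspicious as a *mass* hit)
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\(program files|windows)\\", re.IGNORECASE)
# User-writable locations where mail-borne droppers typically land
USER_DIR_RE = re.compile(r"\\(temp|local settings|desktop|documents and settings)\\",
                         re.IGNORECASE)


def parse_alerts(text):
    """Parse pipe-separated alert lines into dicts; blank or malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, host, name, path, defs = parts
        alerts.append({"ts": ts, "host": host, "name": name, "path": path, "defs": defs})
    return alerts


def classify(group, min_reports=3):
    """Apply the admin's rules of thumb to all alerts sharing one detection name."""
    n = len(group)
    hosts = {a["host"] for a in group}
    basenames = {a["path"].rsplit("\\", 1)[-1].lower() for a in group}
    defs = {a["defs"] for a in group}
    trusted = sum(1 for a in group if TRUSTED_DIR_RE.search(a["path"]))
    user_dirs = sum(1 for a in group if USER_DIR_RE.search(a["path"]))

    if n < min_reports:
        verdict = "needs_review"          # too few reports to say anything
    elif len(defs) == 1 and len(basenames) >= 3 and trusted / n >= 0.8:
        # One new definition version suddenly dislikes many different installed
        # programs in vendor directories: the signature is the problem.
        verdict = "likely_false_positive"
    elif len(basenames) == 1 and len(hosts) >= min_reports and user_dirs / n >= 0.8:
        # The same file name appearing in user temp folders on many machines,
        # regardless of definition version, looks like something spreading.
        verdict = "likely_outbreak"
    else:
        verdict = "needs_review"
    return {"verdict": verdict, "reports": n, "hosts": len(hosts),
            "files": len(basenames), "definition_versions": sorted(defs)}


def triage(text, min_reports=3):
    """Group alerts by detection name and classify each group."""
    groups = defaultdict(list)
    for alert in parse_alerts(text):
        groups[alert["name"]].append(alert)
    return {name: classify(g, min_reports) for name, g in groups.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_ALERTS).items():
        print(f"{name:14s} {result['verdict']:22s} "
              f"reports={result['reports']} hosts={result['hosts']} files={result['files']}")
```

The definition-version field does most of the work: a bad signature shows up only in alerts tagged with the version that introduced it, while a real worm keeps getting caught as clients move between versions. Feeding the script a window of recent alerts (for example, the last hour of console mail) rather than the whole day keeps the two kinds of event from blending into one group.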

Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?
The ability to roll back virus definitions is built into the management platform for Symantec (Symantec System Center). Failing that, backdating would have to be done by hand or through a script run on each client.

The antivirus companies have us addicted to updates. We need the fix. We're jonesing for the fix. Every once in a while we get a bad fix that nearly takes us out. In the past month Kaspersky has killed Exchange servers running Sybari. Microsoft Antispyware has uninstalled Symantec Antivirus. And now this. (I think I'm forgetting a smaller incident Sophos had.) Something is rotten in the state of antivirus.

We've got some problems today caused by an install of Symantec Antivirus version 10. On some Windows 2000 systems after installing Symantec Antivirus 10, the SMS client agent would no longer run. Investigation showed that WMI was possibly corrupt. We're still looking into this problem. Thus far I haven't found a way to fix it.

F-Secure has a little Flash video that illustrates the difference in update speed between F-Secure and several competitors.