Antivirus: April 2006 Archives
The Microsoft Anti-Malware Engineering Team reports on their blog that they will be participating in VirusTotal.
For those that don't know, virustotal.com is a way cool website where you can scan a suspicious file against around 10 vendors. This might help you see what wacky name of the week one particular vendor is using for a virus. Also, it might show you who doesn't have detection available. That's why a few AV vendors have declined to participate in VirusTotal. So I think it's pretty cool that Microsoft is getting involved.
I'm seeing some Word documents being detected by the Kaspersky scan engine as Trojan-Dropper.MSWord.Lafool.g. I don't see a write-up of that on the Kaspersky site. The latest Lafool variant currently written up is "f". None of the variants actually have much, if any, information in the write-up. Looks like I need to figure out how to submit this to support.
update: I checked the Kaspersky forums and found other people noting the same problem.
To report things like this to Kaspersky, send the files in a password-protected archive to "newvirus at kaspersky dot com" and write in the subject "possible false positives".
I found that they already had new virus definitions available that rectified the problem. I've downloaded them and tested the result.
I hate it when I see something, and my reaction is :meh: so I don't blog about it, but then a day later it gets blogged by others. I see the ISC has picked up the news that the Symantec Scan Engine has a couple of vulnerabilities. This has nothing to do with the corporate or consumer product that you use on your desktop. Rather, it is a server that you might use with the ICAP protocol to scan traffic, such as HTTP.
Symantec's writeup is here. Rapid7 discovered these vulnerabilities and has a writeup on their site as well.
http://notafanboy.blogspot.com/2006/04/kevins-discovery-of-latest-vundo-crap.html
Not sure what to make of this.
Protection against the zero-day attack has been a buzzword in anti-malware software marketing. It's an important thing to have. You can't run a business while waiting multiple days for virus definitions to be released covering the latest attack.
Symantec Mail Security for SMTP 5.0 is a new email gateway solution that attempts to provide such protection. It combines Brightmail antispam technology with Symantec antivirus and content filtering.
http://www.securitypipeline.com/185303122?CID=rssfeed_pl_scp
One key new feature is zero-day protection against threats, which uses information on emerging exploits gathered from Symantec’s network of more than 3 million e-mail addresses. When a suspicious e-mail arrives at the server, this feature can be configured to automatically strip off and quarantine the attachment until a virus definition is released, or simply delete the message, said Caccia. Many vendors are attempting to enable zero-day threat protection by adding multiple virus engines in order to maximize detection, but that doesn’t offer the same level of protection as Symantec’s new offering, said Tom MacArthur, principal of Storbase, a solution provider in Waltham, Mass.
“Although you get some incremental benefit from the [former] approach, it’s always better if you can catch viruses early on,” MacArthur said.
Hopefully there will be a bake-off between this product and those that use multiple engines. It will be interesting to hear more about this approach. I wonder if it is using technology similar to the Real Time Threat Protection Service they just bought when they purchased IMlogic.
Neither approach is going to get 100% of the viruses. They are each vulnerable to targeted attacks. MessageLabs, on the other hand, uses a heuristic scanner (Skeptic) in addition to three scan engines. Even targeted attacks will have a difficult time penetrating this defense.
http://www.networkworld.com/news/2006/040306-trend-micro-data-revealed.html
My favorite portion of the article: "an employee, who is no longer with Trend Micro,".
A Trend Micro employee puts company reports on his home computer. He doesn't run antivirus on his home computer. But he does run a P2P program on the computer. Then the employee goes for the idiot trifecta and gets infected with a virus. The virus shares out the entire hard drive, and the Trend Micro reports, including company data, are shared on Japan's most popular P2P network. Good work.
Do we even need to stop and think about the lessons to be learned here, or are they so obvious it's hard to miss...