Antivirus: July 2006 Archives
Looks like Message Labs has gotten themselves into a legal entanglement with web scanning provider ScanSafe.
As I've posted earlier, Message Labs was reselling ScanSafe's web security product. This spring I received a notice that Message Labs' web security version 2.0 was available and that it was now integrating Message Labs' proprietary Skeptic antivirus software. In my opinion Skeptic is the most successful antivirus heuristic available, and I wanted to see how it did with web scanning. ScanSafe has its own unnamed zero-day antivirus protection (I always kind of thought they had licensed Skeptic, but who knows).
A judge has ruled that Message Labs calling their service "2.0" would cause customers to think they were still reselling ScanSafe. ML will be required to disclose this change to all current and future web protection customers.
I had suspected Message Labs may have dropped ScanSafe and brought everything in house, but I wasn't sure. In Message Labs' defense, only people like me who read press releases ever knew about the name ScanSafe. No one at Message Labs used that company name with me until I brought it up.
I was having problems sending email through my ISP earlier this week. The error message I was receiving from Outlook Express was:
> Your server has unexpectedly terminated the connection. Possible causes for
> this include server problems, network problems, or a long period of
> inactivity. Account: mail.example.com, Server:
> 'smtp.example.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes,
> Error Number: 0x800CCC0F
This mail account requires a username and password in order to send mail. To protect against sniffing, I prefer to encrypt my authentication traffic for both IMAP and SMTP. To narrow down the issue, I disabled SSL and found that I was able to send email successfully. Next I attempted to send a message with SSL while connected to a different network. This time I got a different error, with a link to a Symantec Knowledge Base article:
"An encrypted email connection has been detected. Please see help for more information on how to transmit encrypted email."
It turns out that Symantec says:
If your Internet service provider uses the SSL in email protocol, you might have problems sending email messages. In this case, you might need to disable Symantec AntiVirus email scanning.
In order to send email using SMTP over SSL, I had to disable Internet Email scanning within Symantec AntiVirus. This is still secure because file system real-time protection will still scan any file attachment. Message bodies will no longer be scanned, and attachments will be scanned when they are opened or saved rather than when the email message is opened. For years Symantec didn't even have an Internet Email scanner in their corporate product, so I don't think disabling it is a huge risk.
About a month ago, my manager asked me for some help interpreting the results from a scan she had run using Foundstone SuperScan. She is in a security course as part of her Master's degree at GW. The scan results strangely showed ports 110 and 25 open. This didn't make any sense to me; these ports shouldn't be open on an end user's desktop or laptop. I ran SuperScan on my own desktop and laptop and obtained the same result. I tried to verify the results with Nmap, but it kind of bombed out on me. Next, I looked at the most recent STAT results and saw that it too was seeing those ports open. Multiple scanners agreed the ports were open, but I couldn't determine why.
I tried to connect to the ports manually using telnet and netcat, but no banner was displayed. It looked to me like I was not able to connect to the port. This remained an unsolved mystery until this week. I was at a HIPS seminar put on by Third Brigade and read the readme for their product. It reported that Norton Antivirus will cause 110 and 25 to appear to be open because of the way it proxies those connections so it can scan Internet Email. I can't find confirmation in the Symantec Knowledge Base, but I have found confirmation in a writeup from GFI.
Shouldn't Symantec only be proxying outbound requests? This Internet mail scanner plugin is intended only for end user computers. By answering requests from external scanners, it exposes the computer to any vulnerability in its SMTP and POP scanning service. Defense in depth would use a personal firewall to block such access.
This SMTP scanner seems to be more trouble than it's worth. We've had issues sending email to some mail servers with it enabled. I'm going to post later about my experience with SMTP over SSL and this scanner. The computer will still be protected by File System Real Time Protection; this Internet Mail protection does little but preserve a clean inbox.
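The "open but silent" ports 25 and 110 described here and the SSL failure on port 587 in the earlier post are the same symptom seen from two sides: something is accepting the TCP connection in place of the real mail server. The script below is an added example, not code from the original posts, that reproduces the manual telnet/netcat check and classifies what answers on a port: refused, accepted but silent, a plaintext greeting, or a failed TLS handshake. The listeners it starts on 127.0.0.1 are constructed stand-ins for a mail daemon and for a silently interposing proxy; they are not a real mail server or the Symantec scanner.

```python
import socket
import ssl
import threading
import time


def probe_port(host, port, timeout=2.0, use_tls=False):
    """Connect to host:port and classify what answers.

    Returns one of:
      "closed"        connection refused, or no TCP answer within timeout
      "silent"        TCP accept but nothing sent back within timeout; an
                      interposing proxy such as a local AV mail scanner
                      looks like this (the "no banner" observation above)
      "tls-failed"    use_tls=True and the peer does not speak TLS; a plaintext
                      proxy in front of an SSL mail port produces this (the
                      Outlook Express "unexpectedly terminated" case above)
      "banner: ..."   the greeting a real SMTP/POP3 server sends first
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return "closed"
    with raw:
        raw.settimeout(timeout)
        sock = raw
        if use_tls:
            ctx = ssl.create_default_context()
            # We only want to know whether the peer speaks TLS at all, so
            # certificate validation is deliberately switched off here.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            try:
                sock = ctx.wrap_socket(raw, server_hostname=host)
            except socket.timeout:
                return "silent"
            except OSError:  # ssl.SSLError (e.g. wrong version number), resets
                return "tls-failed"
        with sock:
            try:
                data = sock.recv(512)
            except OSError:  # timed out waiting for a banner, or dropped
                return "silent"
            if not data:
                return "silent"
            return "banner: " + data.decode("ascii", "replace").strip()


def survey(host, ports, timeout=2.0):
    """Probe several ports and return {port: classification}. On a workstation a
    'silent' 25 or 110 is the pattern described above and is worth tracing to the
    process that owns the listener rather than dismissing it as a scanner glitch."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_listener(banner=None, hold=3.0):
    """Start a throwaway service on 127.0.0.1 for the demonstration (constructed,
    not a real mail server). banner=None imitates a proxy that accepts the
    connection and says nothing. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            time.sleep(hold)  # keep the socket open the way a silent proxy does
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Reserve and release an ephemeral port so the 'closed' case can be shown
    (constructed; nothing listens on the returned port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Stand-ins for the situations on the page: a real mail daemon, a scanner
    # proxy that accepts silently, and a port with nothing behind it.
    mail = start_listener(b"220 mail.example.test ESMTP ready\r\n")
    proxy = start_listener(None)
    nothing = free_port()
    for name, port in (("mail", mail), ("proxy", proxy), ("nothing", nothing)):
        print(f"{name:8} port {port:5} -> {probe_port('127.0.0.1', port, timeout=1.0)}")
    # SSL attempted against a plaintext listener: the 587/SSL failure described above.
    print("tls to plaintext mail ->",
          probe_port("127.0.0.1", start_listener(b"220 ready\r\n"), use_tls=True))
```

Run it as a script to see the four classifications side by side; point `survey("127.0.0.1", [25, 110, 587])` at your own workstation to repeat the check from the post. A "silent" result on a machine that runs no mail service is the cue to find which process holds the listener and whether it is bound to all interfaces or only to loopback.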
I spent most of my Saturday upgrading Symantec (IMLogic) IMManager. We have two servers running it: one acts as a proxy for public IM traffic and the other looks at LCS traffic. Prior to implementing IMManager, about once a month a user would get their computer infected through IM and then spread it to their contacts inside and outside the company.
The upgrade process wasn't the smoothest thing I've experienced. I didn't follow their advice to try it in a lab environment first. I felt it would take me more time to set up the lab environment, and even then it wouldn't prove that I could upgrade production successfully, only that I could upgrade the lab successfully. I decided it would take about the same amount of time to fix whatever problem occurred on the production machine.
I backed up the database to allow for a fallback position, reviewed the release notes and all available documentation, and jumped in. Symantec provides a lot of information in the documentation, the release notes, and in knowledge base articles, so I was able to create a decent upgrade plan.
I received an error on my update indicating "an error has occurred in the installation of the IM Manager. Description: Failed to install the IM protocols engine. Would you like IM Manager setup to continue." There was a support article with a few things to try (missing DLL, Windows Installer not started, and you're just screwed). None of those suggestions were relevant. I'm wondering now if the problem was a failure to stop the upgrade service as they recommended.
To resolve the problem, I had to uninstall by hand. There is a knowledge base article for this, but it's pretty obvious what to do: delete the install directory, and in the registry remove the uninstall key and the service keys. I then installed version 9 from scratch. Since I had a SQL database on another server, the configuration was preserved.
I am still missing support for Yahoo Messenger 8 (they are working on that for a future release), and I had a weird problem where I had to reboot to get the server to listen for AIM traffic, but other than that I'm pretty happy. Hopefully it will continue to work on Monday when the users come back.
IMManager is integrated with Microsoft (Sybari) Antigen for IM to provide antivirus scanning. I upgraded that by a minor build number as well. The only new development there is support for encrypted LCS traffic and for LCS 2005 SP1.
http://news.zdnet.co.uk/communications/3ggprs/0,39020339,39279551,00.htm
"A spat has erupted between the two security services companies following CA's accusation that antivirus vendor F-Secure was overplaying the threat of mobile malware."
Amazing, I actually agree with CA about something.
ZDNet reports on a security breakfast hosted by email hygiene firm Message Labs. Graham Ingram, General Manager of the Australian CERT, said that the most popular brands of antivirus have an 80% miss rate in cases of new malware.
It's the same thing I've been stating for years: signature based antivirus will let you down. It is very good at dealing with old viruses, but not so good with new ones.
eEye has reported a remote code execution vulnerability in McAfee ePolicy Orchestrator versions prior to 3.5.5.438. This version became available January 2006 but was not marked as a security update.
I tried to download an evaluation copy of McAfee PortalShield for SharePoint today. After filling out the required contact information and accepting a license agreement, I'm taken to a screen that says:
McAfee PortalShield 1.0.1 - 81.47 Mb - www.mcafee.com 1-800-338-8754.
There is no download link on the screen! I called the phone number listed, and they suggested that I check the support knowledge base on the website, and that there is probably something wrong with my browser.
I've got plenty of choices for a SharePoint antivirus vendor, so I'm thinking of just moving on to the next vendor on the list.
A post to the Full Disclosure list reports a local denial of service in McAfee Antivirus Enterprise 8.
http://seclists.org/lists/fulldisclosure/2006/Jul/0157.html
From: John Doe
Date: Sun, 9 Jul 2006 10:53:21 -0700 (PDT)
A local Buffer Overflow was discovered in McAfee VirusScan Enterprise 8.0.0.
The overflow can be triggered within the "Buffer OverFlow Protection Properties" by creating a buffer overflow exclusion. Then fill each field with data, and click ok, and apply.
Process name: AAAAAAAAAAAAAAAAA......etc
Module name: AAAAAAAAAAAAAAAAAA......etc
API name: AAAAAAAAAAAAAAAAAAAAA......etc
This will trigger various exceptions based on amount of data added to each field.
This will DoS the AV. McAfee AV will not run correctly again until Buffer Overflow Protection is disabled or the Buffer Overflow Exclusion is removed.
It's become obvious to most that reactive signature based antivirus products are not sufficient to protect computer systems. In Kaspersky's viruslist.com, Oleg Gudilin looks at whether proactive protections will be a cure-all for viruses.
The article has a lot of interesting graphs from AV-comparatives.org and av-test.org.
I agree with him that vendors are using terms like proactive and zero day incorrectly. Some vendors have implied to me that no update is necessary, but when pressed on how they provided protection against a specific new threat, the first thing they said was that an update was deployed.
Where the article falls short for me is that it only includes proactive measures that have been added to antivirus products in recent years. It would be interesting to see how full-blown HIPS products shape up.
On the whole, I agree with the author that proactive measures are necessary but that these will not replace signature based detections.
Catching up on some things from while I was out this week. We got a spike in detections of a new virus, W97M/Kukudro.A. F-Secure reports that the file is sent in a zipped archive. When opened, it uses an ancient exploit to run automatically. This occurs in Office XP and 2000 even if macros are disabled. In Office 2003 the vulnerability does not exist, so the exploit will obey the macro setting. In many environments, the default macro security setting is to ask the user what to do.