Antivirus: October 2006 Archives

Symantec has had a problem with virus definition corruption in the past few versions. I must say the way it fails in version 10.0.2 is rather annoying. In versions 8 and 9 it would fail by having the service stop and it would no longer contact the parent server. So you would have to audit for missing machines in the SSC or use a product like SMS to look for systems with stopped Symantec Antivirus services. There is also an application log event indicating virus definition corruption.

In 10.0.2, the client still reports in to the SSC, but it often does not list a scan engine number, and the definition number does not update. This is better, because you can look for systems that are online with out-of-date definitions or a blank scan engine number.

The part I find problematic is that in the application log of the afflicted computer, it says "virus definitions are current." There is no indication to the user that their SAV is broken. When you look at c:\program files\common files\Symantec shared\virus defs, I am seeing virus defs from a couple of days ago even though the SSC is reporting one of the older defs being in force.

So how do I fix it when I get into this situation? I've heard of some people at other companies who would replace the contents of c:\program files\common files\symantec shared\virusdefs\ and c:\documents and settings\all users\application data\symantec\... I guess I'm a bit scared to do that. I wonder if I have to match OS version. Do I have to match SAV versions? Writing scripts saves time in the long run; unfortunately you have to make time now to get it right. I just don't have that time. So I do things the manual way.

The Manual Way
In c:\program files\common files\symantec shared\virusdefs:
1. Delete the most recent folder containing a virus def. In this case it's 20061025.039.
2. Edit definfo.dat to match the reduced number of virus defs. In this case CurDefs changes to 20061024.020 and last defs changes to 20060930.002.
3. Edit usage.dat. There should be one "date" indication followed by a list of SAV components. In my case I see:

[20060930.002]
navcorp_70=1
navcorp_70_2=1
[20061025039]
defwatch_10=1

This is wrong; there should be only one date. Remove [20061025.039] and change the "date" at the top to match your most recent virus defs. In this case it's 20061024.020. I suspect my problems are caused by doing upgrades, which results in both navcorp_70 and navcorp_70_1 being there. But I'm not sure about that.
4. Symantec says to check the incoming folder; that has rarely had anything in it. It should be empty.
5. If you see any folders ending in .tmp, delete them.

Next go to c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\. I remove all the files in this directory (not the folders). I then remove all the folders in the i2_ldvp.vdb folder.

Stop and then start the Symantec service. If everything is happy it should create a new folder with today's defs in the virusdefs directory (assuming you are on a corporate network getting updates through VDTM); otherwise run LiveUpdate.
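Since the fix above comes down to keeping three things in agreement (the newest definition folder, the CurDefs/LastDefs values in definfo.dat, and the single [date] section in usage.dat), here is a read-only Python check that reports when they disagree. This is an added example, not code from the post or from Symantec. It assumes both .dat files are INI-style text as shown above; the [DefDates] section name and the "LastDefs" key spelling are assumptions (the post only says "last defs"), and the sample data is constructed to mirror the broken and fixed states described in the post.

```python
"""
Read-only consistency check for a Symantec AV 10.x VirusDefs folder.

Added example, not from the post or from Symantec. Assumptions: definfo.dat
and usage.dat are INI-style text; the [DefDates] section and the "LastDefs"
key name are assumed. Nothing is modified; findings are only reported.
"""
import configparser
import re
from pathlib import Path

# Definition folders are named YYYYMMDD.NNN, e.g. 20061024.020
DEF_FOLDER_RE = re.compile(r"^\d{8}\.\d{3}$")


def parse_ini(text):
    """Parse INI-style text leniently (duplicate sections/keys tolerated)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def find_key(cp, wanted):
    """Return the value of key `wanted` from any section, case-insensitively."""
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower() == wanted.lower():
                return value.strip()
    return None


def check_virusdefs(definfo_text, usage_text, folder_names):
    """Return a list of findings; an empty list means the folder is consistent."""
    findings = []
    def_folders = sorted(f for f in folder_names if DEF_FOLDER_RE.match(f))
    newest = def_folders[-1] if def_folders else None

    # definfo.dat: CurDefs must be the newest folder, LastDefs an older one
    definfo = parse_ini(definfo_text)
    cur = find_key(definfo, "CurDefs")
    last = find_key(definfo, "LastDefs")  # key name assumed
    if cur is None:
        findings.append("definfo.dat: CurDefs is missing")
    elif cur != newest:
        findings.append(f"definfo.dat: CurDefs={cur} but newest folder is {newest}")
    if last is not None and last not in def_folders:
        findings.append(f"definfo.dat: LastDefs={last} has no matching folder")
    if cur and last and last >= cur:
        findings.append(f"definfo.dat: LastDefs={last} is not older than CurDefs={cur}")

    # usage.dat: exactly one [date] section, and it must match CurDefs
    usage = parse_ini(usage_text)
    dates = usage.sections()
    if len(dates) != 1:
        findings.append(f"usage.dat: expected one [date] section, found {len(dates)}: {dates}")
    for d in dates:
        if d not in def_folders:
            findings.append(f"usage.dat: section [{d}] has no matching folder")
    if cur and dates and dates[0] != cur:
        findings.append(f"usage.dat: top section [{dates[0]}] does not match CurDefs={cur}")

    # Leftover *.tmp folders are the symptom step 5 says to clean up
    for f in folder_names:
        if f.lower().endswith(".tmp"):
            findings.append(f"leftover temp folder: {f}")
    return findings


def check_virusdefs_dir(path):
    """Run the check against a real VirusDefs directory (path supplied by caller)."""
    root = Path(path)
    names = [p.name for p in root.iterdir() if p.is_dir()]
    return check_virusdefs((root / "definfo.dat").read_text(errors="replace"),
                           (root / "usage.dat").read_text(errors="replace"), names)


# Constructed sample data mirroring the broken state described in the post
BROKEN_DEFINFO = "[DefDates]\nCurDefs=20061025.039\nLastDefs=20061024.020\n"
BROKEN_USAGE = ("[20060930.002]\nnavcorp_70=1\nnavcorp_70_2=1\n"
                "[20061025039]\ndefwatch_10=1\n")
BROKEN_FOLDERS = ["20060930.002", "20061024.020", "20061025.039",
                  "incoming", "a1b2c3d4.tmp"]

# ...and the constructed state after applying the manual fix
FIXED_DEFINFO = "[DefDates]\nCurDefs=20061024.020\nLastDefs=20060930.002\n"
FIXED_USAGE = "[20061024.020]\nnavcorp_70=1\nnavcorp_70_2=1\n"
FIXED_FOLDERS = ["20060930.002", "20061024.020", "incoming"]

if __name__ == "__main__":
    for label, args in (("broken", (BROKEN_DEFINFO, BROKEN_USAGE, BROKEN_FOLDERS)),
                        ("fixed", (FIXED_DEFINFO, FIXED_USAGE, FIXED_FOLDERS))):
        print(f"{label}:")
        for line in check_virusdefs(*args) or ["(consistent)"]:
            print(" ", line)
```

Run against a real machine with check_virusdefs_dir(r"c:\program files\common files\symantec shared\virusdefs"); an empty result means the three pieces agree, and each finding names the file and value that the manual steps would change. Because it never writes, it can be pushed out as a scheduled audit to catch the "definitions are current" lie before the SSC does.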

This rant seems to have turned into a knowledge base article. Keep in mind that symantec.com/techsupp is a much better place to get symantec help. I'm just rattling off some thoughts.


This is rather weird, every system has the 20061024.020 and the 20061025.039 defs in the folder but report in a previous def version. How very odd.

Tonight I'm working on a brief article for the I.T. Department's newsletter that is distributed to the company.

I'd noticed that some outbound email was being detected as a virus when people copied a webpage into an email and sent it. All that Javascript made the scanner unhappy. I think the rotating banner ad was also a problem because the email was then different each time it was loaded.

So the article was pointing out how to avoid the problem. The Exchange administrator advised the best way is to just send a link rather than the entire article. That reminded me that some infosec people don't believe in sending links. Rather you're supposed to just tell the recipient to go to site X and enter a search term.

I can see this now. "Go to www.fnord.ch and search on Bin Laden. You know this is not a virus because I'm making you type in the link and do a search yourself." Where's the protection there? Of course if it's "Go to the BBC site and search on Bin Laden" then it's safer. It's safer because people are too lazy to do that much work unless nudity is promised. :)

Security through unusability may be acceptable to some, but it's not to me.

Symantec wrote about the threat of EFS being used to hide viruses from administrator accounts and system.

Of course if you don't run as administrator, the virus wouldn't (as easily) get the chance to create a new administrative user and use that account to encrypt itself. Another suggested best practice when Windows 2000 first came out was: if you aren't using EFS, then disable it. If either of these practices were followed, this wouldn't be a problem.

McAfee wrote about this problem 6 weeks ago.

There is a virus family now that uses this technique.

Mondaq.com has an article on the Scansafe v. MessageLabs lawsuit. The website requires free registration.

MessageLabs was under an agreement to rebrand Scansafe's HTTP security as their own. After about a year of that, MessageLabs decided to take it in house, giving two months notice.

I've had great fun in my HTTP Security project as I've dealt with both vendors, and am fully aware of the back story. I would guess that the vast majority of MessageLabs customers have never heard of Scansafe.

Scansafe sued alleging the contract requires longer notice than a two month notice, and also that MessageLabs in creating their in house version is living off the ScanSafe good name.

I agree with the Judge in this case. It's kind of hard to be accused of misappropriating someone else's goodwill when you are licensing their software to use under your own name. You are authorized to appropriate the goodness of their software as your own. The problem comes in when the new in-house version is called version 2.0. They say that implies it's based on the original software.

So now MessageLabs is required to tell prospective customers that the Web Security is not based on Scansafe. Apparently they are free to then tell the users horror stories about Scansafe's product and why MessageLabs had to bring it in house to do it right.

Apple somehow manages to blame Microsoft when Apple ships a virus preloaded on some iPods. Gee, I thought Apple was super secure and didn't need any of that fancy stuff like antivirus. Most companies have learned that scanning for viruses before shipping is part of quality control.

I expect that soon User Friendly will have a comic strip showing how the Microsoft blackops team planted this virus on the iPods.

Here's F-Secure's take.

I've been beating this drum for years.

Joris Evers wrote at news.com yesterday about the problem of targeted virus attacks. The headline calls it the future of malware.

One of the interesting things he notes in the article is that targeted attacks are using exploits in commonly used programs. So if the bad guy has a previously unknown zero-day in Microsoft Office, it will get past a virus scanner and it will get past primitive file-extension blocks.

The number of zero-day attacks isn't limitless (it only seems that way). So the attacks would tend to be used against the high-value target.

There was another article this week that suggested it's hard to get the antivirus vendors to even write a signature when one company suffers a targeted attack.

As I see it, the solution is the same as before: limit administrator rights, use HIPS, and use heuristics/sandboxing where possible.

John McDonald writes in the Symantec Security Response Weblog regarding the importance of updating virus definitions.

Yes, updating virus definitions frequently is important. Why then does Symantec only supply a liveupdate once per week to people still running version 8 and 9? Why does Symantec only update the Intelligent Update once per day? Why do I have to use XDBDown to be able to check hourly for the latest updates? Why does Symantec discourage the use of the Rapid Release definitions? Why does Symantec often rate poorly when comparing vendors update speed when new viruses come out?

The author reports that, "Among the home users surveyed, just 46.3 percent said their antivirus software is up to date." Is this an indictment of the usability and effectiveness of their antivirus software? Shouldn't the vendor work to make the software stay up to date on its own, not break, self-heal where possible, and lastly inform the user if they need to take action to make it work again?

His defense of virus definitions is kind of weak in my opinion. The author states that with the exception of SQL Slammer, most viruses start out slow, and you are protected if you download the virus definitions before it reaches you. This reminds me of the fire department. They aren't there to prevent you from ever having a fire; they are there to prevent it from destroying your whole neighborhood. Frankly, I'd rather not have the fire in the first place. In this age of targeted attacks, motivated by money and backed by criminal concerns, I am not willing for my company to be the victim that allows everyone else to stay safe.

I'm rather disappointed with his stance against heuristics. I think it is working rather well for McAfee thus far. In this age of zero day attacks, we aren't going to turn to third party patches, and antivirus can not always protect us. We need to consider adding HIPS to the corporate desktop protection suite.

I'm seeing some viruses detected this evening with generic names.

Subject: hello
Subject: Mail Delivery System
File:document.msg.exe
Subject: Fwd: ls878grz.dallas.net mail server report.
Subject: mail server report
File: Update=2DKB3500=2Dx86.exe
body.elm.scr
Virus: New Malware.n

Subject: Error
File: body.msg.pif
Virus: New Malware.j