Antivirus: November 2006 Archives
The SANS Internet Storm Center is reporting exploitation attempts against unpatched versions of Symantec Antivirus 10 and Symantec Client Security 3.
The vulnerability, first announced in May (with patches trickling out over the following month), allows remote code execution on a computer via Symantec's remote management port. To reiterate: this vulnerability is exposed remotely only in managed versions of these products.
DShield is currently showing a remarkable uptick in scans against this service port.
To mitigate this attack, personal firewalls should block access to this port whenever the computer is on the Internet. On the corporate network, the Symantec Antivirus management port should be reachable only from the Symantec parent server.
Of course the best bet is to be patched. The list of vulnerable and patched versions is in the Symantec writeup.
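One way to tell whether your own hosts are seeing the sweep DShield reports, and whether anything other than the parent server is reaching the management port, is to run the personal-firewall logs through a small filter. The script below is an added example, not code from the original post or from Symantec. It assumes the management port is TCP 2967 (the page does not name the port; that number is taken from Symantec's advisory for these products), that the firewall log is in the Windows Firewall (pfirewall.log) format, and that 10.0.0.5 is the parent server. The log lines are constructed for the example.

```python
"""Spot probes of the Symantec AntiVirus management port in a Windows Firewall log.

Added example, not from the original post. Assumptions (not stated on the page):
  * the management port is TCP 2967 (Symantec's advisory for SAV 10 / SCS 3);
  * the log is in Windows Firewall (pfirewall.log) space-separated W3C style;
  * 10.0.0.5 is the Symantec parent server, the only host that should use the port.
"""

SAV_MGMT_PORT = 2967          # assumption: Symantec AV remote management port
PARENT_SERVER = "10.0.0.5"    # assumption: the only legitimate peer on that port

# Constructed sample log in Windows Firewall format. Field order after the
# "#Fields:" header: date time action protocol src-ip dst-ip src-port dst-port ...
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-11-20 09:12:01 OPEN TCP 10.0.0.5 10.0.4.17 1056 2967 - - - - - - - - -
2006-11-20 09:12:03 DROP TCP 203.0.113.9 10.0.4.17 3921 2967 48 S 1234567 0 65535 - - - RECEIVE
2006-11-20 09:12:03 DROP TCP 203.0.113.9 10.0.4.18 3922 2967 48 S 1234568 0 65535 - - - RECEIVE
2006-11-20 09:12:04 DROP TCP 203.0.113.9 10.0.4.19 3923 2967 48 S 1234569 0 65535 - - - RECEIVE
2006-11-20 09:12:10 DROP TCP 198.51.100.23 10.0.4.17 4410 2967 48 S 2234567 0 65535 - - - RECEIVE
2006-11-20 09:12:11 OPEN TCP 10.0.4.17 10.0.0.5 1057 2967 - - - - - - - - -
2006-11-20 09:12:15 OPEN TCP 10.0.4.17 192.0.2.10 1058 80 - - - - - - - - -
"""


def parse_log(text):
    """Parse Windows Firewall log lines into dicts; header and comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue  # malformed line; ignore rather than crash on a truncated log
        records.append({
            "date": f[0], "time": f[1], "action": f[2], "proto": f[3],
            "src": f[4], "dst": f[5],
            # ports are "-" for ICMP entries, so only convert real numbers
            "sport": int(f[6]) if f[6].isdigit() else None,
            "dport": int(f[7]) if f[7].isdigit() else None,
        })
    return records


def unauthorized_mgmt_attempts(records):
    """Connections to the management port where the parent server is neither endpoint.

    Assumption: the parent manages clients over this port and is also contacted by
    them on it, so traffic with the parent at either end is treated as legitimate.
    Anything else touching TCP/2967 is an unauthorized client or a scanner.
    """
    return [r for r in records
            if r["proto"] == "TCP" and r["dport"] == SAV_MGMT_PORT
            and PARENT_SERVER not in (r["src"], r["dst"])]


def scanners(records, min_targets=2):
    """Sources that probed the management port on at least min_targets distinct hosts.

    One stray connection is usually a misconfigured client; a single source hitting
    many hosts is the kind of sweep DShield is reporting. Returns {source: host_count}.
    """
    targets = {}
    for r in unauthorized_mgmt_attempts(records):
        targets.setdefault(r["src"], set()).add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in unauthorized_mgmt_attempts(recs):
        print(f'{r["date"]} {r["time"]} {r["action"]} {r["src"]} -> {r["dst"]}:{r["dport"]}')
    print("scanning sources:", scanners(recs))
```

Point it at the real pfirewall.log on a managed client and the only entries that should survive the filter are the parent server's; anything else is either a client that needs its firewall fixed or a host scanning for the unpatched service.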
This post is mainly an as-it-happens record of a call trying to get a license file for one of my Symantec products. It's not necessarily going to be funny, interesting or informative. Sort of like the rest of my posts.
Right now I'm waiting on hold for Symantec. It took 20 minutes to get through to someone in customer support. I can't get a license out of their darn licensing website. The customer support guy couldn't do anything but read irrelevant knowledge base articles to me. ("How to download from fileconnect", "How to register at the licensing site"). Hello, are you listening to me?
So this guy decided pulling it would be too much work to actually solve my problem, so he is transferring me to the "licensing specialist." Any bets on whether this will actually be a licensing specialist, or if he has merely dumped me back into the 20 minute customer support queue in hopes that he won't get my call the second time around?
- 30 minutes in - I'm reminded of the advice in "Internet Help Desk" by Three Dead Trolls in a Baggy, "always put them on hold, it takes the fight out of them".
- 33 minutes in - I'm installing Java Runtime Environment 1.4.2-12 so maybe my McAfee for Sharepoint will work.
- 43 minutes in - wow, this is the most eclectic mix of music.
- 53 minutes in - shouldn't have drunk so much Pepsi
- around 65 minutes in - lost the connection.
- Tried to call the number I was given for customer service and it is not valid.
New call to support since it's the only number I have. Vent a bit about my Symantec experience so far today. Guy goes to check on something.
- 10 minutes in on second call - guy says I don't need to talk to licensing and the hold time there is one hour right now (would have been nice if the guy on the first call had set that expectation).
I'm being transferred to customer service again. Oh, and apparently the number I have for that is correct, not sure why I got a busy signal then.
- 34 minutes into the second call - the customer service drone could not help me and is transferring me back to licensing. His oh so helpful suggestion is that I call back in the morning when the hold times are less. Quote of the call: "You're from Virginia, where is that?"
- around 90 minutes into the second call, I got licensing, and we stepped through the website. We found that it had actually imported the newer certificate even though it didn't display on the website. There was an advanced search that I hadn't tried that turned it up. Once I did that there was an option to register the serial number. That's kind of odd, because that is what I thought I was doing when I imported the serial number into the website.
They've made a complicated mess of licensing that is causing a lot of problems. I'd say of the people I talked to today, two cared about solving the problem and reducing frustration. The rest of them couldn't be bothered.
This evening at work someone is attempting to spam us with email containing an emule.exe attachment. It's getting detected as FormSpy by Message Labs.
According to the McAfee blog, previous versions of FormSpy have "hooked mouse and keyboard events in the Mozilla Firefox web browser. It can then forward information such as credit card numbers, passwords and URLs typed in the browser to a malicious website."
Today Symantec I'M Manager (formerly IMLogic IMManager) took far more of my time than I really planned. Last night I got approval to block AIM 6 users until I'M Manager supports that version. The method provided by support was to redirect or block a specific host name. The problem, which I discovered later, is that the host name is also used for AIM Triton. So redirecting that host name broke AIM Triton, which had been working for months. I really don't see a way to block AIM 6 without taking out Triton as well. It would be easier to deal with this if I was sure Triton 1.3 and 1.5 were successfully being filtered by I'M Manager before. If they were bypassing the I'M Manager protection for the past few months, I didn't feel bad about blocking them now.
So that was my morning. After a series of afternoon meetings, I found that I'd received the I'M Manager renewal license certificate in the mail. Unfortunately, Symantec has changed how you download license files and I haven't figured out how to do that yet. I also notice that the serial number gives me access to the 8.0.x version of the product rather than the newer 8.1. What's the deal with that?