Antivirus: June 2007 Archives

Yesterday, I attended a webinar on Symantec Endpoint Security 11. It should be available for on-demand replay at some point at symantec.com.

A lot of people including myself have been very negative about the Symantec product, virus detection rates, and product support. I'm actually starting to believe that Symantec is turning things around. Yes, I know this brief ray of hope will soon be crushed by more Symantec nonsense. But for now, for this blog entry, I'll focus on the positive.

Symantec Endpoint Security, formerly code named Hamlet, is a single agent, single console solution. In the past people have implemented piecemeal solutions. So the clients have anti-virus products, antispyware products, and a personal firewall. Each of these products requires a separate management point. They each require upgrades and management. There is an incredible cost to the old "best-of-breed" approach. Back then "kitchen-sink" solutions like Symantec Client Security were bloated beasts that weren't the best at anything. McAfee Total Protection was the first vendor to grab my attention with a consolidated approach. Let's see what Symantec brings to the table.

  • Antivirus - as I've blogged about before, Symantec is doing much better on the AV tests.
  • Antispyware - Includes Veritas technology VxMS to detect rootkits. They feel this is superior to rootkit detection in other products. I'm not convinced though that the product is overall better in spyware detection than Webroot or Sunbelt. But it may be worth it to preserve resources.
  • Intrusion Prevention (Network and Host) - generic exploit blocking (currently in SCS), Proactive Threat Scan (from Whole Security), deep packet inspection
  • Device Control - restrict data leakage (not a lot of info on this that I noted)
  • Symantec NAC

This is all with a single agent. According to the presenter McAfee is using multiple agents in its product.

They had some interesting memory baseline numbers:
  • Symantec Antivirus Corporate Edition - 62 MB
  • Symantec Client Security - 129 MB
  • McAfee Total Protection - 71 MB
  • Symantec Endpoint Protection - 21 MB
That is a very significant number. We have been very concerned about each security solution adding a burden to the computer.

There is a public beta. To sign up for that, or for additional information, check out www.symantec.com/endpointsecurity.

This sounds interesting. Of course I would never install a dotZero release from Symantec. But about 6 months after release this could be of interest.

On Friday, I received an email from postcards@kissesonapostcard.com with the subject: "Hi there, an old friend has just sent you a greeting card and a kiss!" It was sent to the infosec board's mailing list, so there is no chance this is legit.

The message contained a link, "Get your greeting card here" hxxp://send.kissesonapostcard.com/a_friend.exe (hxxp munged by me to avoid people accidentally clicking on a link).

Kaspersky detected this file as IRC.Zapchast so I submitted the message to my email hygiene provider.

Now most people wouldn't have done that because their email antivirus product has no hope of detecting links to malicious code in emails. Since mine purports to do this, I submitted the email. Surprisingly, two days later, I got an email back with a case number. Another two days later, I was asked by support to save the offending message as a .msg file and then zip it and send it to them. That kind of annoyed me because I had included full headers and the HTML of the message.

As long as I was thinking about this file, I ran it through VirusTotal again. This time most of the vendors are catching it.
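As an added example (not from the original post or any vendor product), here is a small Python filter of the kind the post wishes its email hygiene provider had: it pulls the hrefs out of an HTML message and flags any link whose path ends in a directly downloadable executable. The sample message is constructed to mirror the greeting-card lure described above; the extension list is my own assumption.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a gateway filter should flag when a link points straight at them (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".hta")


class _LinkExtractor(HTMLParser):
    # Collects the href target of every <a> tag seen in an HTML body.
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def extract_links(raw_message):
    """Return every href found in the text/html parts of an RFC 822 message."""
    msg = message_from_string(raw_message)
    links = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        parser = _LinkExtractor()
        parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
        links.extend(parser.links)
    return links


def risky_links(raw_message):
    """Return links whose URL path ends in one of the risky extensions."""
    return [
        link for link in extract_links(raw_message)
        if urlparse(link).path.lower().endswith(RISKY_EXTENSIONS)
    ]


# Constructed sample modelled on the greeting-card lure described in the post.
SAMPLE_EMAIL = """\
From: postcards@kissesonapostcard.com
Subject: Hi there, an old friend has just sent you a greeting card and a kiss!
Content-Type: text/html; charset=us-ascii

<html><body><p>An old friend sent you a card.</p>
<a href="http://send.kissesonapostcard.com/a_friend.exe">Get your greeting card here</a>
<a href="http://www.kissesonapostcard.com/">Visit us</a></body></html>
"""
```

Running `risky_links(SAMPLE_EMAIL)` returns only the a_friend.exe link; the plain site link passes, which is the distinction a gateway needs to make before quarantining.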

This evening after the latest SAV update, I'm seeing detections on all of my systems with the Windows Resource Kit installed. The files instsrv.exe and srvany.exe are detected as Hacktool.

Both files are used when creating a service.

We'll see if they back off this detection, or if it will be yet another thing we have to whitelist (and whitelisting doesn't work so well in the version of SAV I am running). Vendors need to do a better job being flexible about potentially unwanted programs.

Update - received an email from Symantec:
From: symalert@symantec.com [mailto:symalert@symantec.com]
Sent: Friday, June 22, 2007 10:07 PM
Subject: Symantec Security Response will post LiveUpdate virus definitions today, June 22, 2007 PDT

This posting is in response to a false positive detection on the file srvany.exe from Microsoft's Resource Kit. This FP was first released in Rapid Release definitions 70045 and later in the 6/22/2007 rev.33 Intelligent Updater and LiveUpdate definitions. The false positive has been corrected from Rapid Release definitions #70065. An additional message will be sent approximately 30 minutes before the LiveUpdate virus definitions are available for download.