Antivirus: September 2007 Archives
ADP posted the following on Friday.
Beginning yesterday, certain ADP clients and other parties started receiving fraudulent e-mails that appear to be sent from ADP. They were not. If you receive these e-mails DO NOT OPEN, FORWARD, LAUNCH OR RESPOND TO THEM. IMMEDIATELY DELETE THEM. The e-mails and their attachments are malicious and could harm your computer. We believe they are attempting to compromise your data.
WHAT YOU NEED TO KNOW:
Here is what you should be on the lookout for:
The "from:" address in these e-mails may have been spoofed to look like it is coming from ADP such as "emplservices292823@adp.com " or "adpcomplaintcenter@adp.com".
The subject line may read: "Agreement Update for [Your Company Name (Case id: ______)]" or "Complaint Update for [Company Name (Case id. #)]".
The e-mail may have an attachment named either Agreement.rtf or Agree.rtf or may instruct you to "download a copy of your complaint."
These attacks are sophisticated and you may receive other fraudulent e-mails. Please be careful not to open any suspicious attachments or to download any files.
ADP will continually update the information on its website to help you identify and avoid problems from these suspicious e-mails. You will be able to visit http://www.adp.com/about_fraudulentemail.asp for the latest information.
WHAT YOU NEED TO DO:
If you received one of these suspicious e-mails do not open the attachment and do not provide any information of any kind. Delete the e-mail and any attachment immediately.
WHAT IS ADP DOING ABOUT THIS:
ADP's security team is working with law enforcement as well as outside experts to identify those responsible for this attack. If we identify any further steps needed to protect your computer, ADP will immediately post this information on our website.
We appreciate your understanding as we work with law enforcement and you to resolve this matter.
We've decided that McAfee Portalshield for Sharepoint isn't cutting the mustard, so it's time to look for other products. The Sharepoint guys are working on upgrading to Sharepoint 2007. From what I've heard, McAfee doesn't support Sharepoint 2007 yet. McAfee Portalshield has had a couple of annoying habits anyway. Once we installed it, we had to restart IIS on a scheduled basis; otherwise the sites would become unavailable. We also had one compressed file that would constantly get detected, and we could never figure out where the file was located.
One of the sysadmins installed Forefront for Sharepoint and asked me to check it out. I really don't remember why we didn't go with this a year ago. I like Sybari products and this should be pretty much the same thing as the newer Microsoft Forefront branded products.
As I began to eval, I attempted to upload an EICAR file. Forefront successfully detected this, but I also received a detection from Symantec Antivirus Corporate Edition (the file system antivirus) for EICAR in C:\Program Files\Microsoft Forefront Security\SharePoint\Data\ADF\VxData\eicar.00.ext. I figure that I need to exclude the data directory in SAV. It would be nice to find a KB indicating that, but no joy thus far.
Next, I uploaded cain.exe into my Sharepoint My Site. Actually, it rejected cain.exe because it is an executable, so I renamed the file to cain.ex_. Sybari had an incredibly stupid configuration where they only scanned file types known to be potentially malicious (this setting isn't visible to the admin and is on by default). It seems that this behavior has held over to Microsoft Forefront, because cain.ex_ is not detected on upload. I initiated a quickscan of My Site in Sharepoint. Forefront still detects nothing, but I received a detection from Symantec:
File: C:\WINDOWS\Temp\3e540056.$$$
Virus: CainAbel
It appears that Forefront is unpacking its scanned files in Windows\Temp. This seems incredibly foolish. I'm wondering if this has something to do with using the Clean setting rather than the delete setting. Either way, this shouldn't happen.
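The miss described above comes from deciding what to scan by file extension, so a renamed cain.ex_ slips past. As an added illustration (not code from this post or from Forefront), here is a content-based check that recognizes a Windows PE image by its MZ/PE headers regardless of the file name; the sample files are constructed inline, and the minimal PE header is only a header, not a runnable program.

```python
"""Identify Windows PE executables by content, not by file extension."""
import struct

MZ_MAGIC = b"MZ"        # DOS header signature at offset 0
PE_SIGNATURE = b"PE\0\0"  # NT header signature at offset e_lfanew


def is_pe_executable(data: bytes) -> bool:
    """Return True if data carries a PE image header (EXE/DLL/SYS), whatever its name."""
    # The DOS header is 0x40 bytes; e_lfanew (offset of the PE header) sits at 0x3C.
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Guard against a truncated file or an e_lfanew pointing past the end.
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def build_minimal_pe_header() -> bytes:
    """Construct a minimal PE header for the demo (constructed sample, not a real binary)."""
    header = bytearray(0x80)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> 0x40
    header[0x40:0x44] = PE_SIGNATURE
    return bytes(header)


# Constructed sample uploads: the same PE content under its real and renamed extension,
# plus a harmless RTF document.
SAMPLES = {
    "cain.exe": build_minimal_pe_header(),
    "cain.ex_": build_minimal_pe_header(),
    "Agreement.rtf": b"{\\rtf1\\ansi Hello}",
}


def classify(files: dict) -> dict:
    """Map each file name to True when its content is a PE image, ignoring the extension."""
    return {name: is_pe_executable(content) for name, content in files.items()}


if __name__ == "__main__":
    for name, flagged in classify(SAMPLES).items():
        print(f"{name}: {'PE executable' if flagged else 'not a PE executable'}")
```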