Archive for the ‘Antivirus’ Category.

Not even to my desk

Walking into work through the South Lobby this morning I passed three monitors that normally show traffic, weather and footage from a traffic camera. The traffic monitor normally displays traffic information from WTOP, but today it showed cgidoctor.com. This page advised the user on how to remove fake antivirus infections. The links to remove the fake antivirus went to a second site containing malicious code.

The monitor is a touchscreen, so I checked the history to see if anyone had been accessing something other than WTOP.com. While that wasn't an in-depth check, I think it's safe to say that yet again WTOP served up a banner advertisement that contained fake AV social engineering.

That legitimate sites can serve you malware via banner ads is not surprising to most people reading this site. URL filters and antivirus are necessary, and so is a dose of common sense when the attack is trying to trick you into installing the malware yourself rather than running an exploit.

Authentium Command Antivirus False Positive

Authentium Command Antivirus on Friday detected a handful of Office documents as MSWord/Dropper.B!camelot. I ran a couple of the files through VirusTotal and found Authentium was the only company detecting the file as a virus. In some cases that would be a sign of being on the cutting edge of detection, but in this case it's a sign of a false positive.

Friday, I tried to submit the false positives to Authentium using the instructions on their site but received no reply. Today I followed up and was told that since I wasn't a customer, they had no interest in fixing their false positive. I could, however, report the false positive to Microsoft, who would then report it to them. I'm going to argue with Authentium support a bit more.

[update:]
This will be fixed in an update later today. Frustration relieved. Probably partially self-inflicted.

That’s Not from the Copier

A lot of copiers now have the ability to scan documents and email the result as a PDF. I've never quite understood why people don't take the time to change the default subject line, which on a Xerox is something like "Scan from a Xerox WorkCentre", to something a bit more descriptive. Worse yet, I've seen people here send directly from the copier to an external recipient instead of sending the PDF to themselves, formatting the email a bit more and then forwarding it on.

We must not be the only ones with this habit. The bad guys are using it too. I just saw some virus alerts on our inbound email.

Subject: Scan from a Xerox WorkCentre Pro $3609550
Virus: Packed.Generic.306
From the Symantec website: “Packed.Generic.306 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from anti-virus software.”

No file name was listed in the virus alert, so I thought this might be a false positive. Since I don't have access to release quarantined messages to myself, I checked the source IP. The IPs I checked were from Guatemala. Between that and the fake-looking source email address, I'd say this is definitely malicious.

Update: Here’s a link to a Barracuda blog post on the subject.
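The reasoning in this post (a copier-style subject line is only plausible when the message actually originates from one of your own copiers, carries a PDF, and is addressed from your own domain) can be turned into a simple gateway check. The following is an added example, not code from the original post; the copier address range, the mail domain and the tab-separated log format are assumptions made up for the example, and the three log lines are constructed, with the second one modelled on the alert quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed (placeholder) values: the address range the organisation's copiers
# send from, and the organisation's own mail domain.
INTERNAL_COPIER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_DOMAIN = "example.org"

# The default subject a Xerox copier emits, which the malicious mails imitate.
COPIER_SUBJECT = re.compile(r"^Scan from a Xerox WorkCentre", re.IGNORECASE)

# Constructed sample of gateway log lines (tab-separated: source IP, envelope
# sender, subject, attachment name). The second line mimics the alert quoted
# in the post; note its sender has been forged to look internal.
SAMPLE_LOG = [
    "10.20.5.17\tcopier-3@example.org\tScan from a Xerox WorkCentre\tScan_001.pdf",
    "203.0.113.45\tworkcentre@example.org\tScan from a Xerox WorkCentre Pro $3609550\tXerox_Scan.zip",
    "198.51.100.9\tbilling@example.net\tInvoice attached\tinvoice.pdf",
]


@dataclass
class Message:
    source_ip: str
    sender: str
    subject: str
    attachment: Optional[str]


def parse_log_line(line: str) -> Message:
    source_ip, sender, subject, attachment = line.rstrip("\n").split("\t")
    return Message(source_ip, sender, subject, attachment or None)


def is_internal_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_COPIER_NETS)


def classify(msg: Message) -> Tuple[str, List[str]]:
    """Return ('ignore' | 'legitimate' | 'suspicious', reasons).

    Only copier-style subjects are examined. For those, a genuine scan must
    come from a copier address and carry a PDF; the sender domain is checked
    as well, but since senders are trivially forged the source IP is the
    check that carries the weight.
    """
    if not COPIER_SUBJECT.match(msg.subject):
        return "ignore", []
    reasons = []
    if not is_internal_ip(msg.source_ip):
        reasons.append("external source IP")
    if msg.sender.rpartition("@")[2].lower() != INTERNAL_DOMAIN:
        reasons.append("sender domain is not ours")
    if msg.attachment is None or not msg.attachment.lower().endswith(".pdf"):
        reasons.append("attachment is not a PDF")
    return ("suspicious" if reasons else "legitimate"), reasons


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Classify every log line; returns (source_ip, verdict, reasons) per line."""
    out = []
    for line in lines:
        msg = parse_log_line(line)
        verdict, reasons = classify(msg)
        out.append((msg.source_ip, verdict, reasons))
    return out


if __name__ == "__main__":
    for source_ip, verdict, reasons in scan_log(SAMPLE_LOG):
        print(f"{source_ip:15} {verdict:11} {'; '.join(reasons)}")
```

Run as a script it prints one verdict per line; the forged message is caught on its source address and its ZIP attachment even though the sender address looks like one of ours.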

Fake AV on Drudge

I was over at the Drudge Report last night and finally saw a fake antivirus social engineering attempt there. I'd heard before that the ads on Drudge often served that up, but it was the first time I ran across it myself.
On my work computers, I have the full Symantec Endpoint Protection suite installed and the IPS generally detects and blocks fake antivirus attempts. My home computer doesn't have the firewall component of SEP installed, so it can't have the IPS functionality. This means it's relying on the antivirus scanner exclusively for detection. Of course that detected nothing.
I downloaded the inst.exe file. That's the same file name I see in the fake antivirus attempts that are frequently made at pwinsider.com. You'd think the bad guys would avoid using the same file name all the time.
I got sidetracked and didn't run the file through VirusTotal until this morning. 13 out of 41 detected the malicious installer, downloaded from a major site, the day after.

File inst.exe received on 2010.05.06 14:31:04 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
Antiy-AVL 2.0.3.7 2010.05.06 -
Authentium 5.2.0.5 2010.05.06 -
Avast 4.8.1351.0 2010.05.06 -
Avast5 5.0.332.0 2010.05.06 -
AVG 9.0.0.787 2010.05.06 -
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.06 -
Comodo 4779 2010.05.06 -
DrWeb 5.0.2.03300 2010.05.06 Trojan.Fakealert.15369
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7471 2010.05.06 Win32/FakeAlert.E!generic
F-Prot 4.5.1.85 2010.05.06 -
F-Secure 9.0.15370.0 2010.05.06 Trojan.FakeAlert.CCA
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.06 Trojan.FakeAlert.CCA
Ikarus T3.1.1.84.0 2010.05.06 -
Jiangmin 13.0.900 2010.05.06 -
Kaspersky 7.0.0.125 2010.05.06 Packed.Win32.Krap.ai
McAfee 5.400.0.1158 2010.05.06 -
McAfee-GW-Edition 2010.1 2010.05.06 -
Microsoft 1.5703 2010.05.05 -
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Norman 6.04.12 2010.05.06 -
nProtect 2010-05-06.02 2010.05.06 Trojan.FakeAlert.CCA
Panda 10.0.2.7 2010.05.05 Suspicious file
PCTools 7.0.3.5 2010.05.06 -
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Rising 22.46.03.04 2010.05.06 -
Sophos 4.53.0 2010.05.06 Mal/FakeAV-CZ
Sunbelt 6267 2010.05.06 FraudTool.Win32.SecurityTool (v)
Symantec 20091.2.0.41 2010.05.06 -
TheHacker 6.5.2.0.277 2010.05.06 -
TrendMicro 9.120.0.1004 2010.05.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.06 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.6.2304 2010.05.06 -
VirusBuster 5.0.27.0 2010.05.06 -
 
Additional information
File size: 887824 bytes
MD5...: 2e797ae47b533739a234ffd66d736a55
SHA1..: d3a984790a2d83f33db3b7791d540f259eb1ef34
SHA256: 05a094eb2512b0df90b98e8789ce9166049749dc428d38561d805c577ec52202
ssdeep: 24576:j9r0ObkXlgxp3JEFp56d1Ctz7YQn7jPff7l0xm6U:j6pwp5Ap0A4GPfKzU
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x42f2757e (Thu Aug 04 20:07:26 2005)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x58000 0x57400 7.79 c8a376ad4f177f3ae434902b7b8f4a8f
.rdata 0x59000 0x1000 0x200 3.79 6d3e2283fc369479980764aca0706a36
.trash 0x5a000 0x80000 0x7f200 7.79 4579192af1340dc0f8377086beb4767c
.rsrc 0xda000 0xa3000 0x2000 5.14 00d9d5b447b6a0236d734be8ae5af459
.reloc 0x17d000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 2 imports )
> ntdll.dll: DbgPrint, DbgPrompt, NtPulseEvent, RtlUlongByteSwap, atan
> KERNEL32.dll: GetModuleHandleA, CreateFileA, GetLastError, WriteFile, ReadFile, GetVersionExA, ExitProcess, CloseHandle, GetCurrentProcessId, GetCurrentProcess, GetCurrentThreadId

( 0 exports )

RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=58CECCFE103F91A08CFD0D13520C63001BD0C5B4
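The report above is the flattened text VirusTotal produced at the time, and two things in it are worth pulling out mechanically: the detection count (the "13 out of 41" in the post) and the PE section data, where two sections sit at an entropy of 7.79, one section is called .trash, and .reloc has no raw data at all (its MD5 is the MD5 of empty input). The following is an added example, not part of the original post; it re-embeds the page's own table rows as input. The entropy threshold of 7.0 and the short list of "standard" section names are rules of thumb chosen for the example.

```python
import re

# Rows copied from the VirusTotal report on this page (inst.exe, 2010-05-06).
AV_TABLE = """\
a-squared 4.5.0.50 2010.05.06 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
Antiy-AVL 2.0.3.7 2010.05.06 -
Authentium 5.2.0.5 2010.05.06 -
Avast 4.8.1351.0 2010.05.06 -
Avast5 5.0.332.0 2010.05.06 -
AVG 9.0.0.787 2010.05.06 -
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.06 -
Comodo 4779 2010.05.06 -
DrWeb 5.0.2.03300 2010.05.06 Trojan.Fakealert.15369
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7471 2010.05.06 Win32/FakeAlert.E!generic
F-Prot 4.5.1.85 2010.05.06 -
F-Secure 9.0.15370.0 2010.05.06 Trojan.FakeAlert.CCA
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.06 Trojan.FakeAlert.CCA
Ikarus T3.1.1.84.0 2010.05.06 -
Jiangmin 13.0.900 2010.05.06 -
Kaspersky 7.0.0.125 2010.05.06 Packed.Win32.Krap.ai
McAfee 5.400.0.1158 2010.05.06 -
McAfee-GW-Edition 2010.1 2010.05.06 -
Microsoft 1.5703 2010.05.05 -
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Norman 6.04.12 2010.05.06 -
nProtect 2010-05-06.02 2010.05.06 Trojan.FakeAlert.CCA
Panda 10.0.2.7 2010.05.05 Suspicious file
PCTools 7.0.3.5 2010.05.06 -
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Rising 22.46.03.04 2010.05.06 -
Sophos 4.53.0 2010.05.06 Mal/FakeAV-CZ
Sunbelt 6267 2010.05.06 FraudTool.Win32.SecurityTool (v)
Symantec 20091.2.0.41 2010.05.06 -
TheHacker 6.5.2.0.277 2010.05.06 -
TrendMicro 9.120.0.1004 2010.05.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.06 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.6.2304 2010.05.06 -
VirusBuster 5.0.27.0 2010.05.06 -
"""
SECTION_TABLE = """\
.text 0x1000 0x58000 0x57400 7.79 c8a376ad4f177f3ae434902b7b8f4a8f
.rdata 0x59000 0x1000 0x200 3.79 6d3e2283fc369479980764aca0706a36
.trash 0x5a000 0x80000 0x7f200 7.79 4579192af1340dc0f8377086beb4767c
.rsrc 0xda000 0xa3000 0x2000 5.14 00d9d5b447b6a0236d734be8ae5af459
.reloc 0x17d000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
"""

# engine, version, update date (yyyy.mm.dd), then the result or "-"
AV_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")
# name, virtual address, virtual size, raw size, entropy, md5 of raw bytes
SECTION_ROW = re.compile(r"^(\.\w+)\s+0x([0-9a-fA-F]+)\s+0x([0-9a-fA-F]+)\s+"
                         r"0x([0-9a-fA-F]+)\s+([\d.]+)\s+([0-9a-f]{32})$")
MD5_OF_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"
# Rule of thumb for the example: common compiler-emitted section names.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".pdata", ".tls"}


def parse_av_table(text):
    """Map engine name -> detection string, or None where the engine saw nothing."""
    results = {}
    for line in text.splitlines():
        m = AV_ROW.match(line.strip())
        if m:
            engine, _version, _date, result = m.groups()
            results[engine] = None if result.strip() == "-" else result.strip()
    return results


def detection_ratio(results):
    return sum(1 for r in results.values() if r), len(results)


def count_mentioning(results, token):
    """How many detection names contain `token` (case-insensitive)."""
    return sum(1 for r in results.values() if r and token.lower() in r.lower())


def parse_sections(text):
    sections = []
    for line in text.splitlines():
        m = SECTION_ROW.match(line.strip())
        if m:
            name, _va, vsize, rsize, entropy, md5 = m.groups()
            sections.append({"name": name, "virtual_size": int(vsize, 16),
                             "raw_size": int(rsize, 16),
                             "entropy": float(entropy), "md5": md5})
    return sections


def packing_indicators(sections, entropy_threshold=7.0):
    """(section, reason) pairs a reviewer would flag before trusting the scan verdicts."""
    flags = []
    for s in sections:
        if s["entropy"] >= entropy_threshold:
            flags.append((s["name"], "high entropy"))        # packed/encrypted
        if s["raw_size"] == 0 or s["md5"] == MD5_OF_EMPTY:
            flags.append((s["name"], "no raw data on disk"))  # filled at runtime
        if s["name"] not in STANDARD_SECTIONS:
            flags.append((s["name"], "non-standard section name"))
    return flags


if __name__ == "__main__":
    av = parse_av_table(AV_TABLE)
    print("detections: %d of %d engines" % detection_ratio(av))
    print("names mentioning 'fake':", count_mentioning(av, "fake"))
    for name, reason in packing_indicators(parse_sections(SECTION_TABLE)):
        print(f"{name:8} {reason}")
```

The point of pairing the two tables is that the section data explains the scan result: nearly random .text and .trash sections mean the scanner only sees a packer stub, which is why most engines that did fire used generic names (Krap, Kryptik, "Suspicious file", "Cloaked Malware") rather than a FakeAlert signature.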

In March the Senate Sergeant at Arms traced the source of an infection back to Drudge. People thought that was politically motivated. Drudge is a high-value target due to the number of visitors. Is there anything he should be doing differently? I think he needs to be holding his ad company to a higher standard and switching companies if they continue to allow these malicious ads to sneak in.

Staging Virus Definition Updates

In the wake of McAfee’s false positive that rendered Windows XP computers unbootable there has been a lot of talk. What I wanted to talk about today was the staging of virus definition updates. I saw a lot of comments that companies took the McAfee update and deployed it company-wide without any testing.
I don't know of companies of any size that would roll out any other patches without testing. Or I shouldn't say testing so much as rolling it out to a small group of users, followed by a bigger group, then all. Even if no tests are performed, the computer is at least used after the update and shown to still handle everyday tasks.
Yet companies have given in to the virus definition update race and update definitions between 365 and 5000 times a year without any testing at all.
Depending on your vendor, virus definitions come out between 1 and 20 times per day. Do you really want to be the choke point that prevents your company from being as fully protected as it could be? I gave up on that after the time I had to drive back from an awards dinner and run down a hallway yelling "hit update now, hit update now". (I needed the email gateway antivirus updated.)
Perhaps I'm going to feel really stupid when Symantec does the same thing next year. But I still feel our protection is better for having up-to-date definitions. Perhaps as a middle ground I could apply Rapid Release definitions to my own computer.
More and more antivirus vendors are going to the cloud or going to the community to provide intelligence on the validity of a file. As antivirus vendors take to the cloud, any staging/testing of virus definitions is only part of the equation. You can't test the cloud in small groups.

Symantec False Positive in Flash install file

I noticed a bunch of computers reporting install_flash_player.exe as a Trojan Horse this morning. My first stop was the Symantec Forum where a bunch of users were already discussing this.
Since it appeared to be a false positive in an older install file for Adobe Flash, I set out to see which version of Flash was getting hit. Adobe has an archive of Flash players. I downloaded a zip with every version of Flash 10 and unzipped it to my hard drive. I got a detection on flashplayer10r22_87_win.exe. Once that was quarantined, the easiest thing to do was go into my local quarantine, right-click and submit to Symantec.
A Symantec support employee pointed out the KB for false positives and the virus submission website https://submit.symantec.com/websubmit/gold.cgi. To use that I would have had to disable real-time protection and unquarantine the file. So it was easier to submit from within Symantec. I'm running 1/27 r49 definitions.

SEPM Y2k.1

As anyone using Symantec Endpoint Manager (SEPM) to manage SEP11 clients should already know, SEPM has an issue where it thinks virus definition updates from 2010 are older than updates from 2009.
If you aren’t on top of this, you should be subscribed to Symantec emails here. I’d also apparently subscribed to something at the Symantec Forums at www.symantec.com/connect.
Symantec is just now starting to push out patches. Currently patches are available for 11.0.3. Keep an eye on this knowledge base article for updates.
So far this has caused three problems that I care about.
1. We use Forescout Counteract to monitor for virus definitions more than a week out of date. I came in one day and found all my computers in the “old definition” group. The defined action was run live update once. That wasn’t too big a problem.
2. Like most SEP admins, I have SEP configured to use SEPM for updates when on my corporate LAN or VPNed in, but use Symantec's LiveUpdate servers when on the Internet. It's important for people to get updates even when away from the office, and that is a simpler solution than putting a LiveUpdate server in the DMZ. The problem is the Y2K.1 issue was specific to SEPM. As a result Symantec foolishly used different virus definition numbers for their LiveUpdate servers and for updates through SEPM. So my internal clients are getting 12/31/2009 rev xyz definitions (where xyz is an incrementing number) and people who update directly from Symantec get normal updates dated today. If you are external to the company and you update from Symantec, your defs are dated 1/10/2010. If you go back to work, the defs offered from the server are 12/31/2009. You'll never get updated while on the corporate network until Symantec fixes the original problem. To my understanding you are now out of date. Kind of a big problem.
3. Symantec by default notifies users of managed clients when the virus definitions are more than 30 days old. I take this to mean that unmanaged systems get no notification by default. In my environment managed systems are set to notify users if the virus definitions are more than 14 days out of date. Since we're coming up fast on January 14th, I've disabled the notification. Of course any computer that isn't on our network in the next couple of days won't get the new configuration.
Hopefully Symantec will get this issue resolved soon. Not sure why they couldn’t be ready to patch all SEPM builds at once. Why is MR3 so favored?

Antivirus Exclusions

For many years Microsoft has had an exclusion list of files and folders that antivirus should not scan. I've seen similar knowledgebase articles from antivirus vendors. For some reason this became blogworthy over at TrendMicro. That has set off the usual echo chamber of anti-Microsoft handwringing. (Wait a second, an echo chamber of handwringing? Exactly how loud is that? Stop mixing metaphors.)
A lot of people have the knee-jerk reaction "oh no, the virus writers will start putting their viruses there." The TrendMicro blogger isn't as worried about the exclusions as he is about the public knowledge of the exclusions: "Now, although it actually makes sense to stop checking ...we are concerned by the fact that this was released publicly." I laughed out loud when I read that. Security through obscurity is no security at all. If you don't tell antivirus administrators what to exclude from scanning, just who are you going to be sharing this mystic secret with?
All the articles I've read imply that the only reason to make antivirus exclusions is performance. Exclusions can also be necessary to allow a product to work correctly. Data integrity is a valid reason for an antivirus exclusion, I think.

Unlike what some people think, exclusions aren't just for the performance of scheduled scans. On the contrary, they are more needed for real-time scanning: lots of files being created in a folder and deleted, and so on. That is a real-time scan situation.
Microsoft's KB is clearly aimed at system administrators, not home users, in this writer's opinion. Excluding a file from scanning is not a white flag of surrender. Endpoint security suites may still have IDS, proactive and firewall components. The malware will need to beat the antivirus to get on the system in the first place.
I guess I got my hand-wringing out of the way on this one five years ago. Strangely, TrendMicro did too. Their own knowledgebase has instructions with some recommended exclusions to solve problems with Shadow Copy and SQL.

Kaspersky False Positive in gosearch.gif

Kaspersky is detecting gosearch.gif as Trojan.JS.ramif.a.
gosearch.gif is a standard magnifying glass icon used in SharePoint as a search button.
I submitted this to Kaspersky and they concur it's a false positive, so hopefully updated defs will be out shortly.

SEPM Upgrade Travails

Last night I started upgrading Symantec Endpoint Protection 11.0.4 to 11.0.5. I've been doing these upgrades since 7.0.1 and they rarely go smoothly; this one did not disappoint. As with most of these debacles, the development server upgraded without an issue.
The production server looked like it installed cleanly until I went to start the SEPM service after the install. The service exited immediately after installing. I searched symantec.com/connect and symantec.com/techsupp (support forums and knowledgebase). I got some logs to check and things to verify, and I did a repair install multiple times. Ultimately I didn't see a solution.
I initiated the disaster recovery procedures documented in the knowledgebase (and in a corporate document I wrote). First I made sure that my backed-up keys and passwords were still good. Then I uninstalled SEPM and reinstalled it. As it was approaching 3:30 AM I decided to let the database restore run while I slept.
The next day I continued the DR procedures and found the GUI wouldn't allow me to use what I thought the database password was. I unnecessarily went down the road of changing the password through ODBC. It turned out I was using the wrong password (which happened to use characters the GUI would not allow).
Once the database password was found, I had a new problem. I was restoring from a backup of the database, and of course the database had an old schema. I tried a couple of things to get it to upgrade. I believe it was an upgrade.cmd file that did the trick.
At that point I was able to log into SEPM, and I verified that my configuration was still there and my clients were able to report in.
The (hopefully) last little piece of this struggle was finding 11.0.5 missing under client install packages. I believe the database restore was what caused that to go missing. I found instructions to manually import it.