Archive for the ‘Antivirus’ Category.

Symantec Source Code Stolen

Source code for Symantec Endpoint Protection 11 and Symantec Antivirus 10 has been stolen. According to speculation in news reports, the source code had been provided to the Indian government and was compromised from their servers. Security companies often provide source code to be able to sell software in a country. I suppose they are worried about NSA backdoors.  This hack highlights the problems with loaning out your source code.

Symantec downplayed the severity of the report, saying SAV 10 is no longer sold (end of support in July 2012) and SEP 11 is 4-5 years old.

Even if the source code was from an earlier version, I am confident the source code doesn’t change that much within a major build. Symantec Endpoint Protection 11 may have initially been released 4 or 5 years ago (can that be right?), but it is still the main version in use today. Its successor, SEP 12.1, was only released in July, and most people would wait before deploying it.

I was a bit surprised by some of the reactions to this disclosure. Rob Rachwald of Imperva says there is “not much hackers could learn from it” because they already analyze antimalware products. The Atlantic Wire quotes Bruce Schneier as saying it isn’t a big deal.

I think it is a big deal. Antivirus products do have vulnerabilities. Antivirus products are widely deployed, and often it is possible to find out what a particular company is using. Isn’t code analysis easier than black-box testing or reverse engineering the code? Depending on how diligent Symantec has been, I think this could lead to more security updates for Endpoint Protection.

Chris Parden, a Symantec spokesman, says they are developing a remediation process for enterprise customers still using affected products.

Scanning External Drives on Connection

Over on Symantec Connect (the Symantec support forum), I frequently see people ask about the ability to automatically scan a removable drive when it is connected to a system.   They also submit it as an “idea”.   The Idea section is where you can make product suggestions that users can discuss and vote up or down.

I often wonder where this idea comes from, because it seems like a particularly bad idea. It seems like someone decided that was the only way to solve the problem of USB-based malware like Conficker. That isn’t the case, and it can be very inconvenient.

If I connect a 1 Gb drive to the system, do I really want to wait while Symantec Endpoint Protection scans the full drive? I don’t think so. Endpoint Protection can disable autorun, solving 80% of the malware problem, and real-time scanning will still scan files as they are actually used.

Like most bad ideas this requirement comes from hardening guides and auditors.  I was reading the Critical Security Controls and found the following:

Quick wins: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

As I said, I think a full drive scan is completely unwarranted.   Do any other antimalware products have this capability?

Android Malware

Android malware has certainly been in the news a lot this week.

First, I read an AV-Test report that found the free antivirus for Android is garbage. In an on-demand scan, “the best free app was Zoner AntiVirus Free with 32% detected malicious apps. All other scanners detected at best 10% of the apps, some didn’t detect anything at all.” Yikes. F-Secure and Kaspersky were included for comparison. The commercial apps detected 50% of the malware on an on-demand scan and blocked all malware on attempted install.

Then we had Chris DiBona’s blog post (or should I say Google+ post) in which he lets his zeal for open source completely whitewash any security concern on any phone (besides Windows of course).

He ignores issues with trojaned apps because they will eventually be found and removed from the app store.   By that time you’ve already fallen prey to the malicious app stealing the login credentials you use on the banking app.   But that’s ok.   The Operating System wasn’t infected so it must not have been a virus (huh?).

I think the article would have been better with less venom and open source bluster. 

Then we hear from Fortinet that Android malware surged in 2011. It makes sense that malware would see an uptick as adoption increases.

While the numbers aren’t huge, the uptick is interesting. The type of attacks may be limited by the mobile phone security model, but that doesn’t mean they are malware free.

  • Geinimi – Android’s first botnet
  • Hongtoutou – trojaned wallpaper app; steals IMEI and IMSI
  • DroidKungFu – information stealer, botnet
  • JiFake – fake IM app, toll fraud
  • BaseBridge – toll fraud

As we discuss corporate security policies for mobile phones, we need to consider the applicability of antivirus requirements. While it is important to look out for marketing FUD, we don’t need to take the Baghdad Bob position and claim there is no malware on mobile operating systems either.

While today’s Android malware consists of applications that are trojaned or installed by the user through social engineering, that doesn’t mean it will always be the case. The question I have is whether the antivirus operates at a level where it could detect OS-level infections, or whether it is really only a “malicious app” checker.

Paid antivirus for Android generally comes with other features, such as a phone locator and toll fraud prevention, that may make it desirable.

Update – Bruce Schneier weighs in with a post on Android malware. He links to a Juniper blog post concerning the issue of Android malware rooting phones because they don’t get patched.

SEP 12.1 RU1 Released

Symantec Endpoint Protection 12.1 RU1 is out.   The list of fixes and features is here.

I upgraded my test server no problem.   That is the server where everything always works out fine.

SEP 12.1 RU1 is version 12.1.1000.157. The previous version was 12.1.671.4971. So of course when you log into SEPM, click on Admin and Client Install Package, and sort by the version column, 12.1.671 is on top rather than 12.1.1000. Sigh. If I were picking version numbers, I would be careful to avoid numbers that often don’t sort correctly. So I’ll have to sort by the “created time” column to make sure I’m working with the correct package.

What’s New:
  • Mac Lion 10.7 support
  • Better support for mobile broadband adaptors that use NDIS6
  • Browser IPS for Firefox 5, 6, 7

None of the fixes jump out at me as something I’ve seen.

Symantec vs the LastPass Update

A new version of the LastPass toolbar was released late this week, and I dutifully installed it on my systems. During the installation, I was prompted by Symantec that fewer than 5 computers have been seen with this file, thus I should only install it if I am sure it is safe. I clicked Allow and continued the install. After the install, winbiostandalone.exe was detected as Suspicious.Cloud.5.

According to Symantec:

Suspicious.Cloud.5 is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

So Symantec has become much more aggressive at tagging unknown files as suspicious, and also uses aggressive heuristics to block files that have “bad” behavior. Symantec suggests that software developers submit their applications and new versions to https://submit.symantec.com/whitelist/isv/. Unfortunately it looks about as responsive and communicative as submitting to the App Store. The form says it will take “a number of weeks” to whitelist software, and you won’t hear back if your request is denied. If your application development includes a Release to Manufacturing period, then you might have time for this delay. When you’re just releasing an update, I can’t imagine waiting on Symantec to whitelist your app. I can’t imagine a true application whitelisting product like Bit9 taking so long.

The file winbiostandalone.exe, according to the LastPass forum thread discussing this issue, is used with the fingerprint reader.   So if you don’t use a fingerprint reader with LastPass you can just ignore this.   I submitted the file detection as a false positive, but from what the Symantec forum says it is now a 72 hour turnaround for that report.

So what do you do? As an individual, you probably just ignore it. It is not an actual virus. An enterprise SEP admin could add whitelisting of the files involved and the download site. What about other applications? As I roll out SEP 12.1 to more employees, I figure I’ll be seeing a lot more issues like this.

Symantec Report on Chemical Industry Phishing

Symantec published a report earlier this week about an attack on the chemical industry. They call this attack Nitro.

In one example of the attack, an encrypted 7zip file is used.   Encryption prevents scanners from examining the contents of the file.

Some SMTP gateways block encrypted files by default. Most places find that hurts productivity more than it helps.

PhishMe asks if your employees have been trained on how to respond to password protected files.   Their phishing training can cover this.

A third option is to look at a vendor who will use every word in the message body as a password on the encrypted file. This doesn’t help in attacks where the password is in a second email. One could also wonder, if you’re specifically targeted, whether the attacker will try to obfuscate the password in some manner so that one pattern is visible to the user while a computer would read it a different way. Would a passphrase confound this type of attack? Obviously the file must be detectable as a virus by whatever antivirus you are using as well.
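The “every word in the body as a password” approach described above, as an added example that is not Symantec’s, PhishMe’s, or any vendor’s code: the lure text is a constructed sample (not a Nitro artifact), and the label words and archive handling are my own assumptions. A password stated in the body is found; one promised in a second email is not.

```python
import re
from email import message_from_string
from typing import Callable, Iterator, Optional

# Constructed lure in the style described above (not a real Nitro sample):
# the archive password is stated in the body, with a visual oddity ("pass-word").
SAMPLE_MAIL = """\
From: it-support@example.invalid
To: user@example.invalid
Subject: Critical security patch
Content-Type: text/plain

Please apply the attached patch today.
The archive is protected; the pass-word is: Qw3rty!2011
Regards, IT Support
"""

# Words that commonly label a password in lure text (assumed list); tried first.
LABELS = ("password", "passwd", "pass-word", "pass", "pwd")
LABEL_RE = re.compile(r"(?:%s)\s*(?:is)?\s*[:=]?\s*(\S+)"
                      % "|".join(map(re.escape, LABELS)), re.IGNORECASE)

def body_of(raw_mail: str) -> str:
    """Plain-text body of a single-part RFC 822 message."""
    return message_from_string(raw_mail).get_payload()

def candidate_passwords(body: str) -> Iterator[str]:
    """Yield de-duplicated candidates: labelled values first, then every word
    in the body, each as written and with surrounding punctuation stripped."""
    seen = set()
    labelled = (m.group(1) for m in LABEL_RE.finditer(body))
    words = (w for word in body.split() for w in (word, word.strip(".,;:!?\"'()[]<>")))
    for cand in (*labelled, *words):
        if cand and cand not in seen:
            seen.add(cand)
            yield cand

def find_password(body: str, check: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate accepted by check(), or None when the body
    holds no usable password (e.g. it arrives in a second e-mail)."""
    return next((pw for pw in candidate_passwords(body) if check(pw)), None)

def zip_checker(path: str) -> Callable[[str], bool]:
    """check() for a ZipCrypto-protected .zip via the standard library; a 7z
    archive as in the Nitro sample needs a third-party library (e.g. py7zr)."""
    import zipfile
    def check(pw: str) -> bool:
        with zipfile.ZipFile(path) as zf:
            try:
                zf.setpassword(pw.encode("utf-8"))
                return zf.testzip() is None   # every member decrypts and CRC-checks
            except RuntimeError:              # zipfile raises this on a bad password
                return False
    return check
```

Once a candidate opens the archive, the extracted contents can be handed to the scanner, which is the whole point of the exercise.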

The most basic phishing awareness would foil the pictured email. No major vendor would be mailing you patches.

More Fun with SEP GUIDs.

After fighting with duplicate hardware IDs in Symantec Endpoint Protection not that long ago, it was surprising to find the problem back again. Were these left over from the original problem, or was this a return engagement? And if it was a problem cropping up again, was it caused by someone forgetting to do the ghost load correctly, or something else?

Symantec Endpoint Protection uses a hardware ID as a GUID to differentiate clients. If a GUID is cloned to multiple computers, your reporting and policies are affected. We tend not to find these problems until we move a client to a new group and find other computers showing up in the new group instead.

It turns out the old SEP 11 instructions for preparing to clone an image don’t quite work with 12.1. With SEP 12.1 on Windows 7 64-bit, we found an additional copy of sephwid.xml at C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData\sephwid.xml. It wasn’t mentioned in the SEP 11 instructions, and every machine from the image ended up with the same hardware ID. If you are manually fixing duplicate GUIDs, keep that in mind.

It turns out there are instructions specifically for SEP12.1.

How to prepare a Symantec Endpoint Protection 12.1 client for cloning – http://www.symantec.com/docs/HOWTO54706

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients  – http://www.symantec.com/docs/TECH163349

They don’t give manual instructions (at the time of this writing) on removing the hardware ID in 12.1, but they do provide an executable for the job. I haven’t tested this exe out, but one thing bothers me. The instructions say if you use tamper protection you must disable it. If you require a password to stop the smc service you must disable that. We don’t use tamper protection, but we do require a password to stop the smc service using the smc -stop command. I wish they would allow me to provide the password at the command line as the sylink dropper tool can do. The good news is that by setting up a separate policy for these clients in order to disable the password requirement to stop the SMC, you can then identify the remnant accounts, based on the duplicate hardware ID, that could be deleted.

SEPM Database Fun

Tuesday morning I received an email no Symantec Endpoint Protection Manager admin wants to receive:

From: SEPM_Server@ [mailto:SEPM_Server@]
Sent: Tuesday, September 27, 2011 12:13 AM
To: Roger
Subject: Database is down

Message from:
    Server name: asdfasdf
    Server IP: x.x.x.x    
The Symantec Endpoint Protection Manager database has gone down and needs immediate attention.

I went through several likely candidates in the Symantec KB but couldn’t find anything to fix the issue. The database wouldn’t start. As a side note, has anyone else had issues with many search results in the Symantec KB being a “file not found”?

I ended up reinstalling SEPM and restoring a previous backup because I couldn’t get anything else to work.

The fun didn’t end there. The next day at the same time (midnight) the database died again. This time I called support first thing rather than after trying many solutions myself. It was the same as the day before. There was really nothing they knew how to do with the database down. I did the same uninstall/reinstall and database restore to get services back for the end users. After hours, I installed from scratch and configured much of it by hand. If you find your database backups are corrupt and need to do this:

1. Export all the policy files and any other setting that is exportable.
2. Make sure your configuration documentation is up to date. There are a lot of screens in SEPM, but you’ll be glad you screenshot every last one of them and kept it up to date.
3. Even without the database, you can use the recovery file so your clients are still able to check in. Otherwise they’d need a reinstall or a sylink.xml.
4. In the tomcat/etc directory under the SEPM install, edit conf.properties and change scm.agent.groupcreation to true. Restart SEPM. This allows clients to create the groups they were previously assigned to. Otherwise all clients would end up in the default group. Even after creating a new group, the group ID wouldn’t match and you would be stuck moving all clients manually.

I spent three long nights on this issue.    I was very glad to have “Essential” support so I could get support on the line outside business hours.    Hopefully this was a one time issue.   I suspect the database was a little hinky after the upgrade to 12.1.

Great Experience with Symantec Support

I had the best experience with Symantec support today.   Late last night I put in a ticket for an issue with Endpoint Protection.   When I got into work this morning I heard back from a guy who tracked down the answer.   As I understand, he saw the issue in the wrong queue and snagged it.   I knew it was a tough problem, but he knew exactly what to do.  

I know it sounds dumb, but it was such a good experience, it really brightened my day and I had to tell someone about it.

SEP 12.1 Released

Symantec Endpoint Protection 12.1 was released on July 5th.   A post on Symantec Connect says they are deploying the upgrade licenses via snail mail and sending in alphabetical order.   To a certain extent, I can sympathize with a desire to not overwhelm support.   But I feel that people who participated in the beta program should be given access to the bits immediately.

I logged into https://licensing.symantec.com and selected Version Upgrade. Next I selected “I Don’t Have an Upgrade ID”. Select your customer number and select Upgrade on the following screen. If none of the ones listed give you a SEP upgrade, you’ll need to find your license PDF and use the customer number associated with the purchase of SEP.

I then had a valid serial number to use at https://fileconnect.symantec.com. After downloading the bits, I found that unfortunately SEP 12.1 requires me to use a license file. I figured this might be coming. In SEP 11, Symantec required small businesses to use license files. I haven’t had to use a license file since we started using Symantec Antivirus more than 10 years ago. I feel like this is only an unnecessary complication.

Next I began working on an upgrade plan.   I currently am running SEPM on a Windows 2003 server.   This seems like a good time to change that to Windows 2008 R2.   One method would be to bring up a second server with Windows 2008 R2 and SEPM 12.1.   I prefer to keep my computers reporting to a server with the same name and IP.   That means I’ll be using a disaster recovery scenario.  

The first issue I’m finding is a lack of documentation for recovering SEP11 recovery files into a SEP12 server.  I’m thinking I may be better off upgrading the existing server to SEP 12.1 and performing a DR backup, then turn the server off and bring up the Windows 2008R2.    Another possibility is to put SEP11 on the Windows 2008R2 server and then upgrade it to SEP12.   I prefer to keep the new server “cleaner” than that.

I would think this would be a relatively common scenario.   But all I can find is the linked Symantec knowledge base article that states SEP11 DR files can’t be imported into the standard SEP12 DR files.   I understand that.  But I would still think it could be done manually.

I’ll be trying to get some more answers before doing the upgrade, even in the test environment.