Archive for the ‘Antivirus’ Category.

SEP 11 RU6 MP3 Released

Symantec released Maintenance Patch 3 for SEP 11.0.6 this week.

Changes and fixes are listed in the Symantec knowledge base.

Release notes are here.

Win7 SP1 SEP Support

Ouch!

Symantec has posted a knowledge base article.   Symantec Endpoint Protection will not support Service Pack 1 for Windows 7 or Windows 2008 R2 until SEP 11.0.7 (11.0 Release update 7).

There are no known issues.   They just aren’t going to certify it until 11.0.7.

Symantec Endpoint Protection 12 Announced

Today Symantec pre-announced Symantec Endpoint Protection 12.  You can sign up for the public beta now, although the beta bits are not immediately available.   It wasn’t stated whether this beta includes the server install or if it is client only. (update  - Good news! Symantec commenter reports beta will be the full install and not client only).   The full release is “later this year.”  

Why are we excited about this?   SEP11 has grown a bit long in the tooth.   While it gave vast performance improvements over Symantec Antivirus 10, the natives are growing restless.    SEP12 offers performance improvement, improved protection and is better designed for the virtualized environments found in many data centers.

The list of what’s new is at the link above (click the What’s New tab).

Why Microsoft cannot open Windows Update to third-party developers

This morning I saw a post from Larry Seltzer rehashing the argument that Microsoft should allow the deployment of third-party updates via Microsoft Update.  (He uses the older term “Windows Update”, which is for Windows products only.   Microsoft Update is the term for the update server for the broader group of Microsoft products.)   He argues that there are so many vulnerabilities that it is time-consuming to keep up with them all, and that it is difficult to verify the source of programs.

The ink hadn’t even dried on that post when antimalware firm ESET reported on malware they had found in the Microsoft Update Catalog.

Microsoft actually does include some third-party developed things in Microsoft Update.   They do this so you don’t have to install drivers every time you add new hardware or plug something into a USB port: Windows can update drivers from Microsoft Update.   In this case Microsoft was serving up a remote access trojan when it installed battery charger management software.

That is just a small example of what is feared both by the consumer and by Microsoft when we talk about opening up Microsoft Update to third-party developers.

ESET has a follow-up post from someone with insight into the antimalware scanning process for files available publicly at Microsoft.   Their author feels it is impractical to scan the terabytes of update files Microsoft already has posted, and not respectful to Mother Earth.   I think it is rather easy to say ‘let the consumer’s desktop antivirus detect it’ when it is no longer your reputation on the line, no longer your desktop getting infected, and you work for a desktop antivirus company.

As the ESET blog posts say, this is a rare event.   I fear it would be many times worse if Microsoft were also allowing multiple vendors to push their updates through Microsoft Update.   This is why Microsoft cannot open Microsoft Update to third-party developers.

Wishlist for SEP 12.1

Symantec Endpoint Protection (SEP) 11 is getting long in the tooth.   It was a huge step forward.   But I’m starting to look forward to the next release.   Symantec released a small business edition with version 12.   So I’m calling the next version of SEP, SEP12.1.    That isn’t official.   Here’s a list of what I’d like to see in SEP12.1.

Full 64 Bit Feature Parity
Enough is enough.   With the release of Windows 7, 64 bit is starting to be adopted by regular users.   Some companies have made 64 bit the standard for their Windows 7 corporate rollout.

Symantec does not currently support Application and Device Control on 64 bit.   Companies don’t want different levels of security for 32 versus 64 bit computers.    We use the Device Control part of Symantec to disable the wireless card when a wired connection is present, and I see that as critical functionality.   This is preventing us from using 64 bit laptops.   Further, the helpdesk, wanting to hold down complexity, is against mixing 32 bit laptops with 64 bit desktops: to avoid doubling the testing they want all computers on 32 bit or all on 64 bit.

I can no longer find the knowledge base article, but I recall there being less keylogger protection in 64 bit SEP11 due to kernel protections by Microsoft.   Not sure that one could be fixed without hooking the kernel outside of approved APIs.    (Not a good idea.)

Wireless Management
As I mentioned, I use Application and Device Control to disable wireless cards when a wired connection is present.   This is an important security control: it keeps a client that is on our wired network from also being reachable, and attacked, over wireless by someone in the parking lot.

The problem with the current method (besides the 64 bit issue I covered in the last section), is Symantec leaves it up to the SEPM administrator to manually add the device ID for each device they wish to block.   This is decidedly not cool.   Each time we start bringing in a new laptop model I need to update the block rule with the new device ID.   It’s not just wireless cards.   I’d like EVDO/3G wireless modems disabled as well.   Symantec should be doing this in a more automatic way.  

IPv6
Symantec Endpoint Protection 11 does not understand IPv6.   With the built-in firewall you can only allow or block it at the protocol level; you cannot write rules based on IPv6 source or destination addresses or ports.   I don’t think I need to belabor the point.   IPv4 address exhaustion is months away according to some reports, and some ISPs are already conducting IPv6 tests with end users.

IPv6 support is listed as in development and to be in the next major release.  

To the Cloud
Symantec did rather well in Gartner’s December 2010 Endpoint Protection Magic Quadrant.   I believe the in-the-cloud protection was even mentioned.   The problem is that in-the-cloud reputation scoring is currently only available for home users.    I believe all of Symantec’s major competitors already use this sort of community scoring as an extra layer of protection, and have for some time.

With in-the-cloud protection, a community-based reputation score is assigned to files so they can be treated appropriately.

I understand Symantec is a big company, but it needs to innovate protection, not lag behind while using other parts of the company (consumer) as test beds for new engines and new techniques.

Performance Improvements
I know that Symantec Endpoint Protection was a big step up over Symantec Antivirus 10 in terms of performance.   But that was many years ago.   According to some comparison numbers Endpoint Protection could use some speed improvements.   Not near the top of my list but worth mentioning.

Single Agent/ Single Console
Those of us using GuardianEdge for encryption are hoping to have a unified point of management.   One agent to upgrade.   One less thing to update, one less place to look for reports.

Some of these items are already listed at Symantec Ideas.   Some of them, like IPv6, are already known to be in the next major release.   At Symantec Connect, you can use the Ideas section to suggest a new feature or functionality, and vote or comment on other people’s suggestions.  

I don’t have a lot of complaints about SEP.   I do hope that a few of these things get cleared up in the next version.

Adobe Reader X Protected Mode and Antivirus

The sandbox functionality in Adobe Reader X is known to conflict with some antivirus products. 

I’ve installed Reader X at home with no issues.      A post in the Symantec Connect forums indicates Adobe Reader X cannot open on computers that use the Network Threat Protection component of Symantec Endpoint Protection.   The workaround for the moment is to disable Reader’s protected mode.    I don’t use Network Threat Protection at home which is why I didn’t see any issues there.

Not even to my desk

Walking into work through the South Lobby this morning I passed three monitors that normally have traffic, weather and footage from a traffic camera.   The traffic monitor displays traffic information from WTOP normally, but today it showed cgidoctor.com.   This page advised the user on how to remove fake antivirus infections.   Links to remove fake antivirus went to a second site containing malicious code.

The monitor is a touchscreen so I checked the history to see if anyone had been accessing something other than WTOP.com.   While that wasn’t an in-depth check, I think it’s safe to say that yet again WTOP served up a banner advertisement that contained Fake AV social engineering.

That normal sites could try to send you malware via banner ads is not surprising to most people reading this site.   URL filtering and antivirus are necessary, and so is a dose of common sense, since this kind of attack tries to trick you into installing the malware yourself rather than exploiting a vulnerability.

Authentium Command Antivirus False Positive

Authentium Command Antivirus on Friday detected a handful of Office documents as MSWord/Dropper.B!camelot.   I ran a couple of the files through VirusTotal and found Authentium was the only company detecting the file as a virus.   In some cases that would be a sign of being on the cutting edge of detection, but in this case it’s a sign of a false positive.

Friday, I tried to submit the false positives to Authentium using the instructions on their site but received no reply.   Today I followed up and was told that since I wasn’t a customer, they had no interest in fixing their false positive.   I could, however, report the false positive to Microsoft, who would then report it to them.    I’m going to argue with Authentium support a bit more.

[update:]
This will be fixed in an update later today.   Frustration relieved.   Probably partially self-inflicted.

That’s Not from the Copier

A lot of copiers now have the ability to scan documents and email the result as a PDF. I’ve never quite understood why people don’t take the time to change the default subject line (on a Xerox it is something like “Scan from a Xerox WorkCentre”) to something a bit more descriptive. Worse yet, I’ve seen people here send directly from the copier to an external recipient instead of sending the PDF to themselves, formatting the email a bit more and then forwarding it on.

We must not be the only ones with this habit; the bad guys are using it too. I just saw some virus alerts on our inbound email.

Subject: Scan from a Xerox WorkCentre Pro $3609550
Virus: Packed.Generic.306
From the Symantec website: “Packed.Generic.306 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from anti-virus software.”

No file name was listed in the virus alert, so I thought this might be a false positive. Since I don’t have access to release quarantined messages to myself, I checked the source IP. The IPs I checked were from Guatemala. Between that and the fake looking source email address, I’d say this is definitely malicious.

Update: Here’s a link to a Barracuda blog post on the subject.
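The checks above (does the message really come from one of our copiers, what did the relay chain look like, what is attached) are easy to automate at the mail gateway. Here is an added Python example, not from the original post and not any vendor’s code, that runs them over a constructed message shaped like the alert quoted above and over a constructed legitimate scan. The environment it assumes is hypothetical: copiers in 10.20.0.0/16 that send as scanner@example.org, and 203.0.113.44 (a documentation-range address) standing in for the foreign relay.

```python
"""Flag mail that imitates a copier's scan-to-email message.

Added example for this post, not the blog's or any vendor's code. Assumes
a hypothetical environment: our copiers sit in 10.20.0.0/16 and send from
scanner@example.org, so a "Scan from a Xerox WorkCentre" message from
anywhere else, or carrying an executable or archive, is suspect.
"""
import email
import email.utils
import ipaddress
import re
from email import policy

INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumption
COPIER_SENDERS = {"scanner@example.org"}                  # assumption
SCAN_SUBJECT = re.compile(r"^scan from a xerox workcentre", re.I)
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".zip")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def received_ips(msg):
    """Every bracketed IPv4 address in the Received: chain, our side first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in BRACKETED_IP.finditer(str(hdr)):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:      # e.g. 999.1.1.1 in a forged header
                pass
    return ips


def scan_mail_reasons(raw):
    """Reasons a scan-to-email message looks fake; [] if it passes or is not a scan."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not SCAN_SUBJECT.match(str(msg.get("Subject", "")).strip()):
        return []
    reasons = []
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in COPIER_SENDERS:
        reasons.append(f"sender {sender} is not one of our copiers")
    external = [str(ip) for ip in received_ips(msg) if not is_internal(ip)]
    if external:
        reasons.append("relayed through external host(s): " + ", ".join(external))
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            reasons.append(f"risky attachment {name}")
    return reasons


# Constructed samples, not real mail. The first mimics the alert quoted above.
PHISHY_SCAN = """\
Received: from mx.example.org ([10.20.1.5]) by mail.example.org; Fri, 21 May 2010 09:12:01 -0400
Received: from xerox-wc.local ([203.0.113.44]) by mx.example.org; Fri, 21 May 2010 09:12:00 -0400
From: Xerox WorkCentre <scan@xerox-wc-7755.com>
To: someone@example.org
Subject: Scan from a Xerox WorkCentre Pro $3609550
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document.
--b1
Content-Type: application/octet-stream; name="Xerox_Scan_3609550.zip"
Content-Disposition: attachment; filename="Xerox_Scan_3609550.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

LEGIT_SCAN = """\
Received: from copier-3f.example.org ([10.20.3.17]) by mail.example.org; Fri, 21 May 2010 09:40:12 -0400
From: scanner@example.org
To: someone@example.org
Subject: Scan from a Xerox WorkCentre
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/pdf; name="scan.pdf"
Content-Disposition: attachment; filename="scan.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("phishy", PHISHY_SCAN), ("legit", LEGIT_SCAN)):
        print(label, scan_mail_reasons(raw) or "looks like a real scan")
```

One caveat when you do this for real: only the Received: header written by your own edge MTA is trustworthy. Everything below it was supplied by the sender and can be forged, which is why the check above treats any external hop as a reason rather than trusting the bottom-most header as the true origin.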

Fake AV on Drudge

I was over at the Drudge Report last night and finally saw a fake antivirus social engineering attempt there. I’d heard before that the ads on Drudge often served that up, but it was the first time I ran across it myself.
On my work computers I have the full Symantec Endpoint Protection suite installed, and the IPS generally detects and blocks fake antivirus attempts. My home computer doesn’t have the firewall component of SEP installed, so it can’t have the IPS functionality. This means it’s relying on the antivirus scanner exclusively for detection. Of course that detected nothing.
I downloaded the inst.exe file. That’s the same file name I see in the fake antivirus attempts that are frequently made at pwinsider.com. You’d think the bad guys would avoid using the same file name all the time.
I got sidetracked and didn’t run the file through VirusTotal until this morning. 13 out of 41 engines detected the virus installer downloaded from a major site, a day later.

File inst.exe received on 2010.05.06 14:31:04 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
Antiy-AVL 2.0.3.7 2010.05.06 -
Authentium 5.2.0.5 2010.05.06 -
Avast 4.8.1351.0 2010.05.06 -
Avast5 5.0.332.0 2010.05.06 -
AVG 9.0.0.787 2010.05.06 -
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.06 -
Comodo 4779 2010.05.06 -
DrWeb 5.0.2.03300 2010.05.06 Trojan.Fakealert.15369
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7471 2010.05.06 Win32/FakeAlert.E!generic
F-Prot 4.5.1.85 2010.05.06 -
F-Secure 9.0.15370.0 2010.05.06 Trojan.FakeAlert.CCA
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.06 Trojan.FakeAlert.CCA
Ikarus T3.1.1.84.0 2010.05.06 -
Jiangmin 13.0.900 2010.05.06 -
Kaspersky 7.0.0.125 2010.05.06 Packed.Win32.Krap.ai
McAfee 5.400.0.1158 2010.05.06 -
McAfee-GW-Edition 2010.1 2010.05.06 -
Microsoft 1.5703 2010.05.05 -
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Norman 6.04.12 2010.05.06 -
nProtect 2010-05-06.02 2010.05.06 Trojan.FakeAlert.CCA
Panda 10.0.2.7 2010.05.05 Suspicious file
PCTools 7.0.3.5 2010.05.06 -
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Rising 22.46.03.04 2010.05.06 -
Sophos 4.53.0 2010.05.06 Mal/FakeAV-CZ
Sunbelt 6267 2010.05.06 FraudTool.Win32.SecurityTool (v)
Symantec 20091.2.0.41 2010.05.06 -
TheHacker 6.5.2.0.277 2010.05.06 -
TrendMicro 9.120.0.1004 2010.05.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.06 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.6.2304 2010.05.06 -
VirusBuster 5.0.27.0 2010.05.06 -
 
Additional information
File size: 887824 bytes
MD5…: 2e797ae47b533739a234ffd66d736a55
SHA1..: d3a984790a2d83f33db3b7791d540f259eb1ef34
SHA256: 05a094eb2512b0df90b98e8789ce9166049749dc428d38561d805c577ec52202
ssdeep: 24576:j9r0ObkXlgxp3JEFp56d1Ctz7YQn7jPff7l0xm6U:j6pwp5Ap0A4GPfKzU
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp…..: 0x42f2757e (Thu Aug 04 20:07:26 2005)
machinetype…….: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x58000 0x57400 7.79 c8a376ad4f177f3ae434902b7b8f4a8f
.rdata 0x59000 0x1000 0x200 3.79 6d3e2283fc369479980764aca0706a36
.trash 0x5a000 0x80000 0x7f200 7.79 4579192af1340dc0f8377086beb4767c
.rsrc 0xda000 0xa3000 0x2000 5.14 00d9d5b447b6a0236d734be8ae5af459
.reloc 0x17d000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 2 imports )
> ntdll.dll: DbgPrint, DbgPrompt, NtPulseEvent, RtlUlongByteSwap, atan
> KERNEL32.dll: GetModuleHandleA, CreateFileA, GetLastError, WriteFile, ReadFile, GetVersionExA, ExitProcess, CloseHandle, GetCurrentProcessId, GetCurrentProcess, GetCurrentThreadId

( 0 exports )

RDS…: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
sigcheck:
publisher….: n/a
copyright….: n/a
product……: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…..: n/a
signers……: -
signing date.: -
verified…..: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=58CECCFE103F91A08CFD0D13520C63001BD0C5B4
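Two rules of thumb run through these posts: a file that only one engine flags (the Authentium Office documents) is more likely a false positive than an early detection, and a PE whose sections are near-random, oddly named, or far larger in memory than on disk, with a handful of imports, looks packed, which is what a heuristic like Packed.Generic.306 is keying on. Here is an added Python example, not from the original post and not VirusTotal’s or Symantec’s code, that parses the kind of text report pasted above and applies both. The report text embedded in it is a trimmed copy of the inst.exe listing above plus a constructed four-engine report; the thresholds (entropy 7.0, 8x growth when mapped, fewer than 20 imports) are my rules of thumb, not any vendor’s published values.

```python
"""Triage a VirusTotal-style text report, the format pasted in this post.

Added example for this page; not the blog's, VirusTotal's or Symantec's code.
Thresholds below are rules of thumb chosen for illustration.
"""
import math
import re
from collections import Counter

DETECTION_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*\S)$")
SECTION_ROW = re.compile(r"^(\S+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)"
                         r"\s+([\d.]+)\s+[0-9a-f]{32}$", re.I)
IMPORT_ROW = re.compile(r"^>\s*(\S+):\s*(.*)$")
NORMAL_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".bss", ".tls", ".pdata", "code", "data"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_report(text):
    """Split a report into (engine, result) rows, PE section dicts and imports."""
    rows, sections, imports = [], [], {}
    for line in text.splitlines():
        line = line.strip().replace("×", "x")    # undo the '0×1000' mis-encoding
        if m := DETECTION_ROW.match(line):
            rows.append((m.group(1), m.group(4)))
        elif m := SECTION_ROW.match(line):
            sections.append({"name": m.group(1), "vsize": int(m.group(3), 16),
                             "rawsize": int(m.group(4), 16), "entropy": float(m.group(5))})
        elif m := IMPORT_ROW.match(line):
            imports[m.group(1).lower()] = [f.strip() for f in m.group(2).split(",") if f.strip()]
    return rows, sections, imports


def detection_summary(rows):
    hits = {engine: result for engine, result in rows if result != "-"}
    return {"engines": len(rows), "detections": len(hits),
            "single_engine_only": len(hits) == 1,   # the false-positive rule of thumb
            "names": sorted(set(hits.values()))}


def packer_indicators(sections, imports):
    """Reasons the PE looks packed or obfuscated, from section and import data."""
    reasons = []
    for s in sections:
        if s["name"].lower() not in NORMAL_SECTIONS:
            reasons.append(f"non-standard section name {s['name']}")
        if s["rawsize"] and s["entropy"] >= 7.0:
            reasons.append(f"{s['name']} entropy {s['entropy']:.2f} (near-random)")
        if s["rawsize"] and s["vsize"] > 8 * s["rawsize"]:
            reasons.append(f"{s['name']} grows {s['vsize'] // s['rawsize']}x when mapped")
    total = sum(len(v) for v in imports.values())
    if total < 20:
        reasons.append(f"only {total} imported functions")
    return reasons


# Trimmed copy of the inst.exe listing above (8 of the 41 engines kept).
INST_EXE = """\
File inst.exe received on 2010.05.06 14:31:04 (UTC)
Antivirus Version Last Update Result
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
Authentium 5.2.0.5 2010.05.06 -
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
Kaspersky 7.0.0.125 2010.05.06 Packed.Win32.Krap.ai
McAfee 5.400.0.1158 2010.05.06 -
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Symantec 20091.2.0.41 2010.05.06 -
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x58000 0x57400 7.79 c8a376ad4f177f3ae434902b7b8f4a8f
.rdata 0x59000 0x1000 0x200 3.79 6d3e2283fc369479980764aca0706a36
.trash 0x5a000 0x80000 0x7f200 7.79 4579192af1340dc0f8377086beb4767c
.rsrc 0xda000 0xa3000 0x2000 5.14 00d9d5b447b6a0236d734be8ae5af459
.reloc 0x17d000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
( 2 imports )
> ntdll.dll: DbgPrint, DbgPrompt, NtPulseEvent, RtlUlongByteSwap, atan
> KERNEL32.dll: GetModuleHandleA, CreateFileA, GetLastError, WriteFile, ReadFile, GetVersionExA, ExitProcess, CloseHandle, GetCurrentProcessId, GetCurrentProcess, GetCurrentThreadId
"""

# Constructed four-engine report shaped like the Office-document false positive.
DROPPER = """\
Antivirus Version Last Update Result
Authentium n/a 2010.10.22 MSWord/Dropper.B!camelot
McAfee n/a 2010.10.22 -
Microsoft n/a 2010.10.22 -
Symantec n/a 2010.10.22 -
"""

if __name__ == "__main__":
    for label, report in (("inst.exe", INST_EXE), ("dropper", DROPPER)):
        rows, sections, imports = parse_report(report)
        print(label, detection_summary(rows), packer_indicators(sections, imports))
```

On the inst.exe listing this picks out the 7.79-entropy .text and .trash sections, the .trash name itself, a .rsrc section that is 81 times larger mapped than on disk, and only 16 imports (and nonsense ones for a battery of DbgPrint/atan calls), which is the same picture the Packed.Generic.306 description paints. Treat both rules as hints: a single-engine hit on a document from a trusted source is a false positive until proven otherwise, but a single-engine hit on a fresh download is how the 13-of-41 result above looked the day before.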

In March the Senate Sergeant at Arms traced the source of an infection back to Drudge. People thought that was politically motivated. Drudge is a high value target due to the number of visitors. Is there anything he should be doing differently? I think he needs to hold his ad company to a higher standard and switch companies if they continue to let these malicious ads sneak in.