Staging Virus Definition Updates

In the wake of McAfee’s false positive that rendered Windows XP computers unbootable, there has been a lot of talk. What I wanted to talk about today was the staging of virus definition updates. I saw a lot of comments that companies took the McAfee update and deployed it company-wide without any testing.
I don’t know of companies of any size that would roll out any other patches without testing. Or I shouldn’t say testing as much as rolling it to a small group of users, followed by a bigger group, then all. Even if no tests are performed, the computer is at least used after the update and shown that everyday tasks still work.
Yet companies have given in to the virus definition update race and update definitions between 365 and 5000 times a year without any testing at all.
Depending on your vendor, virus definitions come out between 1 and 20 times per day. Do you really want to be the choke point that prevents your company from being as fully protected as it could be? I gave up on that after the time I had to drive back from an awards dinner and run down a hallway yelling “hit update now, hit update now”. (I needed the email gateway antivirus updated.)
Perhaps I’m going to feel really stupid when Symantec does the same thing next year. But I still feel our protection is better for having up-to-date definitions. Perhaps as a middle ground I could apply Rapid Release definitions to my own computer.
More and more antivirus vendors are going to the cloud or going to the community to provide intelligence on the validity of a file. As antivirus vendors take to the cloud, any staging/testing of virus definitions is only part of the equation. You can’t test the cloud in small groups.
Archive for the ‘Antivirus’ Category.
Symantec False Positive in Flash install file
I noticed a bunch of computers reporting install_flash_player.exe as a Trojan Horse this morning. My first stop was the Symantec Forum where a bunch of users were already discussing this.
Since it appeared to be a false positive in an older install file for Adobe Flash, I set out to see which version of Flash was getting hit. Adobe has an archive of Flash players. I downloaded a zip with every version of Flash 10 and unzipped it to my hard drive. I got a detection on flashplayer10r22_87_win.exe. Once that was quarantined, the easiest thing to do was go into my local quarantine, right-click and submit to Symantec.
A Symantec support employee points out the KB for false positives and the virus submission website https://submit.symantec.com/websubmit/gold.cgi. To use that I would have had to disable real-time protection, and unquarantine the file. So it was easier to submit from within Symantec. I’m running 1/27 r49 definitions.
SEPM Y2k.1
As anyone using Symantec Endpoint Protection Manager (SEPM) to manage SEP11 clients should already know, SEPM has an issue where it thinks virus definition updates from 2010 are older than updates from 2009.
If you aren’t on top of this, you should be subscribed to Symantec emails here. I’d also apparently subscribed to something at the Symantec Forums at www.symantec.com/connect.
Symantec is just now starting to push out patches. Currently patches are available for 11.0.3. Keep an eye on this knowledge base article for updates.
So far this has caused three problems that I care about.
1. We use ForeScout CounterACT to monitor for virus definitions more than a week out of date. I came in one day and found all my computers in the “old definition” group. The defined action was to run LiveUpdate once. That wasn’t too big a problem.
2. Like most SEP admins, I have SEP configured to use SEPM for updates when on my corporate LAN or VPNed in, but use Symantec’s LiveUpdate servers when on the Internet. It’s important for people to get updates even when away from the office, and that is a simpler solution than putting a LiveUpdate server in the DMZ. The problem is the Y2K.1 issue was specific to SEPM. As a result Symantec foolishly used different virus definition numbers for their LiveUpdate servers and for updates through SEPM. So my internal clients are getting 12/31/2009 rev xyz definitions (where xyz is an incrementing number) and people who update directly from Symantec get normal updates dated today. If you are external to the company and you update from Symantec, your defs are dated 1/10/2010. If you go back to work, the defs offered from the server are 12/31/2009. You’ll never get updated while on the corporate network until Symantec fixes the original problem. To my understanding, you are now out of date. Kind of a big problem.
3. Symantec by default notifies users of managed clients when the virus definitions are more than 30 days old. I take this to mean that unmanaged systems get no notification by default. In my environment managed systems are set to notify users if the virus definitions are more than 14 days out of date. Since we’re coming up fast on January 14th, I’ve disabled the notification. Of course any computer that isn’t on our network in the next couple of days won’t get the new configuration.
Hopefully Symantec will get this issue resolved soon. Not sure why they couldn’t be ready to patch all SEPM builds at once. Why is MR3 so favored?
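The three problems above all come down to how a definition version is ordered and how its age is measured. The following is an added example written for this page, not code from Symantec or from the original post. It parses the two version spellings that appear on this page (“20090915 rev.038 (Sequence 100395)” and “12/31/2009 rev NNN” / “1/27 r49”), orders them by calendar date first and revision second, measures staleness against a reference date, and walks through the roaming-laptop case from item 2: a client that took 1/10/2010 definitions from LiveUpdate is offered 12/31/2009 rev xyz by SEPM, refuses it because it is older, and then ages past the 7-day and 14-day thresholds from items 1 and 3. The specific revision numbers and the reference date are constructed for the example; the ordering rule is this example’s own and is not a claim about how SEPM’s comparison is implemented.

```python
import re
from datetime import date
from typing import NamedTuple, Optional


class DefVersion(NamedTuple):
    """A virus definition set: calendar date, same-day revision, optional sequence number."""
    day: date
    rev: int
    sequence: Optional[int] = None


# Two spellings seen on this page: "20090915 rev.038 (Sequence 100395)" from a Symantec notice,
# and "12/31/2009 rev NNN" / "1/27 r49" as written in the posts (the year is implied in the last one).
_COMPACT = re.compile(r"^(\d{4})(\d{2})(\d{2})\s+rev\.?\s*(\d+)(?:\s*\(Sequence\s+(\d+)\))?$", re.I)
_SLASHED = re.compile(r"^(\d{1,2})/(\d{1,2})(?:/(\d{4}))?\s+r(?:ev)?\.?\s*(\d+)$", re.I)


def parse_defs(text: str, assume_year: Optional[int] = None) -> DefVersion:
    """Parse a definition version string. A year-less 'M/D rNN' needs assume_year."""
    text = text.strip()
    m = _COMPACT.match(text)
    if m:
        y, mo, d, rev, seq = m.groups()
        return DefVersion(date(int(y), int(mo), int(d)), int(rev), int(seq) if seq else None)
    m = _SLASHED.match(text)
    if m:
        mo, d, y, rev = m.groups()
        year = int(y) if y else assume_year
        if year is None:
            raise ValueError("no year in %r and no assume_year given" % text)
        return DefVersion(date(year, int(mo), int(d)), int(rev))
    raise ValueError("unrecognised definition version: %r" % text)


def is_newer(candidate: DefVersion, installed: DefVersion) -> bool:
    """Order by calendar date first; the revision only breaks ties within one day.
    A large revision on an older date never outranks a newer date."""
    return (candidate.day, candidate.rev) > (installed.day, installed.rev)


def days_out_of_date(installed: DefVersion, today: date) -> int:
    return (today - installed.day).days


def is_stale(installed: DefVersion, today: date, threshold_days: int) -> bool:
    """The page mentions a 7-day NAC check and 14-day (default 30-day) user notifications."""
    return days_out_of_date(installed, today) > threshold_days


def simulate_roaming_client(liveupdate_defs: str, sepm_defs: str, today: date) -> dict:
    """A laptop updates from LiveUpdate on the road, then returns and is offered SEPM's defs."""
    installed = parse_defs(liveupdate_defs)
    offered = parse_defs(sepm_defs)
    return {
        "installed": installed,
        "offered": offered,
        "takes_update": is_newer(offered, installed),   # False: the offer is older, so it is refused
        "days_out_of_date": days_out_of_date(installed, today),
        "nac_flags_7d": is_stale(installed, today, 7),
        "user_notified_14d": is_stale(installed, today, 14),
    }


if __name__ == "__main__":
    # Constructed scenario: defs taken on the road on 1/10/2010, SEPM still serving 12/31/2009 rev 250,
    # checked on 1/25/2010.
    result = simulate_roaming_client("1/10/2010 rev 10", "12/31/2009 rev 250", date(2010, 1, 25))
    for key, value in result.items():
        print(key, value)
```

Run it and the client keeps its 1/10/2010 definitions, is 15 days out of date, and trips both the 7-day NAC group and the 14-day user notification, which is the situation described in items 1 to 3.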
Antivirus Exclusions
For many years Microsoft has had an exclusion list of files and folders that antivirus should not scan. I’ve seen similar knowledgebase articles from antivirus vendors. For some reason this became blogworthy over at TrendMicro. That has set off the usual echo chamber of anti-Microsoft handwringing. (Wait a second, an echo chamber of handwringing? Exactly how loud is that? Stop mixing metaphors.)
A lot of people have the knee-jerk reaction “oh no, the virus writers will start putting their viruses there.” The author of the TrendMicro blog entry isn’t as worried about the exclusions as he is about the public knowledge of the exclusions. “Now, although it actually makes sense to stop checking …we are concerned by the fact that this was released publicly.” I laughed out loud when I read that. Security through obscurity is no security at all. If you don’t tell antivirus administrators what to exclude from scanning, just who are you going to be sharing this mystic secret with?
All the articles I’ve read imply that the only reason to make antivirus exclusions is performance. Exclusions can also be necessary to allow a product to work correctly. Data integrity is a valid reason for antivirus exclusion, I think.
Unlike what some people think, exclusions aren’t just for the performance of scheduled scans. On the contrary, they are more needed for real-time scan exclusion: lots of files being created in a folder and deleted, and so on. That is a real-time scan situation.
Microsoft’s KB is clearly aimed at system administrators, not home users, in this writer’s opinion. Excluding a file from scanning is not a white flag of surrender. Endpoint security suites may still have IDS, proactive and firewall components. The malware will need to beat the antivirus to get on the system in the first place.
I guess I got my hand wringing out of the way on this one five years ago. Strangely, TrendMicro did too. Their own knowledgebase has instructions with some recommended exclusions to solve problems with shadow copy and SQL.
Kaspersky False Positive in gosearch.gif
Kaspersky is detecting gosearch.gif as Trojan.JS.ramif.a.
gosearch.gif is a standard magnifying glass icon used in Sharepoint as a search button.
I submitted this to Kaspersky and they concur it’s a false positive, so hopefully updated defs will be out shortly.
SEPM Upgrade Travails
Last night I started upgrading Symantec Endpoint Protection 11.0.4 to 11.0.5. I’ve been doing these upgrades since 7.0.1 and they rarely go smoothly; this one did not disappoint. As with most of these debacles, the development server upgraded without an issue.
The production server looked like it installed cleanly until I went to start the SEPM service after the install. The service exited immediately. I searched symantec.com/connect and symantec.com/techsupp (support forums and knowledgebase). I got some logs to check and things to verify, and I did a repair install multiple times. Ultimately I didn’t see a solution.
Initiated the disaster recovery procedures documented in the knowledgebase (and in a corporate document I wrote). First I made sure that my backed up keys and passwords were still good. Then I uninstalled SEPM, and reinstalled it. As it was approaching 3:30 AM I decided to let the database restore run while I slept.
The next day I continued the DR procedures and found the GUI wouldn’t allow me to use what I thought the database password was. I unnecessarily went down the road to change the password through ODBC. It turned out I was using the wrong password. (which happened to use characters the GUI would not allow)
Once the database password was found, I had a new problem. I was restoring from a backup of the database. Of course the database had an old schema. I tried a couple of things to get it to upgrade. I believe it was an upgrade.cmd file that did the trick.
At that point I was able to log into SEPM, I verified that my configuration was still there and my clients were able to report in.
The (hopefully) last little piece of this struggle was finding 11.0.5 missing under client install packages. I believe the database restore was what caused that to go missing. I found instructions to manually import it.
SEP 11.0.5
Symantec Endpoint Protection 11.0.5 is on Fileconnect. Release notes are posted here.
Symantec Dameware False Positive
“Symantec Security Response will post another set of LiveUpdate virus definitions today, 09/16/2009 at approximately 3PM Pacific. This posting is in response to a false positive (FP) on the ‘Dameware Remote Administration’ application. This FP was first released in definitions with version 20090915 rev.038 (Sequence 100395) IU. The detection has been corrected starting 20090916 rev.025 (Sequence 100419).”
Evaluating HTTP Security Solutions
While trying to eval a HTTP security solution I’ve been trolling for viruses by browsing Google Top Trends.
The vendor advertising their zero-day protection detects the virus even when VirusTotal has only one scanner detecting it (and not one used by this vendor). So they are showing off their zero-day protection rather well. The problem I have is that the incumbent protection, which would not have detected the virus with AV, was able to block the site completely with URL filtering.
I normally don’t think too much of URL filtering as protection anymore. Malware can be on legitimate sites. New sites that aren’t categorized come online. But for my extremely small sample set, it’s actually providing the same level of protection.
SEP11 and MS09-035
The vulnerability scanner is finding a bunch of systems with %windir%\system32\atl71.dll version 7.10.5057.0 and the registry key HKLM\Software\Microsoft\VisualStudio\7.1. This indicates that the system may be MS09-035 vulnerable. The patched version of atl71.dll is 7.10.6101.0.
I also have some systems that don’t have that registry key but have atl71.dll.
I decided to do some testing to determine how the file is getting on the computer. We haven’t rolled out Visual Studio .Net 2003, but clearly some application is putting it there.
A clean load of XP SP3 has no atl71.dll present on the system. However, after installing Symantec Endpoint Protection 11, I find that I have atl71.dll. This test system does not have the registry key.
So it appears that Symantec is using Microsoft’s ATL library and distributing a vulnerable version of the DLL.
I couldn’t find anything about this at the Symantec forums or in the knowledgebase. I may have to open a support ticket. I’m not sure I’m prepared for that kind of crap shoot today.
Symantec now has a knowledgebase article available. See comments on this post.
Symantec reports they are not actually vulnerable. A future version of SEP will have an updated file to avoid the detection by the vulnerability scanner.
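The scanner’s logic in this post rests on two signals, the atl71.dll file version and the HKLM\Software\Microsoft\VisualStudio\7.1 key, and the follow-up shows why a file version alone can be a false alarm when another product ships the DLL. The following is an added example written for this page, not the scanner’s rules or Symantec’s code. It compares the file version numerically against the 7.10.6101.0 patched version quoted in the post (string comparison would misorder a build number with more digits), turns the two signals into an action, and, on Windows only, reads the version resource through ctypes and checks the registry key through winreg. The outcome labels, the 32-bit registry view, and the 7.10.10000.0 version used to show the string-comparison pitfall are this example’s own assumptions.

```python
import os
import sys
from typing import Optional, Tuple

# From the post: the scanner flags atl71.dll 7.10.5057.0 together with the VisualStudio\7.1 key;
# the patched file is 7.10.6101.0.
PATCHED_ATL71 = (7, 10, 6101, 0)
VS71_KEY = r"SOFTWARE\Microsoft\VisualStudio\7.1"
ATL71_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32", "atl71.dll")


def parse_version(text: str) -> Tuple[int, ...]:
    """Compare file versions numerically: as strings, '7.10.10000.0' sorts below '7.10.6101.0'."""
    return tuple(int(part) for part in text.strip().split("."))


def atl71_is_vulnerable(version: str) -> bool:
    return parse_version(version) < PATCHED_ATL71


def classify(atl_version: Optional[str], has_vs71_key: bool) -> str:
    """Turn the two signals into an action. The labels are this example's own, not the scanner's."""
    if atl_version is None:
        return "clean: no atl71.dll"
    if not atl71_is_vulnerable(atl_version):
        return "patched: atl71.dll %s" % atl_version
    if has_vs71_key:
        return "vulnerable: Visual Studio .NET 2003 present, apply MS09-035"
    return ("review: atl71.dll %s without the VS 7.1 key; another product shipped the DLL, "
            "find out which one and check that vendor's advisory" % atl_version)


def read_file_version(path: str) -> Optional[str]:
    """Fixed file version from a PE version resource (Windows only; ctypes over version.dll)."""
    if sys.platform != "win32" or not os.path.isfile(path):
        return None
    import ctypes
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    data = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, data):
        return None
    ptr, length = ctypes.c_void_p(), ctypes.c_uint()
    if not ver.VerQueryValueW(data, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    fixed = (ctypes.c_uint32 * 13).from_address(ptr.value)  # VS_FIXEDFILEINFO as 13 DWORDs
    ms, ls = fixed[2], fixed[3]                               # dwFileVersionMS, dwFileVersionLS
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def vs71_key_present() -> bool:
    """Look for the VS 7.1 key (Windows only). Assumption: the scanner reads the 32-bit view."""
    if sys.platform != "win32":
        return False
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VS71_KEY, 0,
                            winreg.KEY_READ | winreg.KEY_WOW64_32KEY):
            return True
    except OSError:
        return False


def check_local_system() -> str:
    """Run the same two checks the post describes against this machine."""
    return classify(read_file_version(ATL71_PATH), vs71_key_present())


if __name__ == "__main__":
    print(check_local_system())
```

On the XP SP3 test box from the post, a fresh load reports “clean”, and the same box after a SEP 11 install lands in “review” rather than “vulnerable”, which matches the outcome Symantec later confirmed: the DLL is present but the product is not exposed, so the scanner hit needs the vendor’s word rather than a Visual Studio patch.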