Posts tagged ‘AntiSpyware’

Belt and Suspenders

CounterSpy end of life occurred on June 1st. I saw a post from someone whose company runs both a commercial antivirus product and CounterSpy. They were wondering what secondary product they could replace it with. I’m having flashbacks to 2007.

In the middle of the last decade, mainstream antivirus products were slow to adjust to the onset of spyware. Users’ computers would routinely get loaded down with browser toolbars and software that would serve ads, hijack pages and steal data. To combat this, products like PestPatrol and Webroot Spysweeper were deployed in the enterprise. (CounterSpy came out just after I made a purchasing decision, so it wasn’t evaluated.)

Eugene Kaspersky wrote, “there is no such thing as spyware”. He branded “spyware” a marketing term designed to sell new product when your existing anti-malware solution should be enough. It was a controversial stance if only because the major antivirus vendors in the US at the time were playing wait and see. The few of them that stuck their toe in the water by detecting adware/spyware were sued. The terms of service were plain as day, the plaintiffs argued.

Eventually we got to a point when, in my opinion, antispyware became redundant. I’m surprised to see anyone still WANTING to implement/manage a second anti-malware product, and that users would accept that overhead. I think if you need a second anti-malware product, then the first isn’t doing a very good job.

From the GFI link, it looks like they are offering free upgrades to VIPRE. In the forum, it sounds like you could use that as a scheduled scan, but you wouldn’t want to run two real-time antivirus scans at once.

Obviously I think a single antimalware solution is more than capable. If yours isn’t, I would suggest looking at alternatives such as VIPRE, SOPHOS, and Symantec Endpoint Protection.

A more complementary add-on would be URL blacklisting. I’ve written before about how a product like BlueCoat ProxyClient extends filtering to the laptops when they are outside the corporate network. Some anti-malware products may even have something like that natively.

What do you think? Are secondary scanners necessary for everyday use?

SEP 11.0.6

Symantec Endpoint Protection 11.0.6 is available on fileconnect. The release notes are here.
Release Highlights

•”Symantec Protection Center v1.0″ introduces a centralized management console with single sign-on to integrated Symantec applications including Endpoint Protection, Brightmail Gateway, Data Loss Prevention, Web Gateway, Critical System Protection, and IT Analytics
•”SEP Manager Web Console” delivers web-based access to SEP Manager in addition to the legacy JAVA console
•”SEP for Mac” provides integrated management and reporting of Mac and Windows clients in the SEP Manager
•Randomizing scan start time improves support for clients in virtualized environments
•The Symantec Endpoint Recovery Tool allows customers to scan and remove malware from client computers that the SEP client is unable to remediate effectively
•Enhanced default Antivirus and Antispyware security settings make SEP more efficient at detecting malware
•Includes fixes for over 155 customer-reported defects

One of the defects may be one I’ve had a case open on for more than a year.
Auto Location Switching does not recognize 144 Mb/sec 802.11n connections
Fix ID: 1927272
Symptom: Auto Location Switching does not switch a client to a 144Mbs wireless connection
Solution: Added support for a 144Mbps wireless connection.
I’m hopeful that this will solve the location awareness issues when 802.11n is used. I’ve been told that wouldn’t be fixed until RU6MP1. But we’ll see what this does.
Another writeup on the release is here.

VanMorrison.com Iframe

Saw a virus alert today. A user performed an AOL Search (that alone should be banned in our end user behavior policy) on “van morrison” (another termination offense). He/She clicked on a link for www.vanmorrison.com. The antivirus detected an iframe attack.
Manually looking at www.vanmorrison.com’s source, I currently see an iframe loading ‘http://iqsp.ru:8080/index.php’. Perhaps someone can remind me, aren’t there sites like VirusTotal where you can send them a link and they’ll tell you what’s up. I haven’t yet learned JavaScript deobfuscation, but that didn’t look like good stuff was happening.
So I took a sacrificial lamb system (still dangerous, don’t try this at home) and went to www.vanmorrison.com using various security systems to see what the result was.
Bluecoat – detected the virus on the site. Blocked Access to the entire site.
Scansafe – detected the virus on the site. blocked access to the entire site.
Purewire – site loaded. Wanted me to install Flash (seemed legit but I didn’t do it). Java started up. I was prompted to download a file and run an ActiveX control. I chose not to install the ActiveX control but I did download the file. It was a PDF file.
VirusTotal saw the PDF file first on October 16th (today is the 21st). Currently 13 out of 41 vendors are detecting this as a virus. Did I mention signature detection is dead dead dead.
Did you notice the link to the Russian site is on port 8080? I wonder how many HTTP security implementations are proxying 8080 traffic in addition to 80.
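The two things that made this iframe stand out, an external host and a non-standard port that a port-80-only proxy would never see, can be checked mechanically. The following is an added example for this post, not the author’s code or any product’s feature: a small Python audit that pulls every iframe out of a page body and flags the ones that point off-site, use a port other than 80/443, or are sized or styled to be invisible. The HTML and the hostnames in it (www.example.com, cdn.example.com, malicious.invalid) are constructed for the example.

```python
"""Flag suspicious <iframe> elements in a page body (added example, stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

STANDARD_PORTS = {"http": 80, "https": 443}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """Zero/one-pixel frames and display:none are the usual hiding tricks."""
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:            # percentages etc.: treat as visible
        width = height = 100
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (width <= 1 or height <= 1
            or "display:none" in style or "visibility:hidden" in style)


def audit_iframes(html, page_host):
    """Return [(src, [reasons...])] for iframes worth a second look.

    page_host is the hostname the page was served from; any other host is
    reported as external so a reviewer can decide whether it is a legitimate
    embed or an injected loader.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        url = urlparse(src)
        reasons = []
        if url.hostname and url.hostname.lower() != page_host.lower():
            reasons.append("external host")
        # port is None for URLs without an explicit port, i.e. the scheme default
        if url.port is not None and url.port != STANDARD_PORTS.get(url.scheme):
            reasons.append(f"non-standard port {url.port}")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one same-origin frame, one ordinary external embed,
# and one injected 1x1 hidden frame on port 8080 (placeholder host).
SAMPLE_HTML = """
<html><body>
<h1>Tour dates</h1>
<iframe src="/player.html" width="400" height="300"></iframe>
<iframe src="https://cdn.example.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://malicious.invalid:8080/index.php" width="1" height="1" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Run against a saved copy of a page (or the body returned by a fetch from an isolated host), it reports the external embed with a single reason and the injected frame with all three, which is the signal worth an alert; a frame that is merely external is left to human judgement. Pairing this with a proxy rule that treats port 8080 like port 80 closes the gap the post points out.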
Update 10/23/09
I see Sophos and eWeek have linked to this article. Thanks!
Pob is correct, the infection changed after I posted this entry. I went back yesterday to see if anyone cleaned it. I found the site on Google’s naughty list and the site had obfuscated code like his screenshots. Didn’t check on it today.

Firefox to Suggest Flash Updates

Firefox recently announced that a soon-to-be-released version will check for Flash updates in addition to updating Firefox. That should be helpful for end users.
As with any news people of course have their own axe to grind and put their own spin on things. Wolfgang Kandek writes about this development in a Qualys blog adding “Now we just need to convince Hillary Clinton to let the Department of State use Firefox.”
I don’t see how this change would cause an enterprise to switch browsers. In an enterprise this Firefox Flash update reminder should be pretty much worthless. If an enterprise has deployed Firefox then it has probably deployed Flash for Firefox. If it has deployed Flash for Firefox, then the company should be deploying updates for it. Enterprises have patch cycles and testing. They often disable built-in update mechanisms and deploy updates through SMS/Patchlink/Bigfix/etc. Is it possible for enterprises to disable this functionality, perhaps through FirefoxADM?
Far from being the crowning achievement in Firefox security, I think this Flash update checker could potentially be a problem. I notice the screenshot taken by Wolfgang does not show an SSL site in use when the user is prompted to upgrade. It seems to me that this Flash update mechanism is prime for phishing. Spyware for Firefox has already masqueraded recently as a Flash update. I think this update mechanism’s delivery method as shown in Wolfgang’s screenshot primes phishing victims.

MessageLabs HTTP Security Webcast

I watched a MessageLabs HTTP Security Webcast earlier today. I have evaluated their product both when they were reselling Scansafe and once since they implemented their own solution.
As anyone reading this site already knows, there was a big uptick in malware served by legitimate sites at the end of 2008. SQL injection and other tricks were used to get malicious code to load from legitimate websites. The old advice about “don’t click on this or that” just doesn’t work when it’s a common site compromised to serve the malware.
Spyware is even more sneaky. They use boxes that appear to be Windows Update. They pretend to be a needed codec. They masquerade as security software. They even get accepted as advertisements on legitimate banner ad networks.
As user details are stolen (such as in the Monster.com hack) or voluntarily disclosed on social network sites, a treasure trove of material for a targeted attack is put into the bad guys’ hands. That, combined with public data found on genealogy sites and voter registration rolls, makes it possible to craft emails that appear to be legitimate because they already know so much about you. The questions used to reset the password on your accounts are easy to find answers to, as many celebrities have experienced, much to their chagrin.
The need for advanced web security is obvious. With MessageLabs web security, they use two antivirus engines and a pared down version of their Skeptic heuristic engine. It’s my belief that this will provide better security than competitors.
What has kept me from implementing this solution in the past is the desire to avoid using a direct proxy. Transparent proxies work better in my opinion. MessageLabs provides a proxy for the corporate network so that internal usernames and IPs can make it to their logs (otherwise with NAT they’d only have your firewall IP as the source). I hear this proxy is a customized Squid proxy. While Squid supports WCCP, this is not something MessageLabs has supported to my knowledge. I looked at their instructions for Check Point to forward traffic transparently to MessageLabs. That did not solve the problem of their logs only having the firewall IP address.
While direct versus transparent is still a challenge, I did learn in this webcast that MessageLabs is going to be announcing a new feature next week that I’ve been looking forward to. While they didn’t say not to pass it on, I’m going to self-embargo. So hopefully I’ll get another blogging opportunity after I’ve checked out the new features.

Article: Flash Ads launch clipboard hijack

Link
We all know that malicious ads can be hosted by legit sites. Generally being fully patched (including third party apps) is a good protection against most attacks other than social engineering.
Ryan Naraine of The Zero Day Blog over at ZDNet reports that malicious Adobe Flash ads are being used to hijack the clipboard until the browser is closed.
I kind of expected to be protected against this because I set IE to prompt before allowing programmatic access to the clipboard. A proof of concept quickly disproved that theory.
Further searching the feeds I read regularly finds mention of this a week ago in the Spywaresucks blog.
Then this guy says he’s seen it back in July.
The domain injected into the clipboard is for the rogue security software “Antivirus 2008 XP”. The domain has been used for bad purposes going back to at least April 2008.

DNS Inkblot test

So Donna thinks that PC World is a victim of DNS Cache Poisoning.
What is the attack here? pcworld.com DNS resolves to 70.42.185.10, which according to an IP WHOIS is their IP address.
So what if removespyware.ru resolves to the same address. Unless they can modify the routing, I don’t see what they’ve accomplished other than getting Donna to add the IP to the Outpost firewall blacklist while invoking the name Dan Kaminsky.
If a site “malware.r.us” has a reputation for serving malware, and they change their DNS to resolve that URL to my website, why should my website be blocked? The biggest security problem here is the denial of service instigated by the Outpost personal firewall against an innocent website.
I guess when you’re looking for a DNS cache poisoning attack, everything looks like a DNS cache poisoning attack.

Sophos Endpoint Security Eval Thoughts

This week I began an evaluation of Sophos Endpoint Security. (Why do I get the feeling all over the country sales guys just perked up and began repeating “sales lead” to themselves?) Currently we’re using Symantec Antivirus 10. I’m looking to consolidate antivirus, antispyware and the personal firewall into one product. We also want more protection than signature based solutions can provide. For years I’ve wanted to go with Cisco Security Agent (although now I don’t want to add yet another agent); I’ve also considered McAfee Total Protection because it has the McAfee HIPS technology.
Sophos recently made big sales to Northrop Grumman and GE. This shatters the notion that they are only a small European AV vendor. Sophos sales tells a pretty good story, and they are nothing if not tenacious.
When I set up their enterprise console, I found, as they stated, it’s a lot simpler to manage than McAfee TPS and Symantec Endpoint Protection. When I got to installing the client I found a couple of things that really bother me.
1. McAfee and Symantec both provide mechanisms for locking the client configuration. With Sophos they create local groups: Sophos Administrator, Sophos Power User and Sophos User. The install on the client added every member of local administrators to the Sophos Administrators group. In our company employees have local admin rights, so this is kind of a problem.
Sophos’ answer to this is to use Restricted Groups in Group Policy to restrict membership in the Sophos Administrators group to whatever groups you specify. Additionally they use Group Policy to place NTFS file permissions on their XML configuration file.
This solution is simply not as granular as that provided by the competitor. With Symantec I can allow specific settings to be modifiable by the user. I can give the user the uninstall password if necessary. This solution doesn’t allow you to lock down settings on computers that are not members of your domain. This solution creates a dependency on group policy acting correctly. Informed local administrators may be able to add themselves to the group long enough to perform their rogue task.
2. Installing Sophos requires supplying a local administrator account for the machine where the installation is occurring. Since we generally deploy software through SMS, this means I’ll have to supply a password in the command line script. I believe that is specifically forbidden under NIST 800-53. It’s certainly bad practice. It also raises questions on how users outside the domain will install (home users, Windows computers in other domains).
I haven’t run across software with this requirement before. Either software runs as the user running the install (if they have admin rights) or you run the install as the sms install account.
When installing on a non-domain computer, I had a lot of problems getting the install to work and then successfully check in for updates.
3. The Sophos install creates a local administrator account. Now I’m sure it has a very strong password, but I’m just not comfortable with my software creating a local admin account. Symantec didn’t do that. McAfee didn’t do that.
I’ve been accused of writing off these endpoint security vendors too quickly. The way I see it, it doesn’t matter if the rest of the eval is perfect; if Sophos can’t answer to my satisfaction why they are doing things this way and why it isn’t a problem, I can’t go with this product.
Sophos has already gotten me to change some of my thinking. Their defaults include scanning program files only, scanning on read/execute only, and not scanning compressed files. It’s no wonder they claim to be faster than the competitor. In those cases, they had a good argument for their recommendations (although a sales engineer did recommend I scan on write too and ignore the manual on that point). These three issues may be too much for me to accept.
My sales engineer is out most of next week. I’m out Monday. I’ll post a followup when I get some answers back.

Fighting Back Against Identity Theft

In February, Postmaster General John Potter sent a letter, presumably to all addresses, and enclosed an Identity Theft brochure from the Federal Trade Commission (FTC).
The Postmaster General’s letter reported that according to an FTC survey only 2% of all identity theft victims believed the theft of their identity was related to mail. Even so, they sent this letter to educate consumers.
So many times when dealing with users the response is “I’ve got nothing to hide” or “I won’t be a victim” or “I’ve got nothing worth protecting”. The Postmaster General’s letter points out that if someone steals your identity, it can affect your credit standing, your ability to buy a car or home, get a job or obtain medical care. Once victimized it is not easy to clean up.
The FTC brochure has a link to the FTC’s Identity Theft Site.
The brochure has three key sections.
Deter

  • Shred financial documents and paperwork before you discard them
  • Protect your social security number. Do not carry it in your wallet or write it on a check. Give it out only where necessary, or ask to use another identifier.
  • Don’t give out personal information on the phone, through the mail or over the Internet unless you know who you are dealing with.
  • Never click on links in unsolicited emails. Instead type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer; keep them up to date. Visit onguardonline.gov for more information.
  • Don’t use an obvious password like your birth date, your mother’s maiden name or the last four digits of your social security number
  • Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your home.

Detect
Be alert to signs that require immediate attention

  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you did not make

Inspect your credit report (www.annualcreditreport.com) and your financial statements.
Defend
Defend against ID theft as soon as you suspect it.

  • Place a “fraud alert” on your credit reports.
  • Close any account that has been tampered with or established fraudulently.
  • File a police report
  • Report the theft to the FTC

Common Ways ID Theft Happens:

  1. Dumpster Diving.
  2. Skimming – skimmers are special devices that steal your credit/debit card numbers.
  3. Phishing
  4. Changing your address
  5. Theft of wallet/purse, mail, records

Symantec Endpoint Security 11

Yesterday, I attended a webinar on Symantec Endpoint Security 11. It should be available for on-demand replay at some point at symantec.com.
A lot of people including myself have been very negative about the Symantec product, virus detection rates, and product support. I’m actually starting to believe that Symantec is turning things around. Yes, I know this brief ray of hope will soon be crushed by more Symantec nonsense. But for now, for this blog entry, I’ll focus on the positive.
Symantec Endpoint Security, formerly code named Hamlet, is a single agent, single console solution. In the past people have implemented piecemeal solutions. So the clients have anti-virus products, antispyware products, and a personal firewall. Each of these products requires a separate management point. They each require upgrades and management. There is an incredible cost to the old “best-of-breed” approach. Back then “kitchen-sink” solutions like Symantec Client Security were bloated beasts that weren’t the best at anything. McAfee Total Protection was the first vendor to grab my attention with a consolidated approach. Let’s see what Symantec brings to the table.

  • Antivirus – as I’ve blogged about before, Symantec is doing much better on the AV tests.

  • Antispyware – Includes Veritas technology VxMS to detect rootkits. They feel this is superior to rootkit detection in other products. I’m not convinced though that the product is overall better in spyware detection than Webroot or Sunbelt. But it may be worth it to preserve resources.
  • Intrusion Prevention (Network and Host)
    Generic exploit blocking (currently in SCS)
    Proactive Threat Scan (from Whole Security)
    Deep Packet Inspection

  • Device Control – restrict data leakage (not a lot of info on this that I noted)
  • Symantec NAC

This is all with a single agent. According to the presenter McAfee is using multiple agents in its product.
They had some interesting memory baseline numbers:
Symantec Antivirus Corporate Edition – 62 MB
Symantec Client Security – 129 MB
McAfee Total Protection – 71 MB
Symantec Endpoint Protection – 21 MB
That is a very significant number. We have been very concerned about each security solution adding a burden to the computer.
There is a public beta. To sign up for that, or for additional information, check out www.symantec.com/endpointsecurity.
This sounds interesting. Of course I would never install a dotZero release from Symantec. But about 6 months after release this could be of interest.