Posts tagged ‘Antivirus’

SEP 12.1 RU1 Released

Symantec Endpoint Protection 12.1 RU1 is out. The list of fixes and features is here.

I upgraded my test server no problem. That is the server where everything always works out fine.

SEP 12.1 RU1 is version 12.1.1000.157. The previous version was 12.1.671.4971. So of course when you log into SEPM, click on Admin and then Client Install Package, and sort by the version column, 12.1.671 is on top rather than 12.1.1000, which is what you get when the column sorts versions as text. Sigh. If I were picking version numbers, I would be careful to avoid numbers that often don’t sort correctly. So I’ll have to sort by the “created time” column to make sure I’m working with the correct package.
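An added example (not from the post) of the sort problem described above, using the two SEP build numbers it mentions: a text sort puts 12.1.671 above 12.1.1000, while a key that compares each dotted field as an integer puts RU1 on top. It assumes purely numeric dotted versions, which is what SEP uses.

```python
# The two SEP client package versions from the post (RU and RU1).
SEP_PACKAGES = ["12.1.671.4971", "12.1.1000.157"]


def version_key(version):
    """Turn '12.1.1000.157' into (12, 1, 1000, 157) so each field compares as an integer.

    Assumes every field is numeric; tuples of different length compare by prefix,
    so '12.1' sorts before '12.1.1000.157'.
    """
    return tuple(int(part) for part in version.split("."))


def sort_as_text(versions):
    """What a plain string sort of the version column does, newest-first.

    '6' is greater than '1' as a character, so 12.1.671 lands above 12.1.1000.
    """
    return sorted(versions, reverse=True)


def sort_as_versions(versions):
    """Version-aware sort, newest-first: 1000 > 671, so RU1 lands on top."""
    return sorted(versions, key=version_key, reverse=True)


def newest(versions):
    """The package you actually want to deploy."""
    return max(versions, key=version_key)


if __name__ == "__main__":
    print("text sort:    ", sort_as_text(SEP_PACKAGES))
    print("version sort: ", sort_as_versions(SEP_PACKAGES))
    print("newest:       ", newest(SEP_PACKAGES))
```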

What’s New:
Mac Lion 10.7 support
Better support for mobile broadband adaptors that use NDIS6
Browser IPS for Firefox 5, 6 and 7.

None of the fixes jump out at me as something I’ve seen.

SEP 11 RU6 MP3 Released

Symantec released Maintenance Patch 3 for SEP 11.0.6 this week.

Changes and fixes are listed in the Symantec knowledge base.

Release notes are here.

Win7 SP1 SEP Support

Ouch!

Symantec has posted a knowledge base article.   Symantec Endpoint Protection will not support Service Pack 1 for Windows 7 or Windows 2008 R2 until SEP 11.0.7 (11.0 Release update 7).

There are no known issues.   They just aren’t going to certify it until 11.0.7.

Symantec Endpoint Protection 12 Announced

Today Symantec pre-announced Symantec Endpoint Protection 12. You can sign up for the public beta now, although the beta bits are not immediately available. It wasn’t stated whether this beta includes the server install or if it is client only. (Update: good news! A Symantec commenter reports the beta will be the full install and not client only.) The full release is “later this year.”

Why are we excited about this?   SEP11 has grown a bit long in the tooth.   While it gave vast performance improvements over Symantec Antivirus 10, the natives are growing restless.    SEP12 offers performance improvement, improved protection and is better designed for the virtualized environments found in many data centers.

The list of what’s new is at the link above; click on the What’s New tab.

Why Microsoft cannot open Windows Update to third-party developers

This morning I saw a post from Larry Seltzer rehashing the argument that Microsoft should be allowing the deployment of third-party updates via Microsoft Update. (He uses the older term “Windows Update,” which is for Windows products only. Microsoft Update is the term for the update server for the broader group of Microsoft products.) He argues that there are so many vulnerabilities that it is time consuming to keep up with it all. Additionally, it is difficult to verify the source of programs.

The ink hadn’t even dried on that post when antimalware firm ESET reported on malware they had found in the Microsoft Update Catalog.

Microsoft actually does include some third-party developed things in Microsoft Update. They do this so you don’t have to install drivers every time you add new hardware or plug something into the USB port. Windows can update drivers from Microsoft Update. In this case Microsoft was serving up a remote access trojan when it installed battery charger management software.

That is just a small example of what is feared both by the consumer and by Microsoft when we talk about opening up Microsoft Update to third-party developers.

ESET has a followup post from someone with insight on the antimalware scanning process for files available publicly at Microsoft. Their author feels it is impractical to scan the TB of update files Microsoft already has posted, and not respectful to Mother Earth. I think it is rather easy to say ‘let the consumer’s desktop antivirus detect it’ when it is no longer your reputation on the line and no longer your desktop getting infected, and you work for a desktop antivirus company.

As the ESET blog posts say, this is a rare event. I fear it would be many times worse if Microsoft were also allowing multiple vendors to push their updates through Microsoft Update. This is why Microsoft cannot open Microsoft Update to third-party developers.

Adobe Reader X Protected Mode and Antivirus

The sandbox functionality in Adobe Reader X is known to conflict with some antivirus products. 

I’ve installed Reader X at home with no issues. A post in the Symantec Connect forums indicates Adobe Reader X cannot open on computers that use the Network Threat Protection component of Symantec Endpoint Protection. The workaround for the moment is to disable Reader’s protected mode. I don’t use Network Threat Protection at home, which is why I didn’t see any issues there.

PDF Virus spammed

We’re seeing emails with the subject “phone calls” and “setting for your mailbox are changed” getting detected as Bloodhound.Exploit.290. That’s a generic detection for an Adobe Reader PDF exploit.

Email Message Size Limits – The Update

The Microsoft Exchange team wrote a blog back in 2006 summarizing the need for email message limits.
Email size limits help protect you against denial of service attacks. Intentional or not, internal sender or external, a large message can consume all available resources. The problem can be aggravated by antivirus for Exchange. It only has so many processes, and a traffic jam can occur while it’s trying to deal with this massive file.

Outbound messages may not even reach their destination. The public mail servers like Yahoo, Gmail and Hotmail limit their message size to 10-25 MB. Many companies protect themselves by putting these limits in place as well.
I don’t think it’s too old school to say it’s bad netiquette to send large email messages.

Alternative methods like file servers and SharePoint are good internally. Externally, companies need to be providing easy to use file transfer services. Otherwise users will end up using potentially insecure third party transfer websites like YouSendIt or, God forbid, P2P.

When I wrote about message limits in October of 2006, I was hoping that we would end up with a 50 MB message limit at the mail gateway but guessed that we would end up with a 100 MB limit. Instead we ended up with a ludicrous 500 MB limit. As Microsoft says, an outrageously large limit (to quiet the restless natives) is the same as having no mailbox and message size limits at all.

The high limits (and no limit internally) have caused multiple performance issues affecting availability this year. Management is now willing to put a (still really high) 50 MB limit on messages sent via Outlook, but they are not willing to put a better limit on incoming email. We’ve produced statistics showing the low number of messages that would be blocked. At a certain point you just document that management has accepted this risk.

As I finish writing this, I see the new Hotmail allows up to 200 50 MB attachments on a single email message. It is still hard to attach a single > 51 MB attachment. But this doesn’t actually change my point. This limit isn’t because of how I think the Internet should work. It’s a technology limitation. Perhaps Exchange 2010 won’t fall to its knees with a 100 MB message. Even so, with no guarantee of the recipient’s server capabilities, I think it’s better to keep limits imposed.

VPN Split Tunneling

VPN split tunneling allows a user to VPN into the corporate network and pass data over the encrypted tunnel to it, while at the same time still talking to local resources and going directly to the Internet. The alternative is to always tunnel and send almost everything through the VPN. The idea of always-tunnel VPN is sacrosanct to many VPN admins, and I believe it’s a requirement under NIST SP 800-53 rev3.

This issue comes up fairly often as a case of usability versus security. I’m not convinced that always tunnel buys you the security you think it does, and given the drawbacks to the user experience, perhaps it doesn’t need to be the default.

When always tunnel is used, you now need the bandwidth to bring in all remote traffic and send it right back out to the Internet. Each download has a double penalty. On the other hand, most enterprises don’t have HTTP security at the desktop, so this actually has the benefit of URL and malware filtering.
If you don’t currently use the personal firewall to enforce the same outbound restrictions as the corporate firewall, always tunnel will cause more blocking while VPN connected. That could be a good thing, as people will stay VPNed less often because they want to be able to connect to their ISP’s POP3 server.

In many scenarios always tunnel will mean the inability to access local resources like printers and file servers. There are often ways to allow the local subnet, but that only solves the home problem. Many VPN users are employees stationed at a customer site. They need (or at least want) to access resources on that network while VPNed in. For some, that is exactly what they are trying to stop. The end users will see always tunnel hurting their ability to work.
In many ways, I feel like VPN split tunneling is designed to solve problems from 5-10 years ago. Split tunneling would prevent the system from being managed by Sub7. On the other hand, so would the personal firewall. Today’s malware uses command and control that is outbound initiated and designed to hide in plain sight. It’s going to connect outbound through your always-tunnel VPN and out your firewall, and then get its answer back. If you have an IDS in the right places you might have a chance. If the connection is encrypted, all you can really tell is that the computer talked to an IP that might or might not be suspicious.

Perhaps you’d be better off ensuring antivirus is working and up-to-date on all systems that connect via VPN.
If you’re starting a VPN for the first time, you have a chance to implement it with always tunnel with a lot less push back. That might be worthwhile if you have the bandwidth to support it. It is a much tougher sell for an existing VPN connection implemented as a split tunnel.

Fake AV on Drudge

I was over at the Drudge Report last night and finally saw a fake antivirus social engineering attempt there. I’d heard before that the ads on Drudge often served that up, but it was the first time I ran across it myself.
On my work computers, I have the full Symantec Endpoint Protection suite installed, and the IPS generally detects and blocks fake antivirus attempts. My home computer doesn’t have the firewall component of SEP installed, thus it can’t have the IPS functionality. This means it’s relying on the antivirus scanner exclusively for detection. Of course that detected nothing.
I downloaded the inst.exe file. That’s the same file name I see in the fake antivirus attempts that are frequently attempted at pwinsider.com. You’d think the bad guys would avoid using the same file name all the time.
I got sidetracked and didn’t run the file through VirusTotal until this morning. 13 out of 41 detected the virus downloaded from a major site, and that was the day after.

File inst.exe received on 2010.05.06 14:31:04 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
Antiy-AVL 2.0.3.7 2010.05.06 -
Authentium 5.2.0.5 2010.05.06 -
Avast 4.8.1351.0 2010.05.06 -
Avast5 5.0.332.0 2010.05.06 -
AVG 9.0.0.787 2010.05.06 -
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.06 -
Comodo 4779 2010.05.06 -
DrWeb 5.0.2.03300 2010.05.06 Trojan.Fakealert.15369
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7471 2010.05.06 Win32/FakeAlert.E!generic
F-Prot 4.5.1.85 2010.05.06 -
F-Secure 9.0.15370.0 2010.05.06 Trojan.FakeAlert.CCA
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.06 Trojan.FakeAlert.CCA
Ikarus T3.1.1.84.0 2010.05.06 -
Jiangmin 13.0.900 2010.05.06 -
Kaspersky 7.0.0.125 2010.05.06 Packed.Win32.Krap.ai
McAfee 5.400.0.1158 2010.05.06 -
McAfee-GW-Edition 2010.1 2010.05.06 -
Microsoft 1.5703 2010.05.05 -
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Norman 6.04.12 2010.05.06 -
nProtect 2010-05-06.02 2010.05.06 Trojan.FakeAlert.CCA
Panda 10.0.2.7 2010.05.05 Suspicious file
PCTools 7.0.3.5 2010.05.06 -
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Rising 22.46.03.04 2010.05.06 -
Sophos 4.53.0 2010.05.06 Mal/FakeAV-CZ
Sunbelt 6267 2010.05.06 FraudTool.Win32.SecurityTool (v)
Symantec 20091.2.0.41 2010.05.06 -
TheHacker 6.5.2.0.277 2010.05.06 -
TrendMicro 9.120.0.1004 2010.05.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.06 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.6.2304 2010.05.06 -
VirusBuster 5.0.27.0 2010.05.06 -
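An added example (not from the post) that parses rows of the VirusTotal results table above and works out the detection count the post quotes, which engines named a fake-AV family rather than a generic or packer verdict, and which engines were scanning with signatures older than the scan date. The embedded input is a constructed excerpt of the report rows shown above; the row format (engine, version, update date, result) is assumed from that table.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the report rows above (engine, version, last update, result).
REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 -
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
ClamAV 0.96.0.3-git 2010.05.06 -
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Panda 10.0.2.7 2010.05.05 Suspicious file
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Symantec 20091.2.0.41 2010.05.06 -
"""

# engine, version, YYYY.MM.DD update date, then the verdict (may contain spaces).
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")


@dataclass
class Row:
    engine: str
    version: str
    updated: str
    result: str  # "-" means the engine reported nothing


def parse_report(text):
    """Parse result rows; the header line has no date field and is skipped by the regex."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Row(*m.groups()))
    return rows


def detections(rows):
    return [r for r in rows if r.result != "-"]


def detection_ratio(rows):
    """(detecting engines, total engines), the '13 out of 41' figure in the post."""
    return len(detections(rows)), len(rows)


def family_verdicts(rows, keywords=("fakealert", "fakeav", "fraudtool")):
    """Engines whose verdict names a fake-AV family, not just a packer or heuristic."""
    return [r.engine for r in rows if any(k in r.result.lower() for k in keywords)]


def stale_engines(rows, scan_date):
    """Engines whose signatures predate the scan: a miss from these says less about coverage."""
    return [r.engine for r in rows if r.updated < scan_date]


if __name__ == "__main__":
    rows = parse_report(REPORT)
    print("detected: %d of %d" % detection_ratio(rows))
    print("family verdicts:", family_verdicts(rows))
    print("stale signatures:", stale_engines(rows, "2010.05.06"))
```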

In March the Senate Sergeant at Arms traced the source of an infection back to Drudge. People thought that was politically motivated. Drudge is a high value target due to the number of visitors. Is there anything he should be doing differently? I think he needs to be holding his ad company to a higher standard and switching companies if they continue to allow these malicious ads to sneak in.