Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: McAfee Anti Virus V4.5.1 SP1

From: LordInfidel <LordInfidel () Directionweb com>
Date: Sat, 29 Nov 2003 11:17:25 -0500
I'm going with the misconfiguration.

In it's default install state, NAI's AV will not do the trick.

Just enabling the system scan is not enough, in fact the system scan
is worthless when it comes to picking up incoming viruses.

For that you need to set the following.

1. E-mail scan (corporate if you are running group ware, Internet for
pop/imap)
        a. I enable both.  It gives you more options.
        b. Scan all atachments and compressed files
        c. Advanced
                1. enable heuristics
                2. enable macro and program file heuristics

2. Download Scan
        a. All files
        b. compressed files
        c. Advacned (same as above)

3. Internet filter
        a. Check all 5 boxes.  (although the filters are purely optional)

Also set your automatic updates to daily and enable randomization

-----Original Message-----
From: Mike [mailto:mjcarter () ihug co nz]
Sent: Friday, November 28, 2003 1:02 AM
To: security-basics () securityfocus com
Subject: McAfee Anti Virus V4.5.1 SP1


Hi All,
I have a question and  I can't get an answer from the vendor, their support
is not free for this question.
We have had 3 or 4 machines come up infected with Nachi today but the on
access scanner didn't pick it up. Carrying out a full system scan did pick
it up.

I found the infected machines by going through Black Ice logs on my local
machine that showed RPC scans and then connecting to the remote machine's
C:\winnt\system32\wins directory and scanning the dllhost.exe and
svchost.exe files.

I don't have access to any kind of network scanner, our security policy
doesn't allow me to use them (I'm just a field ops support person).

Anyway... I'm trying to figure out why McAfee on access scanner isn't
picking these files up but the full system scan is. There is no difference
in the setup we have between on access or full scan.

Everything is up to date, including the MS patch levels, but that's another
story.

Is there another variant that might be stopping the on access scanner ???

Any ideas?

Thanks

Mike



---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: