Security Basics mailing list archives
Re: McAfee Anti Virus V4.5.1 SP1
From: "Robert Slade, Threat Response Manager" <rslade () fortinet com>
Date: Thu, 27 Nov 2003 12:37:18 -0800 (PST)
We have had 3 or 4 machines come up infected with Nachi today but the on access scanner didn't pick it up. Carrying out a full system scan did pick it up.
Not terribly surprising. First of all, Nachi (and a great many others of its ilk) is a worm, acting specifically by making an attack on a vulnerability in an application or an operating system. In this case, it is, as you note, making RPC calls. (Turning off DCOM with something like dcomcnfg will prevent the attack from succeeding, and shouldn't create any problems unless you are using an MS Exchange mail server.) Nachi creates the files you note, but it does not necessarily read them. Generally on-access scanners shortcut scanning (in order to improve performance) and therefore the scanner will probably never scan the files. The full scan, as you noted, does. (In addition, on-access or other "automatic" scanners are always much less effective and accurate at detection in comparison to the base manual versions.)
Anyway... I'm trying to figure out why McAfee on access scanner isn't picking these files up but the full system scan is. There is no difference in the setup we have between on access or full scan.
Hope this explains matters.

--
rslade () sprint ca rslade () fortinet com p1 () cheerful com rslade () vcn bc ca
victoria.tc.ca/techrev/secgloss.htm sun.soci.niu.edu/~rslade/mnbk.htm
Vancouver office +1-604-430-1297 ext. 823 fax: +1-604-430-1296
http://media.poly.edu/realmedia/electrical/eesem2003/eesem2003_11_06.ram
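Added example, not part of the original message or of any vendor's code: a simplified Python model of the coverage gap the reply above describes, where a file that is written but never read is missed by an on-access scanner yet found by a full scan. The trigger set, the marker bytes, the event format and the file paths are all constructed assumptions.

```python
# Simplified model (assumption): the on-access scanner inspects a file only on
# the operations named in `triggers`; the on-demand scan inspects every file.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a detection signature
READ_ONLY = frozenset({"read", "execute"})  # assumed "shortcut" policy


def is_flagged(content: bytes) -> bool:
    """Stand-in for the scan engine: flag content containing the marker."""
    return SIGNATURE in content


def on_access_detections(events, triggers=READ_ONLY):
    """Replay (op, path, data) events; scan only when op is a trigger.

    Returns the final file system state and the set of paths flagged.
    """
    fs, detected = {}, set()
    for op, path, data in events:
        if op == "write":
            fs[path] = data
        elif op == "delete":
            fs.pop(path, None)
        if op in triggers and path in fs and is_flagged(fs[path]):
            detected.add(path)
    return fs, detected


def full_scan(fs):
    """On-demand scan: every file present is inspected."""
    return {path for path, content in fs.items() if is_flagged(content)}


def coverage_gap(events, triggers=READ_ONLY):
    """Files a full scan flags that the on-access policy never inspected."""
    fs, seen = on_access_detections(events, triggers)
    return full_scan(fs) - seen


# Constructed sample activity (hypothetical paths, harmless contents).
EVENTS = [
    ("write", "C:/sample/dropped_a.bin", SIGNATURE + b"\x00data"),  # never read
    ("write", "C:/sample/dropped_b.bin", b"x" + SIGNATURE),
    ("read", "C:/sample/dropped_b.bin", None),                      # read later
    ("write", "C:/sample/report.txt", b"clean text"),
    ("read", "C:/sample/report.txt", None),
]

if __name__ == "__main__":
    print("missed by read-only on-access policy:", coverage_gap(EVENTS))
    print("missed when writes are also scanned:",
          coverage_gap(EVENTS, READ_ONLY | {"write"}))
```

In this model, adding "write" to the trigger set closes the gap, which is why comparing the on-access trigger settings against the on-demand settings is a useful first check.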