Educause Security Discussion mailing list archives
Re: Exchange Server Virus Scanning
From: "Hall, Rand" <rand () MERRIMACK EDU>
Date: Fri, 17 Feb 2006 12:52:20 -0500
it only took one variant to slip past to create a damned nuisance.
* I still don't think you're getting the point. McAfee's buffer overflow protection was 6 for 6. It doesn't much matter how well you do heuristically in that case.**

Again, timeliness is often a bogus metric. If a virus is not widespread does it matter how quickly a signature's written for it?

Cheers,
Rand

*Mmmm, ;-)
**Though, even at 2 for 6 they were better than the competition ;-p

--
Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000 Fax 978-837-5434 * rand.hall () merrimack edu * www.sungardcollegis.com

CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the sender and delete this e-mail from your system.

-----Original Message-----
From: Graham Toal [mailto:gtoal () UTPA EDU]
Sent: Friday, February 17, 2006 11:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Exchange Server Virus Scanning
Mmmm, I think you may have missed the point. That being, speedy updates are not always as relevant as you might think.
Well, the same av-test.org tests show something interesting:
( http://www.pcmag.com/article2/0,1895,1850851,00.asp )

There were 6 different programs released to exploit MS05-039 some time back; McAfee only detected 2 of the 6 proactively, i.e. before signatures were updated. Given the numbers of all of these that were floating around, it only took one variant to slip past to create a damned nuisance.

The heuristic scanning is dodgy at best and a pain in the rear at worst, when it picks up false positives.

I do agree that retroactively chasing specific binaries through signatures is doomed in the long term, but I don't think that anything McAfee is currently doing is a good alternative; at least not good enough to recommend them over other AV vendors with better response times.

Graham