Educause Security Discussion mailing list archives

Re: Exchange Server Virus Scanning


From: "Hall, Rand" <rand () MERRIMACK EDU>
Date: Fri, 17 Feb 2006 12:52:20 -0500

> it only took one variant to slip past to create a
> damned nuisance.

* I still don't think you're getting the point.

McAfee's buffer overflow protection was 6 for 6. It doesn't much matter
how well you do heuristically in that case.**

Again, timeliness is often a bogus metric. If a virus is not widespread
does it matter how quickly a signature's written for it?

Cheers,
Rand

*Mmmm, ;-)
**Though, even at 2 for 6 they were better than the competition ;-p
--
Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
Fax 978-837-5434 * rand.hall () merrimack edu * www.sungardcollegis.com

CONFIDENTIALITY:  This e-mail (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited.  If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.

-----Original Message-----
From: Graham Toal [mailto:gtoal () UTPA EDU] 
Sent: Friday, February 17, 2006 11:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Exchange Server Virus Scanning

> Mmmm, I think you may have missed the point. That being,
> speedy updates are not always as relevant as you might think.

Well, the same av-test.org tests show something interesting:
( http://www.pcmag.com/article2/0,1895,1850851,00.asp )

There were 6 different programs released to exploit MS05-039
some time back; McAfee only detected 2 of the 6 proactively,
i.e. before signatures were updated.  Given the numbers of
all of these that were floating around, it only took one
variant to slip past to create a damned nuisance.

The heuristic scanning is dodgy at best and a pain in the
rear at worst, when it picks up false positives.

I do agree that retroactively chasing specific binaries
through signatures is doomed in the long term, but I
don't think that anything McAfee is currently doing is
a good alternative; at least not good enough to recommend
them over other AV vendors with better response times.


Graham