Re: virus got past mcafee viruscan 8.7

[Anand Narine <anand.narine () gmail com>]

Can anyone please recommend a good Host intrustion protection program
(HIPS) besides Mcafee's ?
That may be the way to go.

On Wed, May 6, 2009 at 9:06 PM, Jeffrey Walton <noloader () gmail com> wrote:
> Hi Michael,
>
> > Edit a common virus payload into an executable a
> > little ways past the 100th byte and upload it to
> > http://www.virustotal.com/ See for yourself how many of the AV engines
> > detect it.
> [Un]fortunately, I don't have any live payloads. However, running the
> EICAR test vector [1] did produce somewhat disappointing results. When
> the test string was placed at byte 64, only 5 scanners fired [2]. This
> dropped to 4 scanners when moved to offset 1024.
>
> I don't believe that extrapolating the results (to the 100th, 256th,
> 1024th byte...) is valid since EICAR specifies the first 68 bytes must
> be payload. But I would also expect that a scanner catch it where ever
> it is in an attempt to showcase their technology.
>
> In the end, the OP should get the malware submitted for analysis.
>
> Jeff
>
> [1] http://www.eicar.org/anti_virus_test_file.htm
> [2] http://www.virustotal.com/analisis/a5f9b85462298c92acf63db55cb29737
>
> On 5/6/09, Michael Graham <jmgraham () gmail com> wrote:
> > I'm sorry, but I don't think a three year old (or more) book written
> > by an employee of an anti-virus vendor and published by said
> > anti-virus vendor is a reasonable third party reference as to whether
> > or not anti-virus is effective.  There's no need to debate the matter
> > as a theoretical.  Edit a common virus payload into an executable a
> > little ways past the 100th byte and upload it to
> > http://www.virustotal.com/ See for yourself how many of the AV engines
> > detect it.  Then do it before the 100th.  The difference in the two
> > should settle the matter for you far better than whatever I write
> > could.
> >
> > Anti-virus just isn't particularly effective anymore except against
> > very common or poorly written malware.  It's great for that, but if
> > you have any concern whatsoever about targeted malware, 0-days, or
> > have a real need to "catch everything" then you should be looking to
> > HIPS not AV.  Signatures and byte-by-byte checking can't keep up;
> > watching and protecting the stack sometimes can.
> >
> > As to the original question (which I probably should have answered
> > while ranting about how untrustworthy AV is):
> >
> > The AV software is most likely being denied the ability or the
> > opportunity to prevent the malware from sending the spam.  That
> > doesn't mean that the AV software cannot still stop you from telneting
> > outbound to 25.  So that verification is probably invalid.
> >
> > On Wed, May 6, 2009 at 2:54 PM, Jeffrey Walton <noloader () gmail com> wrote:
> > > Could you qualify this statement? I don't believe it accurately
> > > reflects the current state of the art in detection. For a survey, read
> > > Szor's 'The Art of Virus Research and Defense'. I'd suspect the
> > > malware is relatively new or otherwise has not been analysed. Perhaps
> > > the OP should submit the malware for analysis.
> > >
> > > Jeff
> > >
> > > On 5/6/09, Michael Graham <jmgraham () gmail com> wrote:
> > > > Unfortunately, anti-virus isn't capable of stopping the most common or
> > > > basic of malware.  Simply moving the hostile payload beyond the first
> > > > hundred bytes or so of an executable is enough to prevent most AV
> > > > software from detecting/alerting.  Beyond that, the number of
> > > > third-party applications with serious vulnerabilities (Acrobat seems
> > > > to be this year's problem) means that relying on anti-virus to prevent
> > > > malware infection is likely to result in an unpleasant surprise.
> > > >
> > > > On Tue, May 5, 2009 at 7:49 PM, Anand Narine <anand.narine () gmail com> wrote:
> > > > > Hi all
> > > > > Our client workstations all have Mcafee antivirus installed, but a
> > > > > virus infected on particular pc
> > > > > and has been sending out spam by making outbound connections on port 25.
> > > > > Mcafee viruscan 8.7 blocks programs from making outbound connections
> > > > > on port 25 by
> > > > > default so how did the virus get past ? I verified that the mcafee was
> > > > > working since I could
> > > > > not telnet to any mail server on the internet via port 25.
> > > > >
> > > > > [SNIP]

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------