Security Basics mailing list archives
Fwd: virus got past mcafee viruscan 8.7
From: "Alan Strader" <listnibbler () gmail com>
Date: Thu, 7 May 2009 14:06:54 -0500
I may have missed it, but I have not seen any information about what products you are using other than VSE 8.7. Are you using McAfee's Anti-Spyware module or their Host Intrusion Prevention for desktops? What engine and signature versions are you using, what is the patch level, and are any ExtraDATs installed?

I also have not seen any indication of what this mysterious "virus/malware" is other than "it's sending spam". Has a sample of this been submitted to VirusTotal, WebImmune, or any other verification site? What files or processes are involved?

What are you seeing that indicates that it is actually sending spam from this machine? Do you see this activity in your mail server logs? Are you seeing blocked messages at your firewall? Is it using an outside mail server?

I would assume that, since you stated that you could not telnet out on port 25, you have the Access Protection module enabled. How is your port blocking policy configured? What processes are in the permitted list for port 25?

Since this list is named security-basics, can we work with some basic facts and less speculation? Let's try to help out and provide direction to resolve the problem, not just throw out stuff to debate.
Can anyone please recommend a good Host Intrusion Protection program
(HIPS) besides McAfee's?
That may be the way to go.
On Wed, May 6, 2009 at 9:06 PM, Jeffrey Walton <noloader () gmail com> wrote:
Hi Michael,
Edit a common virus payload into an executable a
little ways past the 100th byte and upload it to
http://www.virustotal.com/ See for yourself how many of the AV engines
detect it.
[Un]fortunately, I don't have any live payloads. However, running the
EICAR test vector [1] did produce somewhat disappointing results. When
the test string was placed at byte 64, only 5 scanners fired [2]. This
dropped to 4 scanners when moved to offset 1024.
I don't believe that extrapolating the results (to the 100th, 256th,
1024th byte...) is valid since EICAR specifies the first 68 bytes must
be payload. But I would also expect that a scanner would catch it wherever
it is, in an attempt to showcase their technology.
In the end, the OP should get the malware submitted for analysis.
Jeff
[1] http://www.eicar.org/anti_virus_test_file.htm
[2] http://www.virustotal.com/analisis/a5f9b85462298c92acf63db55cb29737
On 5/6/09, Michael Graham <jmgraham () gmail com> wrote:
I'm sorry, but I don't think a three year old (or more) book written
by an employee of an anti-virus vendor and published by said
anti-virus vendor is a reasonable third party reference as to whether
or not anti-virus is effective. There's no need to debate the matter
as a theoretical. Edit a common virus payload into an executable a
little ways past the 100th byte and upload it to
http://www.virustotal.com/ See for yourself how many of the AV engines
detect it. Then do it before the 100th. The difference in the two
should settle the matter for you far better than whatever I write
could.
Anti-virus just isn't particularly effective anymore except against
very common or poorly written malware. It's great for that, but if
you have any concern whatsoever about targeted malware, 0-days, or
have a real need to "catch everything" then you should be looking to
HIPS not AV. Signatures and byte-by-byte checking can't keep up;
watching and protecting the stack sometimes can.
As to the original question (which I probably should have answered
while ranting about how untrustworthy AV is):
The AV software is most likely being denied the ability or the
opportunity to prevent the malware from sending the spam. That
doesn't mean that the AV software cannot still stop you from telnetting
outbound to 25. So that verification is probably invalid.
On Wed, May 6, 2009 at 2:54 PM, Jeffrey Walton <noloader () gmail com> wrote:
Could you qualify this statement? I don't believe it accurately
reflects the current state of the art in detection. For a survey, read
Szor's 'The Art of Virus Research and Defense'. I'd suspect the
malware is relatively new or otherwise has not been analysed. Perhaps
the OP should submit the malware for analysis.
Jeff
On 5/6/09, Michael Graham <jmgraham () gmail com> wrote:
Unfortunately, anti-virus isn't capable of stopping the most common or
basic of malware. Simply moving the hostile payload beyond the first
hundred bytes or so of an executable is enough to prevent most AV
software from detecting/alerting. Beyond that, the number of
third-party applications with serious vulnerabilities (Acrobat seems
to be this year's problem) means that relying on anti-virus to prevent
malware infection is likely to result in an unpleasant surprise.
On Tue, May 5, 2009 at 7:49 PM, Anand Narine <anand.narine () gmail com> wrote:
Hi all,
Our client workstations all have McAfee antivirus installed, but a
virus infected one particular PC
and has been sending out spam by making outbound connections on port 25.
McAfee VirusScan 8.7 blocks programs from making outbound connections
on port 25 by
default, so how did the virus get past? I verified that McAfee was
working since I could
not telnet to any mail server on the internet via port 25.
[SNIP]
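Jeff's EICAR experiment above (the test string at byte 64 and at offset 1024, with fewer engines firing each time) is reproducible, and the reason the result cannot be extrapolated is spelled out by the EICAR specification itself: a scanner is only obliged to detect the 68-byte string when it is the first thing in the file, optionally followed by whitespace, with the whole file no longer than 128 bytes. The following script is an added example, not code from the thread or from eicar.org; it builds offset variants like the ones Jeff uploaded, checks each one against the spec, and contrasts two scanner models (prefix-only versus match-anywhere) to show why both the "5 engines" and "4 engines" results are consistent with spec-compliant products. The padding bytes, file names and the two scanner models are assumptions made for the example.

```python
"""Added example (not from the thread): build EICAR test files with the
68-byte string at an arbitrary offset and check each against the EICAR
spec, which only requires detection when the string starts the file
(optionally followed by whitespace, whole file <= 128 bytes)."""
import os
import tempfile

# The standard 68-byte EICAR string, assembled from two halves so this
# page does not carry the literal signature on a single line.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
assert len(EICAR) == 68

EICAR_MAX_LEN = 128
EICAR_TRAILING = frozenset(b" \t\r\n")   # whitespace the spec allows after the string


def build_variant(offset: int, padding: bytes = b"\x00", trailer: bytes = b"") -> bytes:
    """Return a file body with the EICAR string placed at `offset`, preceded
    by repeated `padding` bytes (constructed filler standing in for a stub
    or header; the choice of filler is an assumption of this example)."""
    if offset < 0:
        raise ValueError("offset must be >= 0")
    if not padding:
        raise ValueError("padding must be non-empty")
    prefix = (padding * (offset // len(padding) + 1))[:offset]
    return prefix + EICAR + trailer


def is_spec_compliant(data: bytes) -> bool:
    """True if `data` is an EICAR test file per eicar.org: starts with the
    68-byte string, only whitespace follows it, total length <= 128."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in EICAR_TRAILING for b in data[len(EICAR):])


def scan_prefix(data: bytes) -> bool:
    """Model of a scanner that honours exactly the spec (prefix match only)."""
    return is_spec_compliant(data)


def scan_anywhere(data: bytes) -> bool:
    """Model of a scanner that pattern-matches the string at any offset."""
    return EICAR in data


def write_variants(directory: str, offsets=(0, 64, 1024)) -> dict:
    """Write one file per offset into `directory` (for upload to a scanner
    of your choice); returns {offset: path}."""
    paths = {}
    for off in offsets:
        path = os.path.join(directory, f"eicar_offset_{off}.bin")
        with open(path, "wb") as fh:
            fh.write(build_variant(off))
        paths[off] = path
    return paths


if __name__ == "__main__":
    for off in (0, 64, 1024):
        body = build_variant(off)
        print(f"offset {off:5d}: spec-compliant={is_spec_compliant(body)} "
              f"prefix-scanner={scan_prefix(body)} "
              f"anywhere-scanner={scan_anywhere(body)}")
    with tempfile.TemporaryDirectory() as d:
        print(write_variants(d))
```

Only the offset-0 variant is a valid EICAR file; a product that ignores the offset-64 and offset-1024 files is not failing any test EICAR defines, which is the point Jeff concedes. Whether a product should nonetheless match the string anywhere is a marketing question, not a detection-quality measurement, and it says nothing about how that product handles a real sample, which is why submitting the actual malware remains the useful next step.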
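Alan's questions (is the host really sending spam, is it going to an outside mail server, what does the firewall show) come down to one check: which internal hosts are opening outbound TCP/25 connections to external addresses, and whether those connections were allowed or denied. The script below is an added example, not from the thread; it runs that triage over constructed firewall log lines in an invented key=value format (not any vendor's, so the parser must be adapted), and assumes a 10.1.0.0/16 LAN in which 10.1.0.25 is the only sanctioned relay. The external addresses are drawn from documentation ranges.

```python
"""Added example (not from the thread): triage constructed firewall log
lines for workstations that talk outbound on TCP/25, the check behind
Alan's questions about mail-server and firewall logs."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumptions for this example: the LAN is 10.1.0.0/16 and 10.1.0.25 is
# the only host allowed to speak SMTP to the outside world.
INTERNAL = ip_network("10.1.0.0/16")
APPROVED_RELAYS = {ip_address("10.1.0.25")}

# Constructed log lines in an invented key=value format. 10.1.4.77 is the
# spamming workstation (one deny followed by successful direct-to-MX
# connections); 10.1.4.80 only uses the relay; 10.1.4.90 was blocked.
CONSTRUCTED_LOG = """\
ts=2009-05-05T19:01:02 action=allow proto=tcp src=10.1.0.25 dst=198.51.100.23 dport=25
ts=2009-05-05T19:01:07 action=deny proto=tcp src=10.1.4.77 dst=198.51.100.23 dport=25
ts=2009-05-05T19:01:08 action=allow proto=tcp src=10.1.4.77 dst=198.51.100.23 dport=25
ts=2009-05-05T19:01:09 action=allow proto=tcp src=10.1.4.77 dst=203.0.113.120 dport=25
ts=2009-05-05T19:01:10 action=allow proto=tcp src=10.1.4.77 dst=192.0.2.38 dport=25
ts=2009-05-05T19:01:15 action=allow proto=tcp src=10.1.4.80 dst=10.1.0.25 dport=25
ts=2009-05-05T19:01:20 action=allow proto=tcp src=10.1.4.80 dst=203.0.113.9 dport=443
ts=2009-05-05T19:01:21 action=allow proto=udp src=10.1.4.81 dst=10.1.0.2 dport=53
ts=2009-05-05T19:01:30 action=deny proto=tcp src=10.1.4.90 dst=192.0.2.50 dport=25
"""

REQUIRED_FIELDS = {"action", "proto", "src", "dst", "dport"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one key=value line into a dict; None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not REQUIRED_FIELDS <= fields.keys():
        return None
    return fields


def smtp_egress(text: str) -> dict:
    """Group outbound TCP/25 connections from non-relay internal hosts to
    external addresses: {src: {"allowed": {dst, ...}, "denied": {dst, ...}}}.
    Traffic to the approved relay and traffic from the relay are ignored."""
    out = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != "25":
            continue
        try:
            src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        except ValueError:
            continue
        if src not in INTERNAL or src in APPROVED_RELAYS or dst in INTERNAL:
            continue
        bucket = "allowed" if rec["action"] == "allow" else "denied"
        out[str(src)][bucket].add(str(dst))
    return dict(out)


def suspicious_hosts(report: dict) -> list:
    """Hosts that actually reached an external MX directly. A deny line for
    the same host does not mean its egress is blocked; look at the allows."""
    return sorted(host for host, b in report.items() if b["allowed"])


def blocked_only_hosts(report: dict) -> list:
    """Hosts that tried direct SMTP but were denied every time."""
    return sorted(host for host, b in report.items()
                  if b["denied"] and not b["allowed"])


if __name__ == "__main__":
    rep = smtp_egress(CONSTRUCTED_LOG)
    for host in suspicious_hosts(rep):
        print(f"{host}: direct SMTP to {sorted(rep[host]['allowed'])} "
              f"(denied: {sorted(rep[host]['denied'])})")
    print("blocked only:", blocked_only_hosts(rep))
```

The output names the workstation that needs a sample pulled from it and shows whether the perimeter is actually enforcing the no-direct-SMTP policy, which is independent of whatever the host-based Access Protection rule does. A manual telnet to port 25 from the console proves only that the telnet process was blocked, not that the process the malware lives in was.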
------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
Current thread:
- Re: virus got past mcafee viruscan 8.7, (continued)
- Re: virus got past mcafee viruscan 8.7 Phil Bieber (May 06)
- Message not available
- Re: virus got past mcafee viruscan 8.7 Phil Bieber (May 07)
- Re: virus got past mcafee viruscan 8.7 Jeffrey Walton (May 06)
- Re: virus got past mcafee viruscan 8.7 Michael Graham (May 07)
- Re: virus got past mcafee viruscan 8.7 Jeffrey Walton (May 07)
- Re: virus got past mcafee viruscan 8.7 Anand Narine (May 07)
- RE: virus got past mcafee viruscan 8.7 Lape, Steve (May 07)
- Re: virus got past mcafee viruscan 8.7 Mike Acker (May 08)
- RE: virus got past mcafee viruscan 8.7 Oliver Friedrichs (May 08)