RE: Strange servicepack.exe file (not service.exe) found.

From: Kolde, Jennifer E. (jkolde_at_nosc.mil)
Date: 12/18/03

    To: 'John Ives' <jives@cchem.berkeley.edu>, incidents@securityfocus.com
    Date: Thu, 18 Dec 2003 07:59:33 -0800
    
    

    Note that McAfee VirusScan (v7.1 Enterprise, not sure about others) includes
    an option to "Find potentially unwanted programs". If this option is
    selected (it is disabled by default) then McAfee will dutifully alert on
    "suspect" programs such as psexec.exe (from Sysinternals' PSTools). I have
    not fully tested the range of programs it will detect / not detect - but a
    quick check shows it will *not* alert on VNC, but it will alert on the
    Serv-U FTP daemon, for example.

    My own recent experience is that McAfee does a far better job vs.
    Symantec/Norton of detecting things (even though neither app is perfect),
    and the option above is a nice one to have...even if it's not a complete
    solution. You can always port scan your network to find out who's listening
    on 5800 (or other port o' choice) and check to make sure those folks
    *really* mean to be running something on that port.

    Regards,
    Jennifer Kolde

    -----Original Message-----
    From: John Ives [mailto:jives@cchem.berkeley.edu]
    Sent: Wednesday, December 17, 2003 4:09 PM
    To: incidents@securityfocus.com
    Subject: RE: Strange servicepack.exe file (not service.exe) found.

    There are two answers to this. The first is that it be a default option
    that can be turned off by support staff. The second is that IT staff could
    (while building their distribution system, e.g. Ghost images, etc.)
    pre-approve the supported app.

    Of course, my perspective is always clouded by the realities of supporting
    people on a university campus. This feature may not be necessary for
    corporations, but it would help us.

    John

    At 06:45 PM 12/17/2003 -0500, Rob Shein wrote:
    >I can't imagine this concept working. Imagine how users would react if VNC
    >were used in the workplace (as it is in some companies I know of), and it
    >popped up as a possible trojan or sign of compromise, because it's sometimes
    >used that way by hackers. End users, who are the majority of people using
    >antivirus solutions, are prone to overreaction and panic, particularly where
    >viruses are concerned. While giving the user more information and letting
    >them come to their own conclusion is theoretically the best way, actually
    >implementing that solution is going to cause massive problems from a support
    >perspective.
    >
    > > -----Original Message-----
    > > From: John Ives [mailto:jives@cchem.berkeley.edu]
    > > Sent: Wednesday, December 17, 2003 2:05 PM
    > > To: incidents@securityfocus.com
    > > Subject: RE: Strange servicepack.exe file (not service.exe) found.
    > >
    > > One of the things I have noticed with Symantec (and I am sure other vendors
    > > do the same thing) is that files that have both good and bad uses are
    > > considered good, no matter how rarely they are used that way.
    > >
    > > A better system would be a prompt informing the user of the file's name,
    > > location and any relevant information about its legitimate uses and asking
    > > if this was running intentionally. If so it should take a hash of the file
    > > and its directory path, archive that information to a file, digitally sign
    > > the file and use it as a reference whenever it does future scans. If it is
    > > not intentionally being run then quarantine it and notify the user that, if
    > > there are any problems, they can un-quarantine the file by doing x, y and z.
    > >
    > > This isn't an absolute answer, because it still relies on the user to make
    > > sound decisions, but it would help alleviate problems caused by legitimate
    > > files performing illegitimate actions.

    -------------------------------------------------
    John Ives, GCWN, GCIH, GSEC
    Systems Administrator
    College of Chemistry
    (510) 643-1033

    "If you spend more on coffee than on IT security, then you will be hacked.
    What's more, you deserve to be hacked." - Richard Clarke

    Any opinions expressed are my own and not those of the Regents of the
    University of California.
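The "approved programs" scheme John Ives sketches in the quoted message above (hash the file and its directory path, archive the record, sign it, consult it on later scans) can be demonstrated in a few dozen lines. The block below is an added example and is not code from anyone in this thread or from any AV vendor; it uses an HMAC key as a stand-in for a real digital signature, and every file, path and key in it is constructed for the demo. A scan verdict is one of three: "approved" (path and hash match a signed record), "modified" (a recorded path whose contents changed) or "unknown" (never approved), and a reference archive whose signature no longer verifies is refused rather than trusted.

```python
"""Added example: a signed reference list of intentionally-run programs.
Not from the thread; HMAC stands in for a digital signature, all inputs constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries):
    # Deterministic serialisation so the signature covers exactly these records.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def save_reference(ref_path, key, entries):
    """Archive the approved-file records and sign them (HMAC-SHA256 as a stand-in)."""
    sig = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    with open(ref_path, "w") as f:
        json.dump({"entries": entries, "sig": sig}, f)


def load_reference(ref_path, key):
    """Return the records only if the signature still verifies; otherwise refuse."""
    if not os.path.exists(ref_path):
        return {}
    with open(ref_path) as f:
        doc = json.load(f)
    expected = hmac.new(key, _canonical(doc["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["sig"]):
        raise ValueError("reference archive signature mismatch")
    return doc["entries"]


def approve(ref_path, key, file_path):
    """The user confirmed the program is intentional: record its hash and directory."""
    entries = load_reference(ref_path, key)
    full = os.path.abspath(file_path)
    entries[full] = {"sha256": file_digest(full), "dir": os.path.dirname(full)}
    save_reference(ref_path, key, entries)


def classify(ref_path, key, file_path):
    """Verdict for a later scan: 'approved', 'modified' (same path, new hash) or 'unknown'."""
    entries = load_reference(ref_path, key)
    full = os.path.abspath(file_path)
    rec = entries.get(full)
    if rec is None:
        return "unknown"
    return "approved" if rec["sha256"] == file_digest(full) else "modified"


def demo():
    """Run the whole flow on constructed files in a temp dir and return the verdicts."""
    key = b"constructed-demo-key"  # constructed; a real deployment would use a signing key
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "approved.json")
        tool = os.path.join(d, "remote_admin.exe")   # constructed stand-in for a dual-use tool
        other = os.path.join(d, "dropped.exe")       # constructed stand-in for an unexpected file
        with open(tool, "wb") as f:
            f.write(b"MZ constructed legitimate admin tool")
        with open(other, "wb") as f:
            f.write(b"MZ constructed unexpected binary")
        results["tool_before"] = classify(ref, key, tool)     # unknown: nothing recorded yet
        approve(ref, key, tool)
        results["tool_after"] = classify(ref, key, tool)      # approved
        results["other"] = classify(ref, key, other)          # unknown: never approved
        with open(tool, "ab") as f:
            f.write(b" + tampered bytes")
        results["tool_tampered"] = classify(ref, key, tool)   # modified: path known, hash changed
        # Someone edits the archive directly to add an entry without the signing key.
        with open(ref) as f:
            doc = json.load(f)
        doc["entries"][os.path.abspath(other)] = {"sha256": file_digest(other), "dir": d}
        with open(ref, "w") as f:
            json.dump(doc, f)
        try:
            classify(ref, key, other)
            results["forged_reference"] = "accepted"
        except ValueError:
            results["forged_reference"] = "rejected"  # signature no longer verifies
    return results


if __name__ == "__main__":
    print(demo())
```

The signature matters because the archive is the thing an attacker would most want to edit: a record added without the key is caught on the next load, so an approval can only come from the prompt flow. Keying on the absolute path as well as the hash is what lets the scanner distinguish "the tool the user approved was replaced" from "a never-seen file appeared", which is the distinction Rob Shein's concern about user panic turns on.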


