RE: McAfee Anti Virus V4.5.1 SP1

From: Pour, Matthew (mpour_at_bmc.com)
Date: 11/28/03

  • Next message: Keith Chng : "RE: filter ssl traffic" 
    To: "'Robert Slade, Threat Response Manager '" <rslade@fortinet.com>, "'mjcarter@ihug.co.nz '" <mjcarter@ihug.co.nz>
Date: Thu, 27 Nov 2003 17:52:27 -0600

    To add a bit more to this, Nachi tends to write itself in memory
    (DLLHOST.EXE), so VirusScan 4.5.1 will not pick this up. Durring the
    on-demand scan, it finds the two culprit files and deletes them.

    VirusScan 7.0 has a memory scanner, so as long as the definition file is
    current, it will catch Nachi before it writes to the drive.

    However, as stated below, it does not beat patching the system or disabling
    DCOM.

    -Matt

    -----Original Message-----
    From: Robert Slade, Threat Response Manager
    To: mjcarter@ihug.co.nz
    Cc: security-basics@securityfocus.com; focus-virus@securityfocus.com
    Sent: 11/27/2003 2:37 PM
    Subject: Re: McAfee Anti Virus V4.5.1 SP1

    > We have had 3 or 4 machines come up infected with Nachi today but the
    on
    > access scanner didn't pick it up. Carrying out a full system scan did
    > pick it up.

    Not terribly surprising.

    First of all, Nachi (and a great many others of its ilk) is a worm,
    acting
    specifically by making an attack on a vulnerability in an application or
    an operating system. In this case, it is, as you note, making RPC
    calls.
    (Turning off DCOM with something like dcomcnfg will prevent the attack
    from succeeding, and shouldn't create any problems unless you are using
    an
    MS Exchange mail server.)

    Nachi creates the files you note, but it does not necessarily read them.

    Generally on-access scanners shortcut scanning (in order to improve
    performance) and therefore the scanner will probably never scan the
    files.
     The full scan, as you noted, does. (In addition, on-access or other
    "automatic" scanners are always much less effective and accurate at
    detection in comparision to the base manual versions.)

    > Anyway... I'm trying to figure out why McAfee on access scanner isn't
    > picking these files up but the full system scan is. There is no
    > difference in the setup we have between on access or full scan.

    Hope this explains matters. 

    -- 
rslade@sprint.ca  rslade@fortinet.com  p1@cheerful.com rslade@vcn.bc.ca
victoria.tc.ca/techrev/secgloss.htm   sun.soci.niu.edu/~rslade/mnbk.htm
Vancouver office      +1-604-430-1297 ext. 823     fax: +1-604-430-1296
http://media.poly.edu/realmedia/electrical/eesem2003/eesem2003_11_06.ram
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------
  • Next message: Keith Chng : "RE: filter ssl traffic"