Re: McAfee Anti Virus V4.5.1 SP1

From: Jimi Thompson (jimit_at_myrealbox.com)
Date: 11/28/03

    Date: Fri, 28 Nov 2003 11:02:23 -0600
    To: "'security-basics@securityfocus.com '" <security-basics@securityfocus.com>


    If I recall correctly, this version of McAfee can be configured to scan
    any hard drives as well as memory periodically. I know that we
    typically set the servers to scan at 4am (to avoid our back up process)
    and desktops to scan at midnight every day just to catch this type of
    thing. We also set the virus definitions to self update at 11pm every
    day. In addition, we deployed the ePolicy Orchestrator so that we can
    manage the anti virus stuff from a single console. You do NOT need the
    ePolicy Orchestrator to make the configuration for the above, but if
    you don't have it then it means going out and physically touching all the
    machines to make sure that they are set correctly. It also becomes
    slightly problematic to keep the user from changing settings or
    disabling the scanning completely.

    The next thing to deal with is going to be your patch management
    process. Obviously, something has gone quite wrong with it. You are
    going to have to find out why the machines were vulnerable to this. Did
    the patch not apply properly? Did they not get the patch? There are
    some questions here that really need to be answered.

    Third, how did this thing get on your network in the first place? Why
    didn't your IDS pick up the initial infection?

    Good Luck,

    Jimi

    Pour, Matthew wrote:

    >To add a bit more to this, Nachi tends to write itself in memory
    >(DLLHOST.EXE), so VirusScan 4.5.1 will not pick this up. During the
    >on-demand scan, it finds the two culprit files and deletes them.
    >
    >VirusScan 7.0 has a memory scanner, so as long as the definition file is
    >current, it will catch Nachi before it writes to the drive.
    >
    >However, as stated below, it does not beat patching the system or disabling
    >DCOM.
    >
    >-Matt
    >
    >-----Original Message-----
    >From: Robert Slade, Threat Response Manager
    >To: mjcarter@ihug.co.nz
    >Cc: security-basics@securityfocus.com; focus-virus@securityfocus.com
    >Sent: 11/27/2003 2:37 PM
    >Subject: Re: McAfee Anti Virus V4.5.1 SP1
    >
    >
    >
    >>We have had 3 or 4 machines come up infected with Nachi today but the
    >>on access scanner didn't pick it up. Carrying out a full system scan did
    >>pick it up.
    >
    >Not terribly surprising.
    >
    >First of all, Nachi (and a great many others of its ilk) is a worm,
    >acting specifically by making an attack on a vulnerability in an
    >application or an operating system. In this case, it is, as you note,
    >making RPC calls. (Turning off DCOM with something like dcomcnfg will
    >prevent the attack from succeeding, and shouldn't create any problems
    >unless you are using an MS Exchange mail server.)
    >
    >Nachi creates the files you note, but it does not necessarily read them.
    >
    >Generally on-access scanners shortcut scanning (in order to improve
    >performance) and therefore the scanner will probably never scan the
    >files. The full scan, as you noted, does. (In addition, on-access or other
    >"automatic" scanners are always much less effective and accurate at
    >detection in comparison to the base manual versions.)
    >
    >
    >
    >>Anyway... I'm trying to figure out why McAfee on access scanner isn't
    >>picking these files up but the full system scan is. There is no
    >>difference in the setup we have between on access or full scan.
    >>
    >>
    >
    >Hope this explains matters.
    >
    >
    >
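    Jimi's second point (find out why the machines were vulnerable: did they never get the patch, or did it fail to apply?) is a reconciliation job. The script below is an added example, not code from this thread or from McAfee: it joins a constructed hotfix inventory export against a constructed nightly on-demand scan log and sorts each host into the situation that needs investigating. The export format, the log format, the host names and the hotfix id `KB000000` are all assumptions; replace the hotfix id with the one for the RPC/DCOM fix you actually require.

```python
"""Reconcile a patch inventory against an on-demand scan report.

Added example (not from the original thread). All inputs below are
constructed; the hotfix id is a placeholder for the RPC/DCOM fix.
"""
import re
from collections import defaultdict

# Placeholder: substitute the hotfix id your environment requires.
REQUIRED_HOTFIX = "KB000000"

# Constructed sample: an inventory export, one line per (host, hotfix).
HOTFIX_EXPORT = """\
host,hotfix,installed_on
ws-101,KB000000,10/20/2003
ws-102,KB111111,09/01/2003
ws-103,KB000000,10/20/2003
srv-01,KB000000,10/21/2003
ws-104,KB111111,09/01/2003
"""

# Constructed sample: one verdict line per host from the midnight scan.
SCAN_LOG = """\
11/28/2003 00:03:12 ws-101 Infected DLLHOST.EXE Nachi
11/28/2003 00:04:40 ws-102 Infected DLLHOST.EXE Nachi
11/28/2003 00:05:01 ws-103 Clean
11/28/2003 00:05:59 srv-01 Clean
11/28/2003 00:06:30 ws-104 Clean
"""

# date time host verdict ...; only the host and verdict fields matter here.
SCAN_RE = re.compile(r"^\S+ \S+ (?P<host>\S+) (?P<verdict>Infected|Clean)\b")


def parse_hotfix_export(text):
    """Return {host: set of hotfix ids reported as installed}."""
    installed = defaultdict(set)
    for line in text.strip().splitlines()[1:]:  # skip the header row
        host, hotfix, _installed_on = line.split(",")
        installed[host].add(hotfix)
    return installed


def parse_scan_log(text):
    """Return {host: True if the on-demand scan flagged it, else False}."""
    verdicts = {}
    for line in text.strip().splitlines():
        m = SCAN_RE.match(line)
        if m:
            verdicts[m.group("host")] = m.group("verdict") == "Infected"
    return verdicts


def triage(installed, verdicts, required=REQUIRED_HOTFIX):
    """Sort every host into one of four buckets.

    A host absent from the inventory export is treated as unpatched:
    no evidence of the patch is the same as no patch for this purpose.
    """
    buckets = {
        "never_patched_infected": [],  # patch never reached the host
        "patched_but_infected": [],    # inventory says patched; did it apply?
        "unpatched_exposed": [],       # clean today, still vulnerable
        "patched_clean": [],
    }
    for host in sorted(set(installed) | set(verdicts)):
        patched = required in installed.get(host, set())
        infected = verdicts.get(host, False)
        if infected and not patched:
            buckets["never_patched_infected"].append(host)
        elif infected and patched:
            buckets["patched_but_infected"].append(host)
        elif not patched:
            buckets["unpatched_exposed"].append(host)
        else:
            buckets["patched_clean"].append(host)
    return buckets


def run_sample():
    """Triage the constructed samples; returns the bucket dict."""
    return triage(parse_hotfix_export(HOTFIX_EXPORT), parse_scan_log(SCAN_LOG))


if __name__ == "__main__":
    for bucket, hosts in run_sample().items():
        print(f"{bucket:24s} {', '.join(hosts) or '-'}")
```

    The "patched_but_infected" bucket is the one Jimi's "did the patch not apply properly?" question is about: the inventory claims the fix is present, yet the scan found the worm, so either the reported install failed silently or the machine was compromised before the fix landed and was never cleaned. Hosts in "unpatched_exposed" are clean only by luck and belong at the front of the patch queue.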


