RE: McAfee Anti Virus V4.5.1 SP1

["David Gillett" <gillettdavid () fhda edu>]

  I'm not certain about Nachi, but in the case of Slammer this was
entirely normal.
  An "on access" virus scan is going to (try to ...) detect viral
code in disk files as they are being loaded into memory to begin
execution.  To justify the name "on access", it *should* also detect
viral code being written to a file, but I can't swear that every
vendor actually does that.

  Slammer never wrote its code to any file on disk.  It infected the
copy of SQL Server (or a derivative product) already running in
memory.  There was never any point where an on access scanner would 
see it.  (This also meant that powering the machine off and then back
would get rid of an infection, although, unless other measures were
also taken, it would get re-infected pretty quickly.)

  Nachi clearly writes its viral code to disk.  But since it too 
spreads as a worm, I'm not certain that it needs to read the code 
back from disk before beginning to try to infect other machines.

David Gillett


> -----Original Message-----
> From: Lou [mailto:LouC () tmlp com]
> Sent: November 28, 2003 10:37
> To: security-basics () securityfocus com
> Subject: Re: McAfee Anti Virus V4.5.1 SP1
>
>
> not to sound full of myself, but i think everyone replying to 
> this is wrong.
> i dont know the EXACT reason as to why this is happening.  however, i
> encountered the same problem back when the slammer worm was 
> going around.  i
> had norton on my machine actually and black ice at the same time.  my
> machine would appear to be toally clean except my black ice 
> .log files which
> would say they were infected with the SQL slammer virus.  
> seeing that this
> is impossible unless the code was injected into the log, i 
> quickly convinced
> myself that it was an uncooparable pair of programs working 
> together, and
> later removed black ice, and got a REAL firewal (hardware).  
> anyway i hope
> that answers your question, or atleast relieves you.
> _LC-
> ----- Original Message ----- 
> From: "Mike" <mjcarter () ihug co nz>
> To: <security-basics () securityfocus com>
> Sent: Friday, November 28, 2003 1:02 AM
> Subject: McAfee Anti Virus V4.5.1 SP1
>
>
> > Hi All,
> > I have a question and  I can't get an answer from the vendor, their
> support
> > is not free for this question.
> > We have had 3 or 4 machines come up infected with Nachi 
> today but the on
> > access scanner didn't pick it up. Carrying out a full 
> system scan did pick
> > it up.
> >
> > I found the infected machines by going through Black Ice 
> logs on my local
> > machine that showed RPC scans and then connecting to the 
> remote machine's
> > C:\winnt\system32\wins directory and scanning the dllhost.exe and
> > svchost.exe files.
> >
> > I don't have access to any kind of network scanner, our 
> security policy
> > doesn't allow me to use them (I'm just a field ops support person).
> >
> > Anyway... I'm trying to figure out why McAfee on access 
> scanner isn't
> > picking these files up but the full system scan is. There 
> is no difference
> > in the setup we have between on access or full scan.
> >
> > Everything is up to date, including the MS patch levels, but that's
> another
> > story.
> >
> > Is there another variant that might be stopping the on 
> access scanner ???
> > Any ideas?
> >
> > Thanks
> >
> > Mike
> --------------------------------------------------------------
> ------------
> -
> >
> --------------------------------------------------------------
> ------------
> --
> >
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------