Security Basics mailing list archives
RE: McAfee Anti Virus V4.5.1 SP1
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 3 Dec 2003 10:25:04 -0800
I'm not certain about Nachi, but in the case of Slammer this was entirely normal.

An "on access" virus scan is going to (try to ...) detect viral code in disk files as they are being loaded into memory to begin execution. To justify the name "on access", it *should* also detect viral code being written to a file, but I can't swear that every vendor actually does that.

Slammer never wrote its code to any file on disk. It infected the copy of SQL Server (or a derivative product) already running in memory. There was never any point where an on access scanner would see it. (This also meant that powering the machine off and then back on would get rid of an infection, although, unless other measures were also taken, it would get re-infected pretty quickly.)

Nachi clearly writes its viral code to disk. But since it too spreads as a worm, I'm not certain that it needs to read the code back from disk before beginning to try to infect other machines.

David Gillett
-----Original Message-----
From: Lou [mailto:LouC () tmlp com]
Sent: November 28, 2003 10:37
To: security-basics () securityfocus com
Subject: Re: McAfee Anti Virus V4.5.1 SP1

Not to sound full of myself, but I think everyone replying to this is wrong. I don't know the EXACT reason as to why this is happening. However, I encountered the same problem back when the Slammer worm was going around. I had Norton on my machine actually and Black Ice at the same time. My machine would appear to be totally clean except my Black Ice .log files, which would say they were infected with the SQL Slammer virus. Seeing that this is impossible unless the code was injected into the log, I quickly convinced myself that it was an uncooperative pair of programs working together, and later removed Black Ice, and got a REAL firewall (hardware). Anyway, I hope that answers your question, or at least relieves you.

_LC-

----- Original Message -----
From: "Mike" <mjcarter () ihug co nz>
To: <security-basics () securityfocus com>
Sent: Friday, November 28, 2003 1:02 AM
Subject: McAfee Anti Virus V4.5.1 SP1

Hi All,

I have a question and I can't get an answer from the vendor; their support is not free for this question.

We have had 3 or 4 machines come up infected with Nachi today but the on access scanner didn't pick it up. Carrying out a full system scan did pick it up. I found the infected machines by going through Black Ice logs on my local machine that showed RPC scans and then connecting to the remote machine's C:\winnt\system32\wins directory and scanning the dllhost.exe and svchost.exe files.

I don't have access to any kind of network scanner; our security policy doesn't allow me to use them (I'm just a field ops support person).

Anyway... I'm trying to figure out why the McAfee on access scanner isn't picking these files up but the full system scan is. There is no difference in the setup we have between on access or full scan. Everything is up to date, including the MS patch levels, but that's another story.

Is there another variant that might be stopping the on access scanner??? Any ideas?

Thanks
Mike
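The detection gap David describes, as an added example that is not code from the thread: a toy on-access scanner that only sees file execute events (and file writes only when that option is enabled), compared with a full disk scan and a memory scan. The marker byte string, the event lists and the process name are constructed; the wins directory and dllhost.exe file name are taken from Mike's message.

```python
# Toy model of the on-access vs. full-scan gap discussed in the thread.
# Added example; all events, the marker and the process name are constructed.
from dataclasses import dataclass, field

MARKER = b"CONSTRUCTED-WORM-MARKER"  # stand-in "signature", not real malware

@dataclass
class Host:
    disk: dict = field(default_factory=dict)    # file path -> contents
    memory: dict = field(default_factory=dict)  # process name -> injected code

def matches(blob: bytes) -> bool:
    return MARKER in blob

def on_access_scan(host: Host, events, scan_on_write: bool):
    """Replay events through an on-access hook. The hook fires on exec,
    and on write only when the vendor enables scan-on-write."""
    hits = []
    for ev in events:
        if ev["type"] == "write":
            host.disk[ev["path"]] = ev["data"]
            if scan_on_write and matches(ev["data"]):
                hits.append(ev["path"])
        elif ev["type"] == "exec":
            if matches(host.disk.get(ev["path"], b"")):
                hits.append(ev["path"])
        elif ev["type"] == "inject":
            # Code arrives over the network into a running process: no file
            # is opened, written or executed, so the hook never fires.
            host.memory[ev["process"]] = ev["data"]
    return hits

def full_scan(host: Host):       # walks every file regardless of access
    return [p for p, d in host.disk.items() if matches(d)]

def memory_scan(host: Host):     # what an on-access file hook cannot see
    return [p for p, d in host.memory.items() if matches(d)]

# Constructed event streams for the two behaviours discussed.
NACHI_LIKE = [  # worm drops a file, but nothing executes it through the hook
    {"type": "write", "path": r"C:\winnt\system32\wins\dllhost.exe", "data": MARKER},
    {"type": "exec", "path": r"C:\winnt\notepad.exe"},
]
SLAMMER_LIKE = [  # memory-only: the payload never touches disk at all
    {"type": "inject", "process": "sqlservr.exe", "data": MARKER},
]

def run(events, scan_on_write):
    host = Host()
    return on_access_scan(host, events, scan_on_write), full_scan(host), memory_scan(host)
```

With scan-on-write off, the dropped file is found only by the full scan, which mirrors Mike's observation; the memory-only case is invisible to both file scans and shows why a reboot cleared Slammer.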