Security Basics mailing list archives
Re: virus got past mcafee viruscan 8.7
From: Anand Narine <anand.narine () gmail com>
Date: Thu, 7 May 2009 06:13:30 -0400
Can anyone please recommend a good host intrusion protection program (HIPS) besides McAfee's? That may be the way to go.

On Wed, May 6, 2009 at 9:06 PM, Jeffrey Walton <noloader () gmail com> wrote:

> Hi Michael,
>
> > Edit a common virus payload into an executable a little ways past the
> > 100th byte and upload it to http://www.virustotal.com/ See for
> > yourself how many of the AV engines detect it.
>
> [Un]fortunately, I don't have any live payloads. However, running the
> EICAR test vector [1] did produce somewhat disappointing results. When
> the test string was placed at byte 64, only 5 scanners fired [2]. This
> dropped to 4 scanners when moved to offset 1024. I don't believe that
> extrapolating the results (to the 100th, 256th, 1024th byte...) is
> valid since EICAR specifies the first 68 bytes must be payload. But I
> would also expect a scanner to catch it wherever it is in an attempt
> to showcase their technology.
>
> In the end, the OP should get the malware submitted for analysis.
>
> Jeff
>
> [1] http://www.eicar.org/anti_virus_test_file.htm
> [2] http://www.virustotal.com/analisis/a5f9b85462298c92acf63db55cb29737
>
> On 5/6/09, Michael Graham <jmgraham () gmail com> wrote:
>
> > I'm sorry, but I don't think a three year old (or more) book written
> > by an employee of an anti-virus vendor and published by said
> > anti-virus vendor is a reasonable third party reference as to whether
> > or not anti-virus is effective.
> >
> > There's no need to debate the matter as a theoretical. Edit a common
> > virus payload into an executable a little ways past the 100th byte
> > and upload it to http://www.virustotal.com/ See for yourself how many
> > of the AV engines detect it. Then do it before the 100th. The
> > difference in the two should settle the matter for you far better
> > than whatever I write could.
> >
> > Anti-virus just isn't particularly effective anymore except against
> > very common or poorly written malware. It's great for that, but if
> > you have any concern whatsoever about targeted malware, 0-days, or
> > have a real need to "catch everything" then you should be looking to
> > HIPS not AV. Signatures and byte-by-byte checking can't keep up;
> > watching and protecting the stack sometimes can.
> >
> > As to the original question (which I probably should have answered
> > while ranting about how untrustworthy AV is): The AV software is most
> > likely being denied the ability or the opportunity to prevent the
> > malware from sending the spam. That doesn't mean that the AV software
> > cannot still stop you from telnetting outbound to 25. So that
> > verification is probably invalid.
> >
> > On Wed, May 6, 2009 at 2:54 PM, Jeffrey Walton <noloader () gmail com> wrote:
> >
> > > Could you qualify this statement? I don't believe it accurately
> > > reflects the current state of the art in detection. For a survey,
> > > read Szor's 'The Art of Virus Research and Defense'.
> > >
> > > I'd suspect the malware is relatively new or otherwise has not been
> > > analysed. Perhaps the OP should submit the malware for analysis.
> > >
> > > Jeff
> > >
> > > On 5/6/09, Michael Graham <jmgraham () gmail com> wrote:
> > >
> > > > Unfortunately, anti-virus isn't capable of stopping the most
> > > > common or basic of malware. Simply moving the hostile payload
> > > > beyond the first hundred bytes or so of an executable is enough
> > > > to prevent most AV software from detecting/alerting. Beyond that,
> > > > the number of third-party applications with serious
> > > > vulnerabilities (Acrobat seems to be this year's problem) means
> > > > that relying on anti-virus to prevent malware infection is likely
> > > > to result in an unpleasant surprise.
> > > >
> > > > On Tue, May 5, 2009 at 7:49 PM, Anand Narine <anand.narine () gmail com> wrote:
> > > >
> > > > > Hi all
> > > > >
> > > > > Our client workstations all have McAfee antivirus installed,
> > > > > but a virus infected a particular PC and has been sending out
> > > > > spam by making outbound connections on port 25. McAfee
> > > > > VirusScan 8.7 blocks programs from making outbound connections
> > > > > on port 25 by default, so how did the virus get past? I
> > > > > verified that McAfee was working since I could not telnet to
> > > > > any mail server on the internet via port 25.
> > > > >
> > > > > [SNIP]
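Jeff's EICAR-at-an-offset experiment above can be reproduced locally without touching any live sample. The following script is an added example written for this archive page, not code posted by any participant in the thread. It builds in-memory test buffers with the EICAR string at offset 0 (the spec-conformant form) and at the off-spec offsets 64 and 1024 mentioned in the thread, then runs two constructed toy scanners over each: one that only inspects the first 100 bytes (the "prefix window" failure mode the thread is arguing about) and one that inspects the whole buffer. It also returns each buffer's SHA-256 so a defender can look up an already-analysed hash instead of uploading. The offsets, the 100-byte window and the helper names are assumptions chosen to match the thread's numbers.

```python
"""Reproduce the EICAR-at-offset test discussed in the thread, offline.

Constructed example: two toy scanners illustrate why a signature engine
that only inspects a file's leading bytes misses a signature that has
been shifted past its window, while a whole-file scan still finds it.
"""
import hashlib

# The 68-byte EICAR test string (public, harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_buffer(offset: int, padding: bytes = b"\x00") -> bytes:
    """Return a buffer with the EICAR string starting at `offset`.

    offset 0 yields the spec-conformant test file; any other offset is
    the off-spec variant Jeff describes (constructed here purely to
    exercise a scanner, not a format EICAR guarantees detection for).
    """
    if offset < 0:
        raise ValueError("offset must be non-negative")
    return padding * offset + EICAR


def scan_prefix_only(data: bytes, window: int = 100) -> bool:
    """Toy scanner that only looks at the first `window` bytes."""
    return EICAR in data[:window]


def scan_whole_file(data: bytes) -> bool:
    """Toy scanner that searches the entire buffer."""
    return EICAR in data


def sha256_hex(data: bytes) -> str:
    """Hash to look up on a multi-engine service instead of uploading."""
    return hashlib.sha256(data).hexdigest()


def run_matrix(offsets=(0, 64, 1024), window: int = 100) -> dict:
    """Build each test buffer and record what both toy scanners report."""
    results = {}
    for off in offsets:
        blob = build_test_buffer(off)
        results[off] = {
            "length": len(blob),
            "prefix_scan": scan_prefix_only(blob, window),
            "whole_file_scan": scan_whole_file(blob),
            "sha256": sha256_hex(blob),
        }
    return results


if __name__ == "__main__":
    for off, r in run_matrix().items():
        print(f"offset={off:5d} len={r['length']:5d} "
              f"prefix_scan={r['prefix_scan']!s:5} "
              f"whole_file_scan={r['whole_file_scan']!s:5} "
              f"sha256={r['sha256']}")
```

Two caveats when reading the output: a real product that ignores the offset-64 and offset-1024 buffers is behaving within the EICAR specification (the string must begin at byte 0 and the file must be at most 128 bytes), so silence there is not by itself evidence of a broken engine, which is the point Jeff concedes; what the prefix-only scanner does show is the concrete failure mode of any scanner that stops reading after a fixed window. Hashing and looking up a sample before uploading also avoids leaking a potentially sensitive file, which matters more for the OP's real spam-sending binary than for EICAR.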