Bugtraq mailing list archives
Re: NAI/McAfee Viruscan Engine does not scan .VBS files by defau
From: nick () VIRUS-L DEMON CO UK (Nick FitzGerald)
Date: Thu, 9 Mar 2000 00:30:49 +1200
> SYNOPSIS
> The default NAI/McAfee Viruscan Engine configuration does not include .VBS in the list of program file extensions, thereby skipping .VBS files when scanning. The VBS/Freelink virus and possible other viruses could go undetected.
<<snip>>
> SUMMARY
> Recently, an employee at our company got infected with the VBS\Freelink virus. Since we have Total Virus Defense, and have viruscan engines on our mail servers, file servers and client machines, we were quite surprised to have trouble with a virus that has been in the NAI DAT files since 07/07/1999 (DAT version 4035). A quick check told us that the default settings scan "only program files", and that the .VBS extension was not included in the default list of program extensions. Therefore, VBS files are skipped during scans. The only way to update this is by adding the VBS extension manually to the list of extensions in the client. We have contacted Network Associates Support about this February 12, and have been in touch with them multiple times. There seems to be some confusion about the problem at the support desk.
Posting this to a "bug" list seems a tad OTT. This is a long-standing issue/problem with antivirus software. A new infection mechanism is found that renders previously non-target file types potential targets. Sometimes these are incredibly arcane and the scope of the possible infection scenario extremely limited with perhaps the feeble proof-of-concept virus encompassing the extent of the likely threat (an example from recent years is the Windows INF-scripting virus -- hardly grounds for the addition of INF files to the default "files to scan" extension/type list).

The biggest "issue" here is that AV software is inherently data-driven. It is no news to the readers of this list that if you don't keep your scanner's DAT/DEF/whatever files up-to-date your scanner rapidly becomes obsolete. Oddly, in such a data-driven field, issues such as keeping virus scanner configurations up-to-date because "wise" default configuration options change due to the appearance of new virus types have not been dealt with in the same way. The "data" that you should add new file types to your config is dispersed poorly and incompletely, depending on the user stumbling across it rather than having it arrive and be acted upon automatically at the place where it is most needed.

I've written about this issue several times and have explicitly suggested to several developers that an "intelligent updater" option for program settings is as necessary as the technology they have developed to get millions upon millions of desktop scanners' virus detection databases updated every few days/weeks. That the AV developers have faced a rapidly increasing list of default file types to be concerned with over the last three years and seem to have mostly ignored this issue makes us cynics wonder whose interests they really hold uppermost...
> WORKAROUND
> Two possible solutions:
> - Add the .VBS extension to the list of program file extensions in the on-access monitor, and the viruscan program... Keep in mind that different viruscan programs have their own lists!
> - Select "Scan All Files"
In modest-sized networks, the use of the management tools should make automating this very easy...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
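
Added example, not part of the original message and not NAI's software: a Python sketch of the configuration audit the workaround implies, checking each scanner component's extension list for .VBS and showing which files an extension-driven scan would skip. The component names, list contents and file names are constructed for illustration and are not the product's real defaults or configuration format.

```python
import os

# Constructed per-component extension lists (hypothetical, not real NAI defaults).
COMPONENT_LISTS = {
    "on-access": "EXE COM DLL DOC XLS",
    "on-demand": "exe com dll doc xls vbs",
    "mail-gateway": "EXE, COM, DLL, .VBS",
}
REQUIRED = {"vbs"}  # extensions every component is expected to cover
SAMPLE_FILES = ["report.doc", "LINKS.VBS", "notes.txt.vbs", "setup.exe"]  # constructed


def parse_extensions(raw):
    """Normalise 'EXE, .vbs COM' style lists to a set of lowercase extensions."""
    tokens = raw.replace(",", " ").split()
    return {t.lstrip(".").lower() for t in tokens if t.strip(".")}


def would_scan(filename, extensions):
    """Extension-driven selection: only the final extension decides."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in extensions


def audit(component_lists, required):
    """Return {component: sorted missing extensions} for components with gaps."""
    gaps = {}
    for name, raw in component_lists.items():
        missing = required - parse_extensions(raw)
        if missing:
            gaps[name] = sorted(missing)
    return gaps


def skipped_files(filenames, raw_list):
    """Files that a scan limited to raw_list's extensions would never open."""
    exts = parse_extensions(raw_list)
    return [f for f in filenames if not would_scan(f, exts)]


if __name__ == "__main__":
    for comp, missing in audit(COMPONENT_LISTS, REQUIRED).items():
        skipped = skipped_files(SAMPLE_FILES, COMPONENT_LISTS[comp])
        print(f"{comp}: missing {missing}; would skip {skipped}")
```

Each component is checked separately because, as the workaround notes, each scanner program keeps its own list.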