AntiVirus

Microsoft Antigen for exchange

I downloaded Microsoft’s Antigen for Exchange last night and installed it on a server to remove some old viruses that were stuck in the mail store (there is no scheduled scan of the mail store as real-time desktop and SMTP scanning is now used for virus protection). Although the product did the job of deleting the mail, the whole admin interface is awful to use and the support on the Microsoft website is non-existent – there are NO documents in the TechNet database on Antigen version 9. With the various quirks in the admin interface and no support, this software really should be released as a beta. I’d only say beta due to the fact that it did remove the viruses; otherwise I’d recommend alpha status.
The extended entry contains my 22 points that I would provide as bug reports if it was in beta status.

Nav2006 first impressions

I’m not impressed. The product ships with virus definitions dated the 12th July and running Liveupdate says there are no new defs to install (but did install product updates the first time I ran it). However the pc upstairs running Nav2005 has definitions dated the 20th July. This might not be too bad on its own if it wasn’t for the fact that NAV constantly complains that the defs are out of date and to run live update. This complaining takes the form of popup messages in the corner of the screen and a yellow coloured caution bar containing a triangle and Norton in the bottom right of the screen next to the system tray. Why they couldn’t have just put the application in the system tray like everyone else I don’t know. Right click on Norton status and select Move to System Tray.
The one plus point to having the bar is that when the application silently crashes you can tell, because the bar disappears, which is more noticeable than having an icon in the systray disappear (which can happen with XP hiding icons when it feels like it). Yes, Nav has already crashed on me once and the only reason I noticed was because my email server refused to connect to any of my POP3 accounts yet I could ping them ok. Nav crashing had taken out the forwarding part of the proxy service but it was still capturing the outgoing traffic – just not forwarding it on to the mail server. As the bar had vanished I realised what the problem was and restarted the application (and said YES I KNOW THE DEFS ARE OUT OF DATE).
Another plus point is that I can now use Google Desktop search again as it is compatible with Nav – it wasn’t with Nod32 although this isn’t really a plus point to be honest.
The beta only lasts another 14 days (although their website says 30) and I’m glad, as so far the product is really awful. The initial scan of my hard disk took 6 hours for the 100GB of data (how did I get that much so quickly?) and the machine was pretty much unusable during this time as the response time was awful. It wasn’t too bad if only one application was used, but switching applications would take at least 60 seconds before the new one was available.
I have posted these points to Symantec at their feedback page and had no response back from them whatsoever. I think a beta program really should have a feedback forum so that it is possible to tell if anyone else is having the same problem and provide an ongoing support conversation with Symantec.

Nod detects a new virus….or does it?

I’ve been using nod32 on the home pc for the past week as I was having issues with my previous av software and gsak. Both avg and ca’s free av software do not give you the ability to exclude a directory from realtime scanning (or a lot of other so-called advanced features). This means gsak runs really slow.
I wasn’t about to install Norton or McAfee on the pc (despite the pc coming with a free version of Norton (but that is another rant – what’s the point of a “free” 90 day version of software? It’s not really free as it just encourages the poor sucker to go and buy the full version and think they are covered ok)) so I downloaded the trial version of nod32. Yes ok, this is similar to the free idea I just ranted about, but at least they are upfront in that it really is a trial version.
However, when I tried to download SIW, a system information gathering tool, nod decided it might be a virus as it has been packed with an executable packer. The file has now been submitted for analysis so it will be interesting to see a) how long it takes to come back with an answer and b) what their conclusion is. My gut feeling is that it’s been flagged due to the exe packing as a lot of viruses use this method to try and escape detection.
Incidentally I got the tip off about this software from PC Doctor who really should allow commenting instead of trackbacks!
Update: I guess they fixed it as I can download it ok today. Didn’t get an email from nod though.

11 reasons to run antivirus and a firewall…..

TR/dldr.delf.CB.1*2
BDS/Haxdoor.BH*3
TR/dldr.small.ait
TR/Drop.Funweb.A
Drop.Small.NK
BDS/Haxdoor.BH.1*2
PMS.WildTangent.B.1

Interestingly, Norton had already detected and deleted a couple of these files but didn’t detect any of the others. I had to boot from a Windows UltimateBootCD, download new dats for avpersonal and then run a scan. The avpersonal scan only took 30 minutes to run; the Trendmicro one has been going for about an hour and is still going. It’s a good job I don’t charge by the hour.

symantec updates

2 of our clients have managed to get corrupt symantec antivirus definitions which means the services stop. As the services are stopped I am unable to update them with the console and I’ve disabled liveupdate. Unfortunately the symantec.com websites are unavailable (and so was msn search) (even though they are using the akamai network to protect against ddos). In the end I used the ftp service at ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/ to download the definitions onto the local pc.
Having said all that I spent about an hour trying various things to fix the client but in the end gave up. I’ve now uninstalled the software and moved across to our new corporate mcafee software instead. I’m not saying this is any better (I doubt it) but we’ll see….
As I write this msn search and symantec are now available again.

Catch-Up

Not having that much internet access and the time to blog, I’ve quickly gone through my feeds and pulled a couple of things out of them.

  • A WUS Wiki which sounds like a bad day for Jonathan Ross, but is actually a wiki for the new Windows Update Services.
  • Links to videos of the Tsunami. This hit whilst we were on holiday and I never got to see any moving pictures of the wave itself – saw plenty of horrific news photos of the devastation afterwards though.
  • I removed Norton AntiVirus off the home computer as the subscription had run out and I’m not impressed with the number of infections that have gotten past it this year. Instead I’ve tried the free home edition of Avast’s Antivir software which looks ok. It certainly picked up on eicar when I downloaded it – will be interesting to see how it copes with email borne viruses.

Norton Antivirus 2005

My parents-in-law’s PC licence for Norton AntiVirus ran out a couple of days ago so they purchased the upgrade to 2005, which they downloaded but then couldn’t work out how to install as it needed the old version (2002) uninstalling and then setup running on the new version. I used UltraVNC to do all the work on their machine until I had gone through all the setup and then clicked on the reboot option (for about the third time), and now I can’t get back into the machine as the antivirus software comes with “worm protection” – a basic firewall that is now blocking access to their machine. I now have to wait until they get home and can see the email that I’ve sent asking for them to ring me so I can talk them through allowing me remote access to their machine.

NAV updates solution?

Seeing as though we were caught out with old definitions from Nav, despite running Liveupdate at 4am each day (which doesn’t detect if there are new NON-Liveupdate downloads), I wrote the following script to get the latest updates from Symantec at 6am, 12:30pm, 4.30pm and 9.30pm. Using wget it downloads the navup8.exe file (if it’s newer), runs it and then copies the .xdb files to the NAV directory. Hopefully by running it several times a day the traffic is light (as it only downloads if newer) and we shouldn’t be more than a few hours out of date and ahead of any virus infection is the idea. The only thing I can’t work out is how not to run the .exe file if the download didn’t actually happen. I guess I could log the download and search for a “file is same date” string and run the .exe on this condition…..that’s next week’s project for when I’m in the office.

rem Switch to the script directory (assumes C:\scripts\symantec already exists)
c:
cd \scripts\symantec
rem -N: only download when the server copy is newer than the local navup8.exe
wget -N ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/static/navup8.exe
rem Unpack the definitions (this runs even when nothing new was downloaded)
navup8.exe
rem Copy the unpacked definitions into the NAV program directory and log the result
move *.xdb c:\progra~1\nav >>c:\scripts\symantec\log.txt
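One way to close the gap the post describes (running navup8.exe only when wget -N actually fetched a newer copy), written here as a POSIX shell sketch of the same logic rather than the batch file above. This is added example code, not the post’s script; the directory names, the marker file name and the NAV_DIR location are assumptions. The idea ports directly to the batch version: keep a marker file, run the installer only when navup8.exe is newer than the marker, and stamp the marker after a successful install.

```shell
#!/bin/sh
# Added example, not the post's own script: run the definition installer only
# when `wget -N` actually fetched a newer navup8.exe. Directory names below
# are assumptions; change them to match the real layout.
DEF_DIR="${DEF_DIR:-/var/lib/symantec-defs}"
NAV_DIR="${NAV_DIR:-/opt/nav}"
DEF_URL="ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/static/navup8.exe"

# apply_if_newer FILE MARKER CMD...
# Runs CMD only when FILE is newer than MARKER (or MARKER does not exist yet),
# then gives MARKER the same timestamp as FILE so the next run is a no-op
# until a newer FILE appears. Exit status: 0 if CMD ran and succeeded,
# 2 if nothing needed doing, otherwise CMD's own failure status (so a failed
# install leaves the marker untouched and is retried next time).
apply_if_newer() {
    file=$1
    marker=$2
    shift 2
    if [ -e "$marker" ] && ! [ "$file" -nt "$marker" ]; then
        return 2
    fi
    "$@" || return $?
    touch -r "$file" "$marker"
}

# Fetch with -N so wget only downloads when the server copy is newer, then
# hand off to apply_if_newer. Plain FTP gives no integrity check: whatever
# lands in navup8.exe is what gets executed, so run this under an account
# that can write only the definitions directory and NAV_DIR.
fetch_and_apply() {
    cd "$DEF_DIR" || return 1
    wget -N "$DEF_URL" || return 1
    apply_if_newer navup8.exe .navup8.applied \
        sh -c "./navup8.exe && mv -f ./*.xdb \"$NAV_DIR\"/"
}

# Only perform the real fetch when invoked as: ./update-defs.sh run
if [ "${1:-}" = "run" ]; then
    fetch_and_apply
fi
```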

Ca Antivirus/Firewall

I installed the CA Antivirus firewall on the parents-in-law computer. The firewall is almost identical to ZoneAlarm. I’ve not used ZoneAlarm for several months/years now so I can’t tell if it is the same as the newer versions, but all the popup dialog boxes and the traffic meters in the taskbar are practically identical. The Antivirus is different and also includes spyware and popup blockers so it will be interesting to see how good they are – I’m sure I’ll have plenty of practice as I’ve already removed lop from the computer twice, amongst many other spyware infections on it. I’ve also installed SpywareGuard which aims to stop the drive-by installations (and I’ve also installed Firebird for my own surfing).