Symantec have a time machine!

I logged a ticket with Symantec today as I needed to download Maintenance Release 7 for their corporate edition 10.1 yet their fileconnect website only gave me version 11 (which is so unstable we refuse to install it). 2 hours later I got an email from their support site that started “We have been trying to reach you in the last few days to assist you with the issue regarding Symantec Antivirus but unfortunately we have not been able to do so.”
I guess they’ve invented a time machine in order to try and beat their really long wait times on hold for support…..either that or I forgot that I logged a ticket several days ago and they’ve finally got round to dealing with it!
Anyway, they’ve given me a new serial number to log into the website with so I can download the older version. I’m not sure if it’s an inplace upgrade (I hope so) rather than a removal and reinstall again – if its the removal and reinstall that means *another* 3 or 4 hours to remove, reboot, install and then fix the issues of the client software breaking other software again.
I guess I *really* need to get some time to investigate nod32 network deployments – anyone had any experience with this?

Valentines day warning.

I sent this around to a couple of my user sites today. I was glad to see that some of the users did actually read the notice as I got several replies back saying it made them laugh.

Please note that there are several hoax valentine day cards going around the internet that links to malicious software. If you received a valentines day ecard please do not open it and tell your loved one not to be a cheapskate and buy a real card.

STUPID Symantec antivirus – Autoit is not a virus.

It’s going to be a long day for sysadmins who use AutoIT on their production Lan as symantec has detected the product as MSN.flooder in their dat files – the last time this happened was Jan 2006. Fortunately I only have it on a couple of pc’s but it is going to be a real pain for someone who uses it on every desktop or in login scripts. This follows about a week after they crippled thousands of chinese pc’s by detecting windows files as virus’s. I sure wouldn’t want to be a chinese sysadmin running autoit! Home users can log a report at the symantec false positive report site but enterprise gold or platinum users need to contact support or submit a false positive report after updating the dats. To report using the antivirus application – right click the file in quarantine and choose submit to symantec security response. Unfortunately on my work pc I don’t have rights to do this!
Update Downloading the latest updates to May 31st defs, releasing the files from quarantine and then scanning did not quarantine the files again.
Update 2 It looks like the same definition patterns also got a false positive in Search & Destroy according to SANS.
Update 3 Html corrected to ensure the updates appear properly.

Adobe Flash player install triggers virus alerts

I installed Adobe’s flash player 6 on my pc tonight and was surprised to see Comodo Antivirus kick in with a “Not-a-virus:RiskTool.Win32.PsKill.q” for the nsprocess.dll file included as part of the install – presumably to kill any previous installs currently running. I’ve seen things like this with Symantec Antivirus and pskill from sysinternals before but not with Flash Player!
I submitted the file to virustotal.com and got the following results.

Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.09.2007 Win-Trojan/ProcKill.4096.B
AntiVir 7.4.0.15 05.09.2007 no virus found
Authentium 4.93.8 05.08.2007 no virus found
Avast 4.7.997.0 05.09.2007 no virus found
AVG 7.5.0.467 05.09.2007 no virus found
BitDefender 7.2 05.10.2007 no virus found
CAT-QuickHeal 9.00 05.09.2007 no virus found
ClamAV devel-20070416 05.09.2007 no virus found
DrWeb 4.33 05.09.2007 no virus found
eSafe 7.0.15.0 05.08.2007 no virus found
eTrust-Vet 30.7.3622 05.09.2007 no virus found
Ewido 4.0 05.09.2007 no virus found
FileAdvisor 1 05.10.2007 No threat detected
Fortinet 2.85.0.0 05.09.2007 no virus found
F-Prot 4.3.2.48 05.09.2007 W32/Trojan.RZG
F-Secure 6.70.13030.0 05.10.2007 no virus found
Ikarus T3.1.1.7 05.09.2007 no virus found
Kaspersky 4.0.2.24 05.10.2007 no virus found
McAfee 5027 05.09.2007 potentially unwanted program Generic PUP
Microsoft 1.2503 05.09.2007 no virus found
NOD32v2 2255 05.09.2007 no virus found
Norman 5.80.02 05.09.2007 no virus found
Panda 9.0.0.4 05.09.2007 no virus found
Prevx1 V2 05.10.2007 no virus found
Sophos 4.17.0 05.08.2007 no virus found
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.10.2007 no virus found
TheHacker 6.1.6.112 05.10.2007 Trojan/KillProc.p
VBA32 3.12.0 05.09.2007 no virus found
VirusBuster 4.3.7:9 05.09.2007 no virus found
Webwasher-Gateway 6.0.1 05.09.2007 no virus found

That is 5 antivirus products that presumably block or intefere with Flash from being installed.

Plesk worm on windows servers

There has been a worm infecting Windows servers running the popular plesk package (that provides shared windows hosting) due to a vulnerability in mailenable. My host has provided details on available fix, but first they disabled pop3 access to prevent the worm spreading. An interesting method of propagation and a pretty drastic measure to stop it – hopefully everyone signs up for the forum notifications or their helpdesk is going to be very busy.

More wmf stuff

There is now an unofficial patch out for the wmf flaw but it is currently unavailable. More details at F-Secure’s blog. SANS has a mirrored link of the patch as the original authors website is unavailable, probably because everyone is hitting his site. However, google’s cache of the page that talks about the flaw is available and worth looking at. I’m posting the details into my extended entry in case the google page gets wiped.

Continue reading “More wmf stuff”

Low scammers

I’ve just had a scam email pretending to be from Bank Of The West (who I’ve never even heard of) saying that there has been fraudulent activity on my bank account. A DNS lookup on the domain that they’ve registered (on Tuesday) has an address in New Orleans – probably as they know that it is going to be impossible to trace that for the forseeable future.
As usual the website is actually hosted in the far east – Vietnam in this case.

Stopping zombies?

Interesting to see that it looks like the police are getting involved with contacting isps to ask them to do something about pc’s that are infected with viruses and acting as zombies according to net4nowt.
Wish they would do something about the french isp hosting phishing accounts. I received an email on Friday asking me to verify my ebay information and checking the website it is hosted on Amen’s servers. There was no email contact information on the website, their “online chat guide” is permanently engaged and the only way to contact the support department is to register with them or be an existing customer (I wonder if an EX customer like me is included in that latter category). An email to [email protected] has so far only come back with a (autoreply) statement saying they will take immediate action to stop spammers and to forward them the headers – which I did on the initial posting.