I logged a ticket with Symantec today as I needed to download Maintenance Release 7 for their corporate edition 10.1 yet their fileconnect website only gave me version 11 (which is so unstable we refuse to install it). 2 hours later I got an email from their support site that started “We have been trying to reach you in the last few days to assist you with the issue regarding Symantec Antivirus but unfortunately we have not been able to do so.”
I guess they’ve invented a time machine in order to try and beat their really long wait times on hold for support… either that or I forgot that I logged a ticket several days ago and they’ve finally got round to dealing with it!
Anyway, they’ve given me a new serial number to log into the website with so I can download the older version. I’m not sure if it’s an in-place upgrade (I hope so) rather than a removal and reinstall again – if it’s the removal and reinstall that means *another* 3 or 4 hours to remove, reboot, install and then fix the issues of the client software breaking other software again.
I guess I *really* need to get some time to investigate NOD32 network deployments – anyone had any experience with this?
I sent this around to a couple of my user sites today. I was glad to see that some of the users did actually read the notice as I got several replies back saying it made them laugh.
Please note that there are several hoax Valentine’s Day cards going around the internet that link to malicious software. If you received a Valentine’s Day ecard please do not open it, and tell your loved one not to be a cheapskate and buy a real card.
It’s going to be a long day for sysadmins who use AutoIT on their production LAN as Symantec has detected the product as MSN.flooder in their dat files – the last time this happened was Jan 2006. Fortunately I only have it on a couple of PCs but it is going to be a real pain for someone who uses it on every desktop or in login scripts. This follows about a week after they crippled thousands of Chinese PCs by detecting Windows files as viruses. I sure wouldn’t want to be a Chinese sysadmin running AutoIT! Home users can log a report at the Symantec false positive report site but enterprise Gold or Platinum users need to contact support or submit a false positive report after updating the dats. To report using the antivirus application – right click the file in quarantine and choose Submit to Symantec Security Response. Unfortunately on my work PC I don’t have rights to do this!
Update: Downloading the latest updates to the May 31st defs, releasing the files from quarantine and then scanning did not quarantine the files again.
Update 2: It looks like the same definition patterns also got a false positive in Search & Destroy according to SANS.
Update 3: HTML corrected to ensure the updates appear properly.
I installed Adobe’s Flash Player 6 on my PC tonight and was surprised to see Comodo Antivirus kick in with a “Not-a-virus:RiskTool.Win32.PsKill.q” for the nsprocess.dll file included as part of the install – presumably to kill any previous installs currently running. I’ve seen things like this with Symantec Antivirus and pskill from Sysinternals before but not with Flash Player!
I submitted the file to virustotal.com and got the following results.
| Antivirus | Version | Update | Result |
|---|---|---|---|
AhnLab-V3 | 2007.5.10.0 | 05.09.2007 | Win-Trojan/ProcKill.4096.B |
AntiVir | 7.4.0.15 | 05.09.2007 | no virus found |
Authentium | 4.93.8 | 05.08.2007 | no virus found |
Avast | 4.7.997.0 | 05.09.2007 | no virus found |
AVG | 7.5.0.467 | 05.09.2007 | no virus found |
BitDefender | 7.2 | 05.10.2007 | no virus found |
CAT-QuickHeal | 9.00 | 05.09.2007 | no virus found |
ClamAV | devel-20070416 | 05.09.2007 | no virus found |
DrWeb | 4.33 | 05.09.2007 | no virus found |
eSafe | 7.0.15.0 | 05.08.2007 | no virus found |
eTrust-Vet | 30.7.3622 | 05.09.2007 | no virus found |
Ewido | 4.0 | 05.09.2007 | no virus found |
FileAdvisor | 1 | 05.10.2007 | No threat detected |
Fortinet | 2.85.0.0 | 05.09.2007 | no virus found |
F-Prot | 4.3.2.48 | 05.09.2007 | W32/Trojan.RZG |
F-Secure | 6.70.13030.0 | 05.10.2007 | no virus found |
Ikarus | T3.1.1.7 | 05.09.2007 | no virus found |
Kaspersky | 4.0.2.24 | 05.10.2007 | no virus found |
McAfee | 5027 | 05.09.2007 | potentially unwanted program Generic PUP |
Microsoft | 1.2503 | 05.09.2007 | no virus found |
NOD32v2 | 2255 | 05.09.2007 | no virus found |
Norman | 5.80.02 | 05.09.2007 | no virus found |
Panda | 9.0.0.4 | 05.09.2007 | no virus found |
Prevx1 | V2 | 05.10.2007 | no virus found |
Sophos | 4.17.0 | 05.08.2007 | no virus found |
Sunbelt | 2.2.907.0 | 05.05.2007 | no virus found |
Symantec | 10 | 05.10.2007 | no virus found |
TheHacker | 6.1.6.112 | 05.10.2007 | Trojan/KillProc.p |
VBA32 | 3.12.0 | 05.09.2007 | no virus found |
VirusBuster | 4.3.7:9 | 05.09.2007 | no virus found |
Webwasher-Gateway | 6.0.1 | 05.09.2007 | no virus found |
That is 5 antivirus products that presumably block or interfere with Flash being installed.
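As an added example (not part of the original post), here is a small Python parser for the pipe-delimited VirusTotal report format shown above. It separates the engines that flagged the file from those that reported it clean, and it tells riskware/PUP style labels (like the Comodo “Not-a-virus:RiskTool” verdict or McAfee’s “Generic PUP”) apart from trojan labels, which is the first thing to check when a legitimate installer component such as a process-killing DLL trips detections. The embedded report is a subset of the rows from the table above; the clean-verdict phrases and the PUP keyword list are my own assumptions, not VirusTotal’s.

```python
"""Triage a VirusTotal-style 'Antivirus | Version | Update | Result' table."""
from __future__ import annotations

from dataclasses import dataclass

# Phrases that engines use for a clean verdict (compared case-insensitively).
# Assumption: anything not in this set counts as a detection, including
# PUP/riskware verdicts, since those are enough to quarantine an installer.
CLEAN_RESULTS = {"no virus found", "no threat detected", "clean", "-"}

# Keywords (assumed, not an official taxonomy) that mark a verdict as
# riskware/PUP rather than outright malware.
PUP_KEYWORDS = ("not-a-virus", "risktool", "riskware", "potentially unwanted", "pup")


@dataclass(frozen=True)
class ScanRow:
    engine: str
    version: str
    update: str
    result: str

    @property
    def flagged(self) -> bool:
        return self.result.strip().lower() not in CLEAN_RESULTS


def classify(result: str) -> str:
    """Return 'clean', 'pup' or 'malware' for one engine's result string."""
    lowered = result.strip().lower()
    if lowered in CLEAN_RESULTS:
        return "clean"
    if any(key in lowered for key in PUP_KEYWORDS):
        return "pup"
    return "malware"


def parse_report(text: str) -> list[ScanRow]:
    """Parse pipe-delimited rows; skips the header, separators and junk lines."""
    rows: list[ScanRow] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # blank or malformed line
        if cells[0].lower() == "antivirus":
            continue  # header row
        if set(cells[0]) <= set("-: "):
            continue  # markdown separator row such as |---|---|
        rows.append(ScanRow(*cells))
    return rows


def detections(rows: list[ScanRow]) -> dict[str, str]:
    """Map each flagging engine to the label it reported."""
    return {r.engine: r.result for r in rows if r.flagged}


def summarize(text: str) -> tuple[int, int, dict[str, str]]:
    """Return (flagged count, total engines, {engine: label})."""
    rows = parse_report(text)
    hits = detections(rows)
    return len(hits), len(rows), hits


# Constructed sample: a subset of the rows from the VirusTotal table above.
SAMPLE_REPORT = """\
Antivirus | Version | Update | Result |
AhnLab-V3 | 2007.5.10.0 | 05.09.2007 | Win-Trojan/ProcKill.4096.B |
AntiVir | 7.4.0.15 | 05.09.2007 | no virus found |
FileAdvisor | 1 | 05.10.2007 | No threat detected |
F-Prot | 4.3.2.48 | 05.09.2007 | W32/Trojan.RZG |
McAfee | 5027 | 05.09.2007 | potentially unwanted program Generic PUP |
NOD32v2 | 2255 | 05.09.2007 | no virus found |
Symantec | 10 | 05.10.2007 | no virus found |
TheHacker | 6.1.6.112 | 05.10.2007 | Trojan/KillProc.p |
"""

if __name__ == "__main__":
    flagged, total, hits = summarize(SAMPLE_REPORT)
    print(f"{flagged} of {total} engines flagged the file")
    for engine, label in hits.items():
        print(f"  {engine:12} {classify(label):8} {label}")
```

Pasting the full table from the post into `SAMPLE_REPORT` gives the same four flagging engines; the fifth product the post counts, Comodo, is not in the VirusTotal output and its “Not-a-virus:RiskTool” label classifies as `pup`.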
There has been a worm infecting Windows servers running the popular Plesk package (that provides shared Windows hosting) due to a vulnerability in MailEnable. My host has provided details on the available fix, but first they disabled POP3 access to prevent the worm spreading. An interesting method of propagation and a pretty drastic measure to stop it – hopefully everyone signs up for the forum notifications or their helpdesk is going to be very busy.
There is now an unofficial patch out for the WMF flaw but it is currently unavailable. More details at F-Secure’s blog. SANS has a mirrored link of the patch as the original author’s website is unavailable, probably because everyone is hitting his site. However, Google’s cache of the page that talks about the flaw is available and worth looking at. I’m posting the details into my extended entry in case the Google page gets wiped.
Although I am not aware of any customers running Snort, this may be of use to other people reading this: Snort 2.4, with the Back Orifice processor enabled, is vulnerable to attack as per the details at SANS.
I’ve just had a scam email pretending to be from Bank Of The West (who I’ve never even heard of) saying that there has been fraudulent activity on my bank account. A DNS lookup on the domain that they’ve registered (on Tuesday) has an address in New Orleans – probably as they know that it is going to be impossible to trace that for the foreseeable future.
As usual the website is actually hosted in the Far East – Vietnam in this case.
8 days after Vista was released to beta, the first virus appears. So an obviously secure platform then 🙂 At least this virus is not likely to spread very far as there are unlikely to be many Vista machines in deployment.
Interesting to see that it looks like the police are getting involved with contacting ISPs to ask them to do something about PCs that are infected with viruses and acting as zombies, according to net4nowt.
Wish they would do something about the French ISP hosting phishing accounts. I received an email on Friday asking me to verify my eBay information and, checking the website, it is hosted on Amen’s servers. There was no email contact information on the website, their “online chat guide” is permanently engaged and the only way to contact the support department is to register with them or be an existing customer (I wonder if an EX customer like me is included in that latter category). An email to [email protected] has so far only come back with an (autoreply) statement saying they will take immediate action to stop spammers and to forward them the headers – which I did on the initial posting.