Pantek Library

Re: Dr Solomon's Virus Alert v. 4.5.0.451!

From: Nick FitzGerald <nick(at)virus-l.demon.co.uk>
Date: Tue Feb 11 2003 - 16:49:45 EST


<smoughan@hotmail.com> wrote:

> I was testing my company's virus scanners today and I found that Dr

Huh?

That doesn't parse very well, but if you're asking what I think you are... Products running the Dr Solly/NAI engine have not detected "NetBus Pro", in a default install, for quite some time.

Before you decide that is an utter tragedy, some scanners do not detect it at all, but at least a few (including NAI's) will detect it under some "special" conditions. What these are specifically depends on the scanner (or engine) but may include factors such as whether the NetBus EXEs are "as shipped" (i.e. not renamed, not packed with a runtime decompressor, not "bound" with other EXEs, etc, etc) and/or on some special commandline or configuration options in the scanner.

The guts of the issue here is that the developer(s) of this ultra high-quality "system administration" product (for which stealth installation and programmatic open and close of the remote machine's CD drive are just two of the relatively unique features) threatened legal action against the major AV companies once their product "went commercial". These AV developers' legal departments either thought the NetBus developers had a good case or were too spineless to engage in lengthy and potentially expensive rounds of "nuisance" lawsuits, so took the easy way out and dropped detection, or at least dropped detection of the default installation.

Just adds more grist to my mill arguing that white-listing by conscientious sysadmins is increasingly the best approach to system code integrity management. Of course, you won't find a major AV developer shipping a product that will usefully allow you to implement such a scheme, as they are accustomed to their users suckling at the nipple of their addictive update model which in turn feeds their voracious appetite for ongoing income...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Received on Tue Feb 11 17:31:27 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT
