
RE: Dr Solomon's Virus Alert v. 4.5.0.451!

From: David Vincent <david.vincent(at)mightyoaks.com>
Date: Tue Feb 11 2003 - 17:57:07 EST


moderator: please let this through. i've got an interesting and somewhat related story.

our company developed a chat/personals component for a client for his singles-meeting-place website. the component was an activex download designed to be installed from a webpage. shortly after release, i came into work one day to find a bunch of alert emails letting me know each of our servers and most of the development workstations had been infected by a nasty virus overnight. turns out symantec has identified this activex control as a virus, despite the fact that users have to click OK to install it on their machines (opt-in, no drive-by here).

anyways, i'm faced with two options: make sure we never develop this product further since there is no way for me to exclude detection of this particular "virus" from the system (thankfully our client is on to other things), or exclude the dll, exe and other files from scanning and open myself up to possible malicious code in a separate file with the same name. anyone have an alternative?

been meaning to talk to symantec about this, more about adding the feature to turn off detection of particular viruses or possibly exclusions based on md5 hashes.

-d

-----Original Message-----
From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
Sent: February 11, 2003 1:50 PM
To: focus-virus@securityfocus.com
Subject: Re: Dr Solomon's Virus Alert v. 4.5.0.451!

<smoughan@hotmail.com> wrote:

> I was testing my company's virus scanners today and I found that Dr
> Solomon's Virus Alert v. 4.5.0.451 with the newest virus IDs doesn't
> detect NetBus Pro's server and would, even with the context menu's scan
> file option.

Do you need help?X

Huh?

That doesn't parse very well, but if you're asking what I think you are... Products running the Dr Solly/NAI engine have not detected "NetBus Pro", in a default install, for quite some time.

Before you decide that is an utter tragedy, some scanners do not detect it at all, but at least a few (including NAI's) will detect it under some "special" conditions. What these are specifically depends on the scanner (or engine) but may include factors such as whether the NetBus EXEs are "as shipped" (i.e. not renamed, not packed with a runtime decompressor, not "bound" with other EXEs, etc, etc) and/or on some special commandline or configuration options in the scanner.

The guts of the issue here is that the developer(s) of this ultra high-quality "system administration" product (for which stealth installation and programmatic open and close of the remote machine's CD drive are just two of the relatively unique features) threatened legal action against the major AV companies once their product "went commercial". These AV developers' legal departments either thought the NetBus developers had a good case or were too spineless to engage in lengthy and potentially expensive rounds of "nuisance" lawsuits, so took the easy way out and dropped detection, or at least dropped detection of the default installation.

Just adds more grist to my mill arguing that white-listing by conscientious sysadmins is increasingly the best approach to system code integrity management. Of course, you won't find a major AV developer shipping a product that will usefully allow you to implement such a scheme, as they are accustomed to their users suckling at the nipple of their addictive update model which in turn feeds their voracious appetite for ongoing income...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Received on Wed Feb 12 11:12:11 2003
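The hash-based approach both posters reach for (David's wish for exclusions keyed on a digest rather than a file name, Nick's argument for sysadmin white-listing as code integrity management), shown as an added Python example that is not from either poster or from any AV product: a manifest of approved files is baselined, then the tree is re-checked so that a same-named file with different content is reported as modified instead of being excluded from scanning. File names and contents in `demo()` are constructed; the default digest is sha256 rather than MD5 because MD5 collisions are practical.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256"):
    # Hash in chunks; "md5" also works here, but sha256 resists collisions.
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, algorithm="sha256"):
    # Baseline: digest of every file under root, keyed by relative path.
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_tree(root, manifest, algorithm="sha256"):
    # Trust needs path AND digest to match; a same-named swap is "modified".
    root = Path(root)
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unknown"].append(rel)
        elif file_digest(p, algorithm) == manifest[rel]:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report

def demo():
    # Constructed scenario with hypothetical names: baseline, then tamper.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "chatctl.dll").write_bytes(b"MZ approved build 1\n")
        (root / "bin" / "chatctl.exe").write_bytes(b"MZ approved build 1\n")
        manifest = build_manifest(root)
        (root / "bin" / "chatctl.dll").write_bytes(b"MZ something else\n")
        (root / "bin" / "helper.exe").write_bytes(b"MZ never approved\n")
        return verify_tree(root, manifest)
```

`demo()` returns the report dict; in practice the manifest would be written out once per approved build and the check run on a schedule or at deploy time.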

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

