Home page logo

basics logo Security Basics mailing list archives

RE: McAfee Anti Virus V4.5.1 SP1
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 3 Dec 2003 10:25:04 -0800

  I'm not certain about Nachi, but in the case of Slammer this was
entirely normal.
  An "on access" virus scan is going to (try to ...) detect viral
code in disk files as they are being loaded into memory to begin
execution.  To justify the name "on access", it *should* also detect
viral code being written to a file, but I can't swear that every
vendor actually does that.

  Slammer never wrote its code to any file on disk.  It infected the
copy of SQL Server (or a derivative product) already running in
memory.  There was never any point where an on access scanner would 
see it.  (This also meant that powering the machine off and then back
would get rid of an infection, although, unless other measures were
also taken, it would get re-infected pretty quickly.)

  Nachi clearly writes its viral code to disk.  But since it too 
spreads as a worm, I'm not certain that it needs to read the code 
back from disk before beginning to try to infect other machines.

David Gillett

-----Original Message-----
From: Lou [mailto:LouC () tmlp com]
Sent: November 28, 2003 10:37
To: security-basics () securityfocus com
Subject: Re: McAfee Anti Virus V4.5.1 SP1

not to sound full of myself, but i think everyone replying to 
this is wrong.
i dont know the EXACT reason as to why this is happening.  however, i
encountered the same problem back when the slammer worm was 
going around.  i
had norton on my machine actually and black ice at the same time.  my
machine would appear to be toally clean except my black ice 
.log files which
would say they were infected with the SQL slammer virus.  
seeing that this
is impossible unless the code was injected into the log, i 
quickly convinced
myself that it was an uncooparable pair of programs working 
together, and
later removed black ice, and got a REAL firewal (hardware).  
anyway i hope
that answers your question, or atleast relieves you.
----- Original Message ----- 
From: "Mike" <mjcarter () ihug co nz>
To: <security-basics () securityfocus com>
Sent: Friday, November 28, 2003 1:02 AM
Subject: McAfee Anti Virus V4.5.1 SP1

Hi All,
I have a question and  I can't get an answer from the vendor, their
is not free for this question.
We have had 3 or 4 machines come up infected with Nachi 
today but the on
access scanner didn't pick it up. Carrying out a full 
system scan did pick
it up.

I found the infected machines by going through Black Ice 
logs on my local
machine that showed RPC scans and then connecting to the 
remote machine's
C:\winnt\system32\wins directory and scanning the dllhost.exe and
svchost.exe files.

I don't have access to any kind of network scanner, our 
security policy
doesn't allow me to use them (I'm just a field ops support person).

Anyway... I'm trying to figure out why McAfee on access 
scanner isn't
picking these files up but the full system scan is. There 
is no difference
in the setup we have between on access or full scan.

Everything is up to date, including the MS patch levels, but that's

Is there another variant that might be stopping the on 
access scanner ???

Any ideas?







  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]