Home page logo

bugtraq logo Bugtraq mailing list archives

Re: NAI/McAfee Viruscan Engine does not scan .VBS files by defau
From: nick () VIRUS-L DEMON CO UK (Nick FitzGerald)
Date: Thu, 9 Mar 2000 00:30:49 +1200

The default NAI/McAfee Viruscan Engine configuration does not
include .VBS in the list of program file extensions, thereby
skipping .VBS files when scanning. The VBS/Freelink virus and
possible other viruses could go undetected.
Recently, an employee at our company got infected with the
VBS\Freelink virus. Since we have Total Virus Defense, and have
viruscan engines on our mail servers, file servers and client
machines, we were quite surprised to have trouble with a virus that
has been in the NAI DAT files since 07/07/1999 (DAT version 4035).

A quick check told us that the default settings scan "only program
files", and that the .VBS extension was not included in the default
list of program extensions. Therefore, VBS files are skipped during
scans. The only way to update this is by adding the VBS extension
manually to the list of extensions in the client.

We have contacted Network Associates Support about this Februari 12,
and have been in touch with them multiple times. There seems to be
some confusion about the problem at the support desk.

Posting this to a "bug" list seems a tad OTT.

This is a long-standing issue/problem with antivirus software.  A new
infection mechanism is found that renders previously non-target file
types potential targets.  Sometimes these are incredibly arcane and
the scope of the possible infection scenario extremely limited with
perhaps the feeble proof-of-concept virus encompassing the extent of
the likely threat (an example from recent years is the Windows
INF-scripting virus -- hardly grounds for the addition of INF files
to the default "files to scan" extension/type list).

The biggest "issue" here is that AV software is inherently
data-driven.  It is no news to the readers of this list that if you
don't keep your scanner's DAT/DEF/whatever files up-to-date your
scanner rapidly becomes obsolete.  Oddly, in such a data-driven
field, issues such as keeping virus scanner configurations up-to-date
because "wise" default configuration options change due to the
appearance of new virus types have not been dealt with in the same
way.  The "data" that you should add new file types to your config is
dispersed poorly and incompletely, depending on the user stumbling
across it rather having it arrive and be acted upon automatically at
the place where it is most needed.

I've written about this issue several times and have explicitly
suggested to several developers that an "intelligent updater" option
for program settings is as necessary as the technology they have
developed to get millions upon millions of desktop scanners virus
detection databases updated evry few days/weeks.  That the AV
developers have faced a rapidly increasing list of default file types
to be concerned with over the last three years and seem to have
mostly ignored this issue makes us cynics wonder whose interests they
really hold uppermost...

Two possible solutions:
- - Add the .VBS extension to the list of program file extensions in
the on-access monitor, and the viruscan program... Keep in mind that
different viruscan programs have their own lists! - - Select "Scan
All Files"

In modest-sized networks, the use of the management tools should make
automating this very easy...

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]