Bugtraq mailing list archives

NAI/McAfee Viruscan Engine does not scan .VBS files by default
From: mcafee-bugs () BUGTRAQ E-WARENESS BE (Bram Kerkhof)
Date: Tue, 7 Mar 2000 18:08:42 +0100

The default NAI/McAfee Viruscan Engine configuration does not include
.VBS in the list of program file extensions, thereby skipping .VBS
files when scanning. The VBS/Freelink virus and possibly other viruses
could go undetected.

- McAfee Viruscan NT Engine 4.0.3a
- McAfee Viruscan 9x Engine 4.0.3
- McAfee Netshield Engine 4.0.3
- McAfee Groupshield for Notes Engine 4.50

Remark: These are only the software versions we currently use in
production. Others may be affected too.

Recently, an employee at our company got infected with the
VBS/Freelink virus. Since we have Total Virus Defense, and have
viruscan engines on our mail servers, file servers and client
machines, we were quite surprised to have trouble with a virus that
has been in the NAI DAT files since 07/07/1999 (DAT version 4035).

A quick check told us that the default settings scan "only program
files", and that the .VBS extension was not included in the default
list of program extensions. Therefore, VBS files are skipped during
scans. The only way to update this is by adding the VBS extension
manually to the list of extensions in the client.

We contacted Network Associates Support about this on February 12,
and have been in touch with them multiple times. There seems to be
some confusion about the problem at the support desk.

Two possible solutions:
- Add the .VBS extension to the list of program file extensions in the
  on-access monitor, and the viruscan program... Keep in mind that
  different viruscan programs have their own lists!
- Select "Scan All Files"

On the NAI virus library page for VBS/Freelink, a short note is
included about the topic; but a lot of customers do not know about
this issue. See http://vil.nai.com/vil/vbs10225.asp for the full page.

Gregg De Winter
Bram Kerkhof

PGP Public Key
Get it at ldap://certserver.pgp.com
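
An added example, not part of the original post or any vendor tooling: a Python audit that takes a scanner's "program files" extension list and reports which Windows Script Host extensions it omits, and which files under a directory a filtered scan would therefore skip. It generalizes from .VBS to the other script-host file types; `SCRIPT_EXTENSIONS` is an assumed auditor-chosen set, and the extension list and file names in the demo are constructed.

```python
import os
import tempfile

# Windows Script Host file types (assumption: the set an auditor chooses to
# treat as executable script content; the post itself names only .VBS).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def normalize(ext):
    """Return an extension in lower case with a single leading dot."""
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


def uncovered_script_types(program_extensions):
    """Script extensions missing from a 'program files only' list."""
    covered = {normalize(e) for e in program_extensions if e.strip()}
    return sorted(SCRIPT_EXTENSIONS - covered)


def skipped_script_files(root, program_extensions):
    """Walk root and return script files an extension-filtered scan would skip."""
    missing = set(uncovered_script_types(program_extensions))
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Only the final extension decides, so 'invoice.txt.vbs' counts as .vbs.
            ext = os.path.splitext(name)[1].lower()
            if ext in missing:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed extension list for illustration; not the vendor's actual default.
    configured = ["EXE", "COM", "DLL", ".doc", "XLS"]
    with tempfile.TemporaryDirectory() as root:
        for name in ("setup.exe", "LINKS.VBS", "invoice.txt.vbs", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        print("uncovered types:", uncovered_script_types(configured))
        for path in skipped_script_files(root, configured):
            print("would be skipped:", path)
```

Because each scanning product keeps its own list, run the check once per product configuration rather than once per host.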