Security Basics mailing list archives

RE: virus got past mcafee viruscan 8.7


From: "Oliver Friedrichs" <oliver () immunet com>
Date: Thu, 7 May 2009 10:23:25 -0700


There are industry accepted tests that regularly test the pro-active
detection capabilities of most leading products.  See
http://www.av-comparatives.org/images/stories/test/ondret/report20.pdf for
an example.

Oliver Friedrichs
Immunet Corporation
2741 Middlefield Road, Palo Alto, CA  94306
Office: +1 (650) 851-2546
Cell: +1 (650) 208-5151



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Michael Graham
Sent: Wednesday, May 06, 2009 2:50 PM
To: Jeffrey Walton
Cc: security-basics () securityfocus com; anand.narine () gmail com
Subject: Re: virus got past mcafee viruscan 8.7

I'm sorry, but I don't think a three year old (or more) book written
by an employee of an anti-virus vendor and published by said
anti-virus vendor is a reasonable third party reference as to whether
or not anti-virus is effective.  There's no need to debate the matter
as a theoretical.  Edit a common virus payload into an executable a
little ways past the 100th byte and upload it to
http://www.virustotal.com/ See for yourself how many of the AV engines
detect it.  Then do it before the 100th.  The difference in the two
should settle the matter for you far better than whatever I write
could.

Anti-virus just isn't particularly effective anymore except against
very common or poorly written malware.  It's great for that, but if
you have any concern whatsoever about targeted malware, 0-days, or
have a real need to "catch everything" then you should be looking to
HIPS not AV.  Signatures and byte-by-byte checking can't keep up;
watching and protecting the stack sometimes can.

As to the original question (which I probably should have answered
while ranting about how untrustworthy AV is):

The AV software is most likely being denied the ability or the
opportunity to prevent the malware from sending the spam.  That
doesn't mean that the AV software cannot still stop you from telnetting
outbound to 25.  So that verification is probably invalid.

On Wed, May 6, 2009 at 2:54 PM, Jeffrey Walton <noloader () gmail com> wrote:
Could you qualify this statement? I don't believe it accurately
reflects the current state of the art in detection. For a survey, read
Szor's 'The Art of Virus Research and Defense'. I'd suspect the
malware is relatively new or otherwise has not been analysed. Perhaps
the OP should submit the malware for analysis.

Jeff

On 5/6/09, Michael Graham <jmgraham () gmail com> wrote:
Unfortunately, anti-virus isn't capable of stopping the most common or
basic of malware.  Simply moving the hostile payload beyond the first
hundred bytes or so of an executable is enough to prevent most AV
software from detecting/alerting.  Beyond that, the number of
third-party applications with serious vulnerabilities (Acrobat seems
to be this year's problem) means that relying on anti-virus to prevent
malware infection is likely to result in an unpleasant surprise.

On Tue, May 5, 2009 at 7:49 PM, Anand Narine <anand.narine () gmail com>
wrote:
Hi all
Our client workstations all have McAfee antivirus installed, but a
virus infected one particular PC and has been sending out spam by
making outbound connections on port 25.
McAfee VirusScan 8.7 blocks programs from making outbound connections
on port 25 by default, so how did the virus get past? I verified that
McAfee was working since I could not telnet to any mail server on the
internet via port 25.

[SNIP]

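The check Michael's point calls for (does the port-25 block apply to the process that is actually sending, not just to telnet?) as an added example; this is not code from anyone in the thread. It scans constructed connection-log lines in an assumed layout (not a McAfee log format) and reports every process outside an assumed mail-client allow-list that touched TCP/25, together with whether the attempt was blocked or established.

```python
"""Flag outbound SMTP (TCP/25) attempts by processes that are not expected
mail clients. Constructed log layout (an assumption for this example):
    <timestamp> <process_image> <dst_ip>:<dst_port> <state>
"""
import re
from typing import Dict, List

# Processes a workstation is expected to let speak SMTP (assumed allow-list).
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<image>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<state>\S+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one connection-log line; raise ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def find_suspicious_smtp(lines: List[str]) -> List[Dict[str, str]]:
    """Return TCP/25 attempts by processes outside the allow-list.

    A console telnet test only proves the rule fires for telnet.exe; this
    looks at what every process did, and keeps the state so a blocked
    telnet and an established malware connection show up side by side.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        image = rec["image"].rsplit("\\", 1)[-1].lower()
        if rec["port"] == "25" and image not in MAIL_CLIENT_ALLOWLIST:
            hits.append({k: rec[k] for k in ("ts", "image", "dst", "state")})
    return hits


# Constructed sample log (not real data). Line 2 is the admin's telnet test
# being blocked; line 3 is an unexpected process that got its mail out.
SAMPLE_LOG = """\
2009-05-05T19:40:01 C:\\Office12\\outlook.exe 192.0.2.10:25 ESTABLISHED
2009-05-05T19:40:05 C:\\Windows\\System32\\telnet.exe 198.51.100.7:25 BLOCKED
2009-05-05T19:41:12 C:\\Temp\\svchost.exe 203.0.113.5:25 ESTABLISHED
2009-05-05T19:41:13 C:\\Windows\\System32\\svchost.exe 203.0.113.9:443 ESTABLISHED
"""

if __name__ == "__main__":
    for hit in find_suspicious_smtp(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['image']} -> {hit['dst']}:25 [{hit['state']}]")
```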

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means you
pass the exam. Gain a laser like insight into what is covered on the exam,
with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
