Security Incidents mailing list archives

RE: Strange servicepack.exe file (not service.exe) found.


From: "Kolde, Jennifer E." <jkolde () nosc mil>
Date: Thu, 18 Dec 2003 07:59:33 -0800

Note that McAfee VirusScan (v7.1 Enterprise, not sure about others) includes
an option to "Find potentially unwanted programs".  If this option is
selected (it is disabled by default) then McAfee will dutifully alert on
"suspect" programs such as psexec.exe (from Sysinternals' PSTools).  I have
not fully tested the range of programs it will detect / not detect - but a
quick check shows it will *not* alert on VNC, but it will alert on the
Serv-U FTP daemon, for example.

My own recent experience is that McAfee does a far better job vs.
Symantec/Norton of detecting things (even though neither app is perfect),
and the option above is a nice one to have...even if it's not a complete
solution.  You can always port scan your network to find out who's listening
on 5800 (or other port o' choice) and check to make sure those folks
*really* mean to be running something on that port.

Regards,
Jennifer Kolde


-----Original Message-----
From: John Ives [mailto:jives () cchem berkeley edu]
Sent: Wednesday, December 17, 2003 4:09 PM
To: incidents () securityfocus com
Subject: RE: Strange servicepack.exe file (not service.exe) found.


There are two answers to this.  The first is that it be a default option
that can be turned off by support staff.  The second is that IT staff could
(while building their distribution system, e.g. ghost images, etc.)
pre-approve the supported app.

Of course, my perspective is always clouded by the realities of supporting 
people on a university campus.  This feature may not be necessary for 
corporations, but it would help us.

John

At 06:45 PM 12/17/2003 -0500, Rob Shein wrote:
I can't imagine this concept working.  Imagine how users would react if VNC
were used in the workplace (as it is in some companies I know of), and it
popped up as a possible trojan or sign of compromise, because it's sometimes
used that way by hackers.  End users, who are the majority of people using
antivirus solutions, are prone to overreaction and panic, particularly where
viruses are concerned.  While giving the user more information and letting
them come to their own conclusion is theoretically the best way, actually
implementing that solution is going to cause massive problems from a support
perspective.

-----Original Message-----
From: John Ives [mailto:jives () cchem berkeley edu]
Sent: Wednesday, December 17, 2003 2:05 PM
To: incidents () securityfocus com
Subject: RE: Strange servicepack.exe file (not service.exe) found.


One of the things I have noticed with Symantec (and I am sure other vendors
do the same thing) is that files that have both good and bad uses are
considered good, no matter how rarely they are used that way.

A better system would be a prompt informing the user of the file's name,
location and any relevant information about its legitimate uses and asking
if this was running intentionally.  If so it should take a hash of the file
and its directory path, archive that information to a file, digitally sign
the file and use it as a reference whenever it does future scans.  If it is
not intentionally being run then quarantine it and notify the user that, if
there are any problems, they can un-quarantine the file by doing x y and z.

This isn't an absolute answer, because it still relies on the user to make
sound decisions, but it would help alleviate problems caused by legitimate
files performing illegitimate actions.

-------------------------------------------------
John Ives, GCWN, GCIH, GSEC
Systems Administrator
College of Chemistry
(510) 643-1033

"If you spend more on coffee than on IT security, then you will be hacked.
What's more, you deserve to be hacked."   - Richard Clarke

Any opinions expressed are my own and not those of the Regents of the
University of California.
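An added example, not part of any message in this thread, sketching the allowlist mechanism John Ives describes above: hash a file together with its directory path, archive the records in a signed file, and consult that file on later scans. It assumes Python's hashlib/hmac, an HMAC with a constructed demo key standing in for the digital signature, and temporary files standing in for an installed tool.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

# Constructed demo key standing in for the signing key; a real deployment would
# keep it where the user (and malware running as the user) cannot read it.
ALLOWLIST_KEY = b"constructed-demo-key"

def record_for(path: Path) -> dict:
    """Hash of the file contents together with its directory path."""
    path = path.resolve()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"dir": str(path.parent), "name": path.name, "sha256": digest}

def _mac(records: list) -> str:
    body = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ALLOWLIST_KEY, body, hashlib.sha256).hexdigest()

def sign(records: list) -> dict:
    """Archive the approved records under an HMAC so later edits are detected."""
    return {"records": records, "hmac": _mac(records)}

def classify(path: Path, allowlist: dict) -> str:
    """'approved' only if hash AND directory match a record in an intact list."""
    if not hmac.compare_digest(_mac(allowlist["records"]), allowlist["hmac"]):
        return "allowlist-tampered"
    return "approved" if record_for(path) in allowlist["records"] else "unknown"

def demo() -> dict:
    """Constructed scenario: one tool approved in place, then copied, changed, forged."""
    with tempfile.TemporaryDirectory() as tmp:
        tools, other = Path(tmp) / "tools", Path(tmp) / "other"
        tools.mkdir()
        other.mkdir()
        approved = tools / "vnc.exe"
        approved.write_bytes(b"demo binary v1")
        allowlist = sign([record_for(approved)])
        results = {"same_file": classify(approved, allowlist)}
        copied = other / "vnc.exe"  # same bytes, different directory
        copied.write_bytes(b"demo binary v1")
        results["same_hash_other_dir"] = classify(copied, allowlist)
        approved.write_bytes(b"demo binary v2")  # replaced in place
        results["modified_in_place"] = classify(approved, allowlist)
        forged = {"records": allowlist["records"] + [record_for(copied)],
                  "hmac": allowlist["hmac"]}  # record added without re-signing
        results["edited_allowlist"] = classify(copied, forged)
        return results

if __name__ == "__main__":
    print(demo())
```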

