
SANS ISC: InfoSec Handlers Diary Blog



F-Secure Vulnerability; Symantec Patch/Update; Microsoft patch set; IDS Vendor Review

Published: 2005-02-11
Last Updated: 2005-02-12 00:07:37 UTC
by Handlers (Version: 1)
More antivirus vendor vulnerabilities. Follow-up on how to get Symantec products fixed. Microsoft patches may break video drivers. Personal experiences with various network detection (IDS/IPS) vendors.

F-Secure ARJ Vulnerability



In a late update to today's diary: it was announced today that F-Secure Anti-Virus (and related products) is vulnerable to a problem similar to the one reported against Symantec's products over the past two days. The main difference is that F-Secure's flaw involves the ARJ archive format instead of UPX. For details about the vulnerability and the affected products, please see the following URLs:







I have a feeling that ISS is going through all antivirus products and testing them for various vulnerabilities.


As more information is released, we will add information to the diary entry. -- The Internet Storm Center Team

Symantec UPX vulnerability, ongoing



Several of you wrote in with your own thoughts and experiences on how to patch/update your Symantec software. It appears that, at least for the Corporate Edition, you have to call Symantec with a valid support contract, and they will provide you with an upgrade.



The handlers' list was largely focused on the . Symantec's web site seems to indicate that they actually do have a patch for this:



"Note: Virus definitions version 70209af (extended version 2/9/2005 rev. 32) or greater contain this heuristic."




It's well worth running LiveUpdate if you haven't already.
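To turn Symantec's note into something you can run against what LiveUpdate reports, here is an added example (not from the diary and not Symantec's code) that parses a definitions version in either of the two forms quoted above and tells you whether it is at or past 70209af / 2/9/2005 rev. 32. The string formats, the ordering of the revision letters (a..z, then aa, ab, ...) and the refusal to convert between the two numbering schemes are assumptions inferred from the quoted strings, not documented Symantec behaviour.

```python
import re
from datetime import date

# Minimum definitions version quoted from Symantec's note on this page, in
# both forms Symantec publishes: short (sequence number + revision letters)
# and extended (date, "rev." and a revision number).
MIN_SHORT = "70209af"
MIN_EXTENDED = "2/9/2005 rev. 32"

# Assumed formats, inferred from the quoted strings (not from Symantec docs):
#   short:    digits followed by lowercase revision letters, e.g. 70209af
#   extended: M/D/YYYY followed by "rev." and a revision number
_SHORT_RE = re.compile(r"^(\d+)([a-z]*)$")
_EXTENDED_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})\s+rev\.\s*(\d+)$")


def form(version):
    """Return 'short' or 'extended' for a definitions version string."""
    v = version.strip().lower()
    if _SHORT_RE.match(v):
        return "short"
    if _EXTENDED_RE.match(v):
        return "extended"
    raise ValueError(f"unrecognised definitions version: {version!r}")


def parse(version):
    """Turn a version string into a tuple that sorts in release order.

    Revision letters are assumed to count a..z, then aa, ab, ... so they are
    ordered by length first and alphabetically second ('z' < 'aa').
    """
    v = version.strip().lower()
    m = _SHORT_RE.match(v)
    if m:
        letters = m.group(2)
        return ("short", int(m.group(1)), len(letters), letters)
    m = _EXTENDED_RE.match(v)
    if m:
        month, day, year, rev = (int(g) for g in m.groups())
        return ("extended", date(year, month, day), rev)
    raise ValueError(f"unrecognised definitions version: {version!r}")


def is_at_least(installed, minimum):
    """True when `installed` is the same as or newer than `minimum`.

    Both strings must use the same form: the mapping between the short
    sequence number and the extended date is not documented on the page,
    so the two schemes are deliberately not interconverted here.
    """
    a, b = parse(installed), parse(minimum)
    if a[0] != b[0]:
        raise ValueError("cannot compare a short-form version with an extended-form one")
    return a >= b


def check(installed):
    """Human-readable verdict for the version LiveUpdate reports."""
    minimum = MIN_SHORT if form(installed) == "short" else MIN_EXTENDED
    if is_at_least(installed, minimum):
        return f"definitions {installed}: UPX heuristic present (>= {minimum})"
    return f"definitions {installed}: OLDER than {minimum}, run LiveUpdate"


if __name__ == "__main__":
    # Constructed sample versions around the threshold.
    for v in ("70209ae", "70209af", "70210a", "2/9/2005 rev. 31", "2/10/2005 rev. 3"):
        print(check(v))
```

Feed `check()` the version string shown in the product's "About" dialog; a version older than the quoted threshold means the scanner still lacks the heuristic and LiveUpdate has not yet pulled the fix.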



Older, unsupported versions of Symantec Anti-Virus may not have updates available. You may be able to work around the vulnerability by disabling compressed-file scanning, but that also stops the scanner from looking inside archives at all, so it should only be a temporary fix until you can upgrade.


Microsoft patch set: NVidia, rebooting



Dmitriy noted that the recent Microsoft patch block caused problems with his NVidia drivers; the system would not go beyond VGA resolution. Simply reinstalling the drivers solved the problem.



John wrote in that around 20% of his systems entered a constant reboot cycle after applying the Microsoft patch set. Here's what he said:



"It turns out that the culprit is KB885250. One of the actions the update attempts is to replace rdbss.sys. If the blue screen/rebooting problem occurs it will be because the Windows File Protection system detects the replacement of that file and restores it. Of course, the update does not work with the restored version of rdbss.sys. Hence, the blue screen/perma-reboot. The "solution" (that is, the way to get your Windows 2000 machine functioning again) is to enter Safe Mode and remove KB885250 via Add/Remove Programs. It will complain that its removal will cause problems for other updates, but if you ignore that message and click OK, your system will work again... After KB885250 has been uninstalled, it can be installed manually without incident."
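As an added example (not John's or Microsoft's code), the following script checks for the state John describes before you reboot: KB885250 registered as installed while the live rdbss.sys is byte-identical to the pre-patch copy the hotfix installer keeps for uninstall, which is exactly what a Windows File Protection restore would leave behind. The driver and KB names come from the diary; the registry keys a hotfix records itself under and the `$NtUninstallKB885250$` backup location are assumptions about the Windows 2000 hotfix layout, so adjust them if your systems differ.

```python
import hashlib
import os

KB = "KB885250"

# Assumed Windows 2000 hotfix layout (not taken from the diary): the live
# driver, and the pre-patch copy the hotfix installer leaves for uninstall.
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\WINNT")
LIVE_DRIVER = os.path.join(SYSTEM_ROOT, "system32", "drivers", "rdbss.sys")
BACKUP_DRIVER = os.path.join(SYSTEM_ROOT, f"$NtUninstall{KB}$", "rdbss.sys")

# Registry keys under HKLM where a hotfix records itself; also assumptions.
HOTFIX_KEYS = (
    rf"SOFTWARE\Microsoft\Updates\Windows 2000\SP5\{KB}",
    rf"SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\{KB}",
)

NOT_INSTALLED = "not-installed"
REVERTED = "reverted"
UNKNOWN = "unknown"
OK = "ok"


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large drivers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hotfix_registered(keys=HOTFIX_KEYS):
    """True/False on Windows; None elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return None
    for sub in keys:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub):
                return True
        except OSError:
            continue
    return False


def patched_file_reverted(live_path, backup_path):
    """True when the live driver is byte-identical to the pre-patch backup,
    i.e. the hotfix's copy has been replaced (by WFP) with the old one.
    None when either file is missing, so nothing can be concluded."""
    if not (os.path.isfile(live_path) and os.path.isfile(backup_path)):
        return None
    return sha256_of(live_path) == sha256_of(backup_path)


def diagnose(live_path=LIVE_DRIVER, backup_path=BACKUP_DRIVER, registered=None):
    """Combine the registry and file checks into one verdict constant."""
    if registered is None:
        registered = hotfix_registered()
    if registered is False:
        return NOT_INSTALLED
    reverted = patched_file_reverted(live_path, backup_path)
    if reverted is None:
        return UNKNOWN
    return REVERTED if reverted else OK


ADVICE = {
    NOT_INSTALLED: f"{KB} is not registered; nothing to do.",
    REVERTED: (f"{KB} is registered but rdbss.sys matches the pre-patch copy: "
               "WFP restored it. Expect the reboot loop; boot Safe Mode, remove "
               f"{KB} via Add/Remove Programs, then reinstall it manually."),
    UNKNOWN: f"no uninstall backup found for {KB}; cannot tell whether rdbss.sys was reverted.",
    OK: f"{KB} is registered and rdbss.sys differs from the pre-patch copy.",
}

if __name__ == "__main__":
    print(ADVICE[diagnose()])
```

Note the asymmetry: a hash match with the uninstall copy is strong evidence the patched driver was put back, but a mismatch only says the file is not the uninstall copy. WFP restores from the dllcache directory, so if that cache held yet another build the driver could be wrong without matching the backup; treat `OK` as "not reverted to the uninstall copy", not as proof the patch applied cleanly.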


Recent IDS deployment



In the recent past I've been fortunate enough to be able to deploy various network detection technologies. Having spent the last 5 years working with these technologies, I've seen them grow and change (for better or worse). I've deployed both IDS and a new IPS, and it should be getting better, right?



That being said, I recently had the opportunity to re-deploy a commercial IDS system into our environment. And let me tell you, coming from working with Snort and other vendors' products, this is by far the most cumbersome deployment I've seen to date. It wanted things like an IP assigned to the monitoring interface, wanted to have RMON control over the switch, etc. Before building this system I took it out of operation, and now I can see why the "previous system administrators" had it set up the way they did. If you didn't know better, it would seem OK to assign the IP to the monitoring interface.



Where is this story going? Well, you need to do research before buying a product. There are several resources out there; one I personally like is the NSS Group's reports: http://www.nss.co.uk. Also, "Corporate" may not always know the best product for your own environment. They may have only struck a deal with the leading vendors, but you can always challenge this.



Again, do your research, plan, and if all else fails use SNORT ;-)



The views expressed here are those of the handler, and do not reflect the views of the ISC.
