[14211] in bugtraq


Re: NAI/McAfee Viruscan Engine does not scan .VBS files by defau

daemon@ATHENA.MIT.EDU (Nick FitzGerald)
Thu Mar 9 00:20:32 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id:  <200003081136.AAA09391@fep3-orange.clear.net.nz>
Date:         Thu, 9 Mar 2000 00:30:49 +1200
Reply-To: nick@virus-l.demon.co.uk
From: Nick FitzGerald <nick@VIRUS-L.DEMON.CO.UK>
X-To:         Bram Kerkhof <mcafee-bugs@BUGTRAQ.E-WARENESS.BE>,
              BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <SAK.2000.03.07.abkdnrir@dilbert>

> SYNOPSIS
> The default NAI/McAfee Viruscan Engine configuration does not
> include .VBS in the list of program file extensions, thereby
> skipping .VBS files when scanning. The VBS/Freelink virus and
> possible other viruses could go undetected.
<<snip>>
> SUMMARY
> Recently, an employee at our company got infected with the
> VBS\Freelink virus. Since we have Total Virus Defense, and have
> viruscan engines on our mail servers, file servers and client
> machines, we were quite surprised to have trouble with a virus that
> has been in the NAI DAT files since 07/07/1999 (DAT version 4035).
>
> A quick check told us that the default settings scan "only program
> files", and that the .VBS extension was not included in the default
> list of program extensions. Therefore, VBS files are skipped during
> scans. The only way to update this is by adding the VBS extension
> manually to the list of extensions in the client.
>
> We have contacted Network Associates Support about this February 12,
> and have been in touch with them multiple times. There seems to be
> some confusion about the problem at the support desk.

Posting this to a "bug" list seems a tad OTT.

This is a long-standing issue/problem with antivirus software.  A new
infection mechanism is found that renders previously non-target file
types potential targets.  Sometimes these are incredibly arcane and
the scope of the possible infection scenario extremely limited with
perhaps the feeble proof-of-concept virus encompassing the extent of
the likely threat (an example from recent years is the Windows
INF-scripting virus -- hardly grounds for the addition of INF files
to the default "files to scan" extension/type list).

The biggest "issue" here is that AV software is inherently
data-driven.  It is no news to the readers of this list that if you
don't keep your scanner's DAT/DEF/whatever files up-to-date your
scanner rapidly becomes obsolete.  Oddly, in such a data-driven
field, issues such as keeping virus scanner configurations up-to-date
because "wise" default configuration options change due to the
appearance of new virus types have not been dealt with in the same
way.  The "data" that you should add new file types to your config is
dispersed poorly and incompletely, depending on the user stumbling
across it rather than having it arrive and be acted upon automatically at
the place where it is most needed.

I've written about this issue several times and have explicitly
suggested to several developers that an "intelligent updater" option
for program settings is as necessary as the technology they have
developed to get millions upon millions of desktop scanners' virus
detection databases updated every few days/weeks.  That the AV
developers have faced a rapidly increasing list of default file types
to be concerned with over the last three years and seem to have
mostly ignored this issue makes us cynics wonder whose interests they
really hold uppermost...

> WORKAROUND
> Two possible solutions:
> - Add the .VBS extension to the list of program file extensions in
>   the on-access monitor, and the viruscan program... Keep in mind that
>   different viruscan programs have their own lists!
> - Select "Scan All Files"

In modest-sized networks, the use of the management tools should make
automating this very easy...


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
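As an added illustration (not code from the original post, and not NAI/McAfee code), the following Python model shows why a "scan only program files" policy silently passes over .VBS files, how each of the two workarounds quoted above closes the gap, and the kind of configuration audit that a management console script or the "intelligent updater" Nick argues for would run against every client. The extension list used as the default is constructed for the example and is not the product's real default; the file names are constructed as well.

```python
"""Model of an extension-driven scan policy and a configuration audit.

Added example for the thread above, not NAI/McAfee code. The default
extension list and the sample paths are constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed stand-in for a "program files only" list that, like the
# default described in the thread, omits VBS.
DEFAULT_PROGRAM_EXTENSIONS = frozenset({"EXE", "COM", "DLL", "SYS", "DOC", "XLS"})

# Extensions the thread says a scanner must cover to see VBS/Freelink.
REQUIRED_EXTENSIONS = frozenset({"VBS"})


@dataclass
class ScanPolicy:
    scan_all_files: bool = False                      # workaround 2
    program_extensions: frozenset = DEFAULT_PROGRAM_EXTENSIONS

    def should_scan(self, path: str) -> bool:
        """Return True if the engine would open this file at all."""
        if self.scan_all_files:
            return True
        # Windows filenames are case-insensitive, so compare uppercased.
        ext = PureWindowsPath(path).suffix.lstrip(".").upper()
        return ext in self.program_extensions

    def with_extensions(self, *extra: str) -> "ScanPolicy":
        """Workaround 1 from the thread: add extensions to the list."""
        added = {e.lstrip(".").upper() for e in extra}
        return ScanPolicy(self.scan_all_files, self.program_extensions | added)


def audit_policy(policy: ScanPolicy, required: frozenset = REQUIRED_EXTENSIONS) -> set:
    """Return the required extensions this policy would skip (empty set = OK).

    This is the check a management-console script would run against each
    client's settings, so the config gap is found before an infection is.
    """
    if policy.scan_all_files:
        return set()
    return set(required) - set(policy.program_extensions)


def skipped_files(policy: ScanPolicy, paths) -> list:
    """List the paths this policy never hands to the engine."""
    return [p for p in paths if not policy.should_scan(p)]


# Constructed sample file names, including a mixed-case variant.
SAMPLE_PATHS = [
    r"C:\Temp\script.VBS",
    r"C:\Temp\login.vbs",
    r"C:\Temp\Setup.Exe",
    r"C:\Temp\readme.txt",
]

if __name__ == "__main__":
    default = ScanPolicy()
    print("missing from default list:", audit_policy(default))
    print("skipped under default:", skipped_files(default, SAMPLE_PATHS))
    fixed = default.with_extensions(".vbs")
    print("missing after adding VBS:", audit_policy(fixed))
    print("skipped after adding VBS:", skipped_files(fixed, SAMPLE_PATHS))
    print("skipped with scan-all:", skipped_files(ScanPolicy(scan_all_files=True), SAMPLE_PATHS))
```

Note that `audit_policy` is what makes the fix automatable: run it across every client's exported settings and the list of machines still missing VBS falls out directly, which is the "modest-sized networks" case Nick mentions. Also note the last point in the quoted workaround: the on-access monitor and the on-demand scanner keep separate lists, so the audit has to be run against each policy object, not just one.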
