Red Alert - Symantec Leaves Customers Exposed

Thread starter: Admin

This afternoon our gateway virus alarm indicated an outbreak of the
MY_DOOM.F virus. We received and are still receiving very high volumes as
of 19:20 CST 02/23/04. We do not use Symantec products at the gateway
level but do on some desktops. Just out of curiosity, we pointed Norton
Antivirus 2003 at the gateway virus containment folder and guess what?
Norton Antivirus didn't pick up on the MY_DOOM.F.

Symantec's website revealed that they knew about this virus as of 02/20/04.
They further state that MY_DOOM.F will be in the LiveUpdate package as of
02/25/04. The current virus definitions that are retrieved by LiveUpdate
are 02/18/04. They also state that LiveUpdates are released on Wednesdays.
Handy info for those releasing viruses into the wild.

What's the point of LiveUpdate checking for new definitions every 4 hours if
they aren't going to release virus definitions in a timely fashion? I know
that you can manually download new definitions ahead of LiveUpdate but I bet
a significant number of people just depend on LiveUpdate. Anyway, this may
explain the outbreak that we are seeing.

After writing the above post, I see that they have now released a 02/23/04
LiveUpdate versus 02/25/04 as of a few hours ago. Too late, the horse is
already out of the barn and they're trying to cover their butt and hoped
nobody noticed.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
 
No anti-virus software is perfect and they all offer the foolish customer a
false sense of security.

AV SOFTWARE CANNOT REPLACE COMMON SENSE AND GOOD OPERATING PRACTICE.
 
Admin said:
This afternoon our gateway virus alarm indicated an outbreak of the
MY_DOOM.F virus. We received and are still receiving very high volumes as
of 19:20 CST 02/23/04. We do not use Symantec products at the gateway
level but do on some desktops. Just out of curiosity, we pointed Norton
Antivirus 2003 at the gateway virus containment folder and guess what?
Norton Antivirus didn't pick up on the MY_DOOM.F.

Symantec's website revealed that they knew about this virus as of 02/20/04.
They further state that MY_DOOM.F will be in the LiveUpdate package as of
02/25/04. The current virus definitions that are retrieved by LiveUpdate
are 02/18/04. They also state that LiveUpdates are released on Wednesdays.
Handy info for those releasing viruses into the wild.

What's the point of LiveUpdate checking for new definitions every 4 hours if
they aren't going to release virus definitions in a timely fashion? I know
that you can manually download new definitions ahead of LiveUpdate but I bet
a significant number of people just depend on LiveUpdate. Anyway, this may
explain the outbreak that we are seeing.

After writing the above post, I see that they have now released a 02/23/04
LiveUpdate versus 02/25/04 as of a few hours ago. Too late, the horse is
already out of the barn and they're trying to cover their butt and hoped
nobody noticed.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
Additionally, "Guess What" the still mime encoded version of the virus
is not the same as the not-mime encoded version and requires an "enc" or
encoded detection in order to detect it. As far as the version of the
virus in the gateway folder goes, it is just plain text until it is
interpreted by an email client... silly rabbit.
 
They also state that LiveUpdates are released on Wednesdays.
Handy info for those releasing viruses into the wild.

I doubt that they even care what day of the week certain
AV products make their new detection definitions available
to the public. They know that there is *always* enough
lag time to exploit.
What's the point of LiveUpdate checking for new definitions every 4 hours

Just in case something new is available ~ if it doesn't check, how
can it know? If you think that that is unnecessarily frequent, then
go ahead and have it check every Thursday.
if they aren't going to release virus definitions in a timely fashion?

Every Wednesday *is* in a timely fashion (specifically ~ weekly).
I know that you can manually download new definitions ahead of
LiveUpdate but I bet a significant number of people just depend
on LiveUpdate.

"Some people" just depend on blind luck too, there's just no
helping "some people". Automatic updates are just the AV
vendor's way of catering to the laziness of "some people".
If the automatic update feature weren't available then more
people would have to learn safe practices and take a more
active part in the security of their system.
Anyway, this may explain the outbreak that we are seeing.

I don't really think so. No matter how fast the new definitions
are promulgated, there is always sufficient time for an outbreak.
I suppose that if they pushed harder for quicker dissemination
they would run an even greater risk of having false positives
cause even more problems than those caused by the malware itself.
After writing the above post, I see that they have now released a 02/23/04
LiveUpdate versus 02/25/04 as of a few hours ago. Too late, the horse is
already out of the barn and they're trying to cover their butt and hoped
nobody noticed.

People shouldn't *depend* on AV as much as they do, but I
suppose in your case it can't be helped. Many people have a
tough job to do when they are responsible for the actions of
others. It is easier to implement an AV than it is to ensure that
all end users have a clue.
 
Actually, the files removed by the gateway virus scanner are not plain text,
they're mostly zip files. The new Symantec virus definitions now see the
stripped attachments as MY_DOOM.F. The point of this post is that although
LiveUpdate checks for new definitions every 4 hours, it doesn't do you much
good if Symantec waits 4 days and after the outbreak to release the
definitions. Yes, Symantec makes definitions available via the manual
Intelligent Updater before they do LiveUpdate but your average user isn't
going to check Symantec's Security Response page for current threats.
Bottom Line? Symantec dropped the ball on this one and it won't be the
last.
 
FromTheRafters said:
I doubt that they even care what day of the week certain
AV products make their new detection definitions available
to the public. They know that there is *always* enough
lag time to exploit.
True. But with Symantec's market share on the desktop, the day after the
release of the new definitions would be a good time to release a new virus.
They had a detailed writeup on this one on 02/20/04 and didn't release
definitions via LiveUpdate until 02/24/04. We detected the outbreak on
02/23/04.
Just in case something new is available ~ if it doesn't check, how
can it know? If you think that that is unnecessarily frequent, then
go ahead and have it check every Thursday.

The point is, if LiveUpdate checks every 4 hours, you'd think they would
release updates more than once a week. Especially considering how fast
these new worms are spreading.
Every Wednesday *is* in a timely fashion (specifically ~ weekly).

I suppose the 1st of every month would be in a timely fashion in the
strictest sense of the language but weekly or monthly is not very effective
for stopping fast spreading worms.
"Some people" just depend on blind luck too, there's just no
helping "some people". Automatic updates are just the AV
vendor's way of catering to the laziness of "some people".
If the automatic update feature weren't available then more
people would have to learn safe practices and take a more
active part in the security of their system.

Amen.


I don't really think so. No matter how fast the new definitions
are promulgated, there is always sufficient time for an outbreak.
I suppose that if they pushed harder for quicker dissemination
they would run an even greater risk of having false positives
cause even more problems than those caused by the malware itself.

I think I'd rather have an innocent attachment quarantined instead of facing
several hundred infected desktop computers.
People shouldn't *depend* on AV as much as they do, but I
suppose in your case it can't be helped. Many people have a
tough job to do when they are responsible for the actions of
others. It is easier to implement an AV than it is to ensure that
all end users have a clue.

Actually, in the past, we have stripped all attachments that have the
potential to carry a viral payload and we may now do the same for zip files.
This policy has reduced our exposure to fast moving worms but users tend to
spit at the IT staff. All stripped attachments that are related to our
business are made available to the intended recipient after determining that
it is clean. About 97% of these attachments are just crap in the final
analysis. For what it's worth, we have NEVER been infected by a virus or
worm.
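Two gateway-side points raised earlier in this thread can be shown in working code: the observation that the MIME-encoded copy of an attachment is not the same bytes as the decoded file, so a scanner has to decode MIME parts before matching, and the policy of stripping attachments that could carry a payload (now including zip files) and holding them for review. The block below is an added example written for this page; it is not code from any participant in the thread or from any Symantec product. The signature string, the risky-extension list, the addresses, the message and the zip contents are all constructed test data.

```python
import email
import io
import zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from pathlib import PurePosixPath

# Constructed stand-in for a detection signature (the real-world analogue is
# the EICAR test string). The '-' characters can never occur in base64 text,
# which is exactly why a raw-text scan of the message cannot see it.
SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE-NOT-A-REAL-THREAT"

# Assumed policy list of extensions treated as potential payload carriers.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def make_zip(members):
    """Build an in-memory zip from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed attachments: a benign text file, a text file carrying the
# signature, a double-extension executable, a harmless zip, a zip with an
# executable inside.
SAMPLE_ATTACHMENTS = [
    ("report.txt", b"quarterly numbers, nothing to see"),
    ("payload.txt", b"plain text until decoded: " + SIGNATURE),
    ("invoice.pdf.exe", b"MZ constructed stub"),
    ("photos.zip", make_zip([("holiday.jpg", b"\xff\xd8constructed")])),
    ("bad.zip", make_zip([("setup.exe", b"MZ constructed stub")])),
]


def build_message(attachments):
    """Assemble a multipart message; MIMEApplication base64-encodes each file,
    so the raw message holds encoded, not original, attachment bytes."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.invalid"  # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.attach(MIMEText("see attached"))
    for name, data in attachments:
        part = MIMEApplication(data, Name=name)
        part["Content-Disposition"] = f'attachment; filename="{name}"'
        msg.attach(part)
    return msg.as_bytes()


def raw_scan(raw):
    """Match against the raw message exactly as a gateway folder stores it."""
    return SIGNATURE in raw


def decoded_scan(raw):
    """Decode every MIME part before matching; return the hit filenames."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        if SIGNATURE in (part.get_payload(decode=True) or b""):
            hits.append(part.get_filename() or part.get_content_type())
    return hits


def is_risky(name, data, block_all_archives=False):
    """Policy decision for one attachment (or one member of an archive)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if any(s in RISKY_EXTENSIONS for s in suffixes):  # catches invoice.pdf.exe too
        return True
    if suffixes and suffixes[-1] == ".zip":
        if block_all_archives:
            return True
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # members are judged by name; nested archives end up held
                return any(is_risky(m, b"") for m in zf.namelist())
        except zipfile.BadZipFile:
            return True  # an archive that cannot be read cannot be checked
    return False


def apply_policy(raw, block_all_archives=False):
    """Strip risky attachments from a top-level multipart message, replacing
    each with a notice; returns (clean message bytes, held filenames)."""
    msg = email.message_from_bytes(raw)
    kept, held = [], []
    for part in msg.get_payload():
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        if name and is_risky(name, data, block_all_archives):
            held.append(name)
        else:
            kept.append(part)
    for name in held:
        kept.append(MIMEText(f"Attachment {name!r} removed by gateway policy; held for review."))
    msg.set_payload(kept)
    return msg.as_bytes(), held


def attachment_names(raw):
    """Filenames of the attachments still present in a message."""
    return [p.get_filename() for p in email.message_from_bytes(raw).walk() if p.get_filename()]
```

Running `raw_scan` on `build_message(SAMPLE_ATTACHMENTS)` finds nothing, while `decoded_scan` flags `payload.txt`; `apply_policy` holds `invoice.pdf.exe` and `bad.zip` by default, and `photos.zip` as well once `block_all_archives=True` mirrors the "strip all zips" decision. The two checks complement each other: the extension policy needs no signature at all, and the decoded scan still catches content in files the policy considers safe by extension.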
 
Actually, the once a week update is moot anyway, since whenever there is a
virus rated 3 or higher, a live update is released that day. In the case of
Mydoom.F, it was only rated a 2 until yesterday. Once enough reports were
received and it was upgraded, the live update was released on the 23rd.
 
Hurricane Andrew said:
Actually, the once a week update is moot anyway, since whenever there is a
virus rated 3 or higher, a live update is released that day. In the case of
Mydoom.F, it was only rated a 2 until yesterday. Once enough reports were
received and it was upgraded, the live update was released on the 23rd.

Must have been after midnight because I tried to download it late on the
23rd, but that is irrelevant. I just wonder how many of Symantec's customers
were infected because they sat on this one for 4 days. These new worms are
spreading fast and this practice is no longer acceptable.

When Grandma is connected to a broadband connection and she gets a worm from
her Grandchildren, she's gonna open it and spew to the world. Maybe if
LiveUpdate, which phones home every 4 hours, was fed some new definitions a
couple of days earlier such outcomes could be avoided.
 
Admin said:
This afternoon our gateway virus alarm indicated an outbreak of the
MY_DOOM.F virus. We received and are still receiving very high volumes as
of 19:20 CST 02/23/04. We do not use Symantec products at the gateway
level but do on some desktops. Just out of curiosity, we pointed Norton
Antivirus 2003 at the gateway virus containment folder and guess what?
Norton Antivirus didn't pick up on the MY_DOOM.F.

Symantec's website revealed that they knew about this virus as of 02/20/04.
They further state that MY_DOOM.F will be in the LiveUpdate package as of
02/25/04. The current virus definitions that are retrieved by LiveUpdate
are 02/18/04. They also state that LiveUpdates are released on Wednesdays.
Handy info for those releasing viruses into the wild.

What's the point of LiveUpdate checking for new definitions every 4 hours if
they aren't going to release virus definitions in a timely fashion? I know
that you can manually download new definitions ahead of LiveUpdate but I bet
a significant number of people just depend on LiveUpdate. Anyway, this may
explain the outbreak that we are seeing.

After writing the above post, I see that they have now released a 02/23/04
LiveUpdate versus 02/25/04 as of a few hours ago. Too late, the horse is
already out of the barn and they're trying to cover their butt and hoped
nobody noticed.
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Before you start bloating some BS: Next time use intelligent-updater instead
of live-updater.
http://tinyurl.com/3esed
 
Before you start bloating some BS: Next time use intelligent-updater instead
of live-updater.
http://tinyurl.com/3esed

If you would have bothered to read the post, you would have seen that I
mentioned manual updating, i.e. Intelligent-Updater. The point of the post
appears to have escaped you entirely.
 
Admin said:
[snip]
I don't really think so. No matter how fast the new definitions
are promulgated, there is always sufficient time for an outbreak.
I suppose that if they pushed harder for quicker dissemination
they would run an even greater risk of having false positives
cause even more problems than those caused by the malware itself.

I think I'd rather have an innocent attachment quarantined instead of facing
several hundred infected desktop computers.

I could be wrong, but I think a false positive problem could
affect more than just e-mail attachments.

....and as you said, with their desktop marketshare it could be quite
ugly.

Just look how ugly the Verisign glitch was.
Actually, in the past, we have stripped all attachments that have the
potential to carry a viral payload and we may now do the same for zip files.

I think that that would be prudent, it seems that XP's command
line allows even files with a .txt extension to be "executed". So,
even a file with a TXT extension (like a cookie) could be bad. I
don't have XP and therefore can't test what eicar.txt inside the
"cookies" directory will do when invoked, but it may make having
on-access scanning a must unless your on-demand scanning setup
considers all so-called *safe* files (by extension) to be suspect.
This policy has reduced our exposure to fast moving worms but users tend to
spit at the IT staff. All stripped attachments that are related to our
business are made available to the intended recipient after determining that
it is clean. About 97% of these attachments are just crap in the final
analysis. For what it's worth, we have NEVER been infected by a virus or
worm.

Sounds like you have a good system going there.
 
...
If you would have bothered to read the post, you would have seen that I
mentioned manual updating, i.e. Intelligent-Updater. The point of the post
appears to have escaped you entirely.

Admin,

Intelligent Updater is not limited to a manual process.

There is info at the SARC site on automating this.

I run updates automatically several times daily.


Len Agoado
(e-mail address removed)
 
FromTheRafters said:
[snip]
I don't really think so. No matter how fast the new definitions
are promulgated, there is always sufficient time for an outbreak.
I suppose that if they pushed harder for quicker dissemination
they would run an even greater risk of having false positives
cause even more problems than those caused by the malware itself.

I think I'd rather have an innocent attachment quarantined instead of facing
several hundred infected desktop computers.

I could be wrong, but I think a false positive problem could
affect more than just e-mail attachments.

...and as you said, with their desktop marketshare it could be quite
ugly.

Just look how ugly the Verisign glitch was.
Actually, in the past, we have stripped all attachments that have the
potential to carry a viral payload and we may now do the same for zip
files.

I think that that would be prudent, it seems that XP's command
line allows even files with a .txt extension to be "executed". So,
even a file with a TXT extension (like a cookie) could be bad. I
don't have XP and therefore can't test what eicar.txt inside the
"cookies" directory will do when invoked, but it may make having
on-access scanning a must unless your on-demand scanning setup
considers all so-called *safe* files (by extension) to be suspect.
This policy has reduced our exposure to fast moving worms but users tend to
spit at the IT staff. All stripped attachments that are related to our
business are made available to the intended recipient after determining that
it is clean. About 97% of these attachments are just crap in the final
analysis. For what it's worth, we have NEVER been infected by a virus or
worm.

Sounds like you have a good system going there.

We began blocking all zip files as of 16:00 CST today. This most likely
will be permanent. My IT junior staff will now have to separate the good
from the bad.
 
Leonard Agoado said:
...


Admin,

Intelligent Updater is not limited to a manual process.

There is info at the SARC site on automating this.

I run updates automatically several times daily.


Len Agoado
(e-mail address removed)

It's the lay person connected to a broadband connection that I'm concerned
about. Your average Joe goes to WalMart, buys Norton Anti-Virus in good
faith, installs it and expects to be protected. When he and tens of
thousands of others get burned due to slow definition releases, it's my
bandwidth that suffers.
 
Intelligent Updater is not limited to a manual process.

There is info at the SARC site on automating this.

I run updates automatically several times daily.

I'd appreciate you explaining how you automate the update. Since they
change the filename for each release I have to access the site manually
to initiate the download. I've tried using wget with wildcards but have
not been successful.

Thanks.
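The obstacle described in the post above, a release filename that changes every time so a fixed URL or a wildcard download does not work, is handled in the added example below by reading the vendor's directory listing, picking the newest name by the date and sequence embedded in it, skipping the run when nothing newer than the last applied release exists, and checking the download against a published checksum before it is run. This is illustrative code written for this page, not the poster's script and not a Symantec tool; the listing markup, the `date-sequence-i32.exe` naming pattern, the `sha256  filename` checksum format and the sample blob are all assumptions, constructed so the block runs offline.

```python
import hashlib
import re
from datetime import datetime

# Assumed release naming: 8-digit date, 3-digit sequence, platform tag.
NAME_RE = re.compile(r"\b(\d{8})-(\d{3})-i32\.exe\b")

# Constructed directory listing; each name appears twice (href and link text).
SAMPLE_LISTING = """<html><body><h1>Index of /definitions</h1><pre>
<a href="20040218-016-i32.exe">20040218-016-i32.exe</a>  18-Feb-2004
<a href="20040223-010-i32.exe">20040223-010-i32.exe</a>  23-Feb-2004
<a href="20040223-011-i32.exe">20040223-011-i32.exe</a>  23-Feb-2004
<a href="readme.txt">readme.txt</a>
</pre></body></html>"""

# Constructed definitions blob and a checksum file in "sha256  name" form
# (assumed format; a vendor's real publication format may differ).
SAMPLE_DEFS = b"constructed definitions payload, not a real update"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_DEFS).hexdigest() + "  20040223-011-i32.exe\n"


def release_key(name):
    """(date, sequence) embedded in a filename, or None if the name does not
    fit the pattern or its date part is not a real calendar date."""
    m = NAME_RE.search(name)
    if not m:
        return None
    try:
        datetime.strptime(m.group(1), "%Y%m%d")
    except ValueError:
        return None
    return (m.group(1), m.group(2))


def pick_latest(listing_text):
    """Newest filename referenced anywhere in a listing (HTML or plain text)."""
    best = None
    for m in NAME_RE.finditer(listing_text):
        key = release_key(m.group(0))
        if key and (best is None or key > best[0]):
            best = (key, m.group(0))
    return best[1] if best else None


def plan_update(listing_text, last_applied):
    """Name to fetch, or None when the listing has nothing newer than the
    release recorded after the previous successful run."""
    latest = pick_latest(listing_text)
    if latest is None:
        return None
    if last_applied is None or release_key(last_applied) is None:
        return latest
    return latest if release_key(latest) > release_key(last_applied) else None


def verify_checksum(data, published_sums, name):
    """True only when the published list names this file and the digest matches;
    an unlisted file or a mismatch means the download must not be run."""
    for line in published_sums.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == name:
            return hashlib.sha256(data).hexdigest() == parts[0].lower()
    return False
```

The network steps are deliberately outside the block: fetch the listing and the chosen file with `urllib.request.urlretrieve` or `wget -O`, call `verify_checksum` on the bytes, run the installer only if it returns True, and then record the name as `last_applied` for the next scheduled run. Comparing on the parsed (date, sequence) key rather than on whole-string order keeps the logic correct if the tag or extension part of the name ever changes, and the checksum gate matters because an update fetched automatically and executed with administrative rights is itself a supply-chain risk if the download is wrong or tampered with.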
 
Admin said:
If you would have bothered to read the post, you would have seen that I
mentioned manual updating, i.e. Intelligent-Updater. The point of the post
appears to have escaped you entirely.

Fair enough, I reacted to your initial post and didn't read your
follow-ups.
Nevertheless you are trying to put the problem at NAV and this doesn't
seem fair to me.
They offer two different update choices, depending on your needs.
Bear in mind that only a very small amount of infections are due to PCs
with weekly updated AVs.
I am online 24/7 and hardly ever catch a positive from my AV, McAfee Pro.
For those at risk like in the article I already mentioned it is better to
practise safe hex and update daily.
http://tinyurl.com/3esed

Still, most damage (99%) is done by unprotected or ill-protected systems and admins
with poor knowledge of their profession regarding safety (open proxies).

Don't take it too personally.
 
One of my clients still runs Netware 4.11 file servers. This is the only way to
keep their SAV Corp up to date as they don't have any other servers (okay, you
can *g* now). One of the workstations is scheduled to run a scripted download
and quiet update twice a day against the main server. Everything else gets
updated from there automatically.
 
I noticed last Friday (2-20), that NAV announced a few new viruses. And
also mentioned that they would be updated on Monday. (You see, they don't
work on weekends. And I can also safely assume that they are in a hurry to
get out the door on Fridays. )

That is when I decided to investigate new antivirus programs. I even sent
NAV an email that has gone unanswered as of yet.

Their intelligent updates can be downloaded M-F at the end of the business
day. And I feel compelled to get them everyday. But what about my
teenager's computer? Yikes!!!! I had to shut down her network access to my
computer since she won't update every day.

Ceily
 