Andrew Berges

Configuration Manager, Security, and other musings from a self-confessed IT geek.
VirusScan Enterprise 8.7i: Enabling Artemis for On-Access Protection

Are you testing or using VirusScan Enterprise 8.7i in your enterprise?  Do you use ePolicy Orchestrator 4.0?  Are you considering implementing Artemis for On-Access scanning?

If so, then you've probably read this McAfee KB already:

<quote>
 
To enable Artemis Technology in VSE 8.7i using ePO 4.0:

On-Access Scan policy (Patch 1 for VSE 8.7i required):

  1. Launch ePO and click the Systems tab.
  2. Click the Policy Catalog tab and select VirusScan Enterprise 8.7.0 On Access Scan Policy.
  3. Select to edit the policy for Server or Workstation.
  4. Select the Scan Items tab and under Heuristic network check for suspicious files, select the Sensitivity level.
  5. Save the policy.

 <endquote>

Unfortunately, the instructions don't work. There's no such policy as the "On Access Scan Policy" -- it simply doesn't exist.

Perhaps you thought that the information in the KB was a typo, and you'd simply find it under "On-Access Default Process Policies", but you won't.  It is still missing.

After tinkering, you determine that you need not only to check in VSE 8.7i as a package, but also to unzip the archive and install the new VSE 8.7i policies and reports as extensions.  Also, make sure to do the same with VSE 8.7i Patch 1 for the VSE policy zip, and then again with VSE 8.7i including Patch 1 (the VSE policy included there is a slight increment above the one installed by Patch 1).

You've done all this, right?

Nope, it's still not under "On-Access Default Process Policies".  The manual has a typo, and you'll actually find it under "On-Access General Policies" under "General - Heuristic network check for suspicious files".

Now that I've gone through the process, I thought this information might be of use to the community.  I'll be sure to write my opinions of Artemis in the near future after adequate testing.


VIPRE Enterprise Build 3.1.2986 Released

Sunbelt is pleased to announce that VIPRE Enterprise 3.1.2986 is now available. Server version 3.1.2986 ships with agent version 3.1.2434. To upgrade, simply download and run the latest installer: http://go.sunbeltsoftware.com/?linkid=1154.

Here is a list of the features and fixes that were added:

Server version 3.1.2986:

1. Added support for true Windows Authentication to the Console. No longer need to type in a separate user name and password.

2. Added Agent Version to Manual Deployment wizard screen.

3. Fixed bug in SQL db creation script that resulted in data not being listed in reports for buffers, archives and rootkits in certain use cases.

4. After selecting Scan Archive, if the user performed another action, the Scan Archive setting would be lost.

Agent version 3.1.2434:

1. Removed the ability of the user to turn balloons on and off in the agent.

2. Fix in xml serializer to prevent service crashes.

3. Fix for the failed uninstall on a 64 bit machine.

4. Fixed the bug where working with attachments generated the "need to save" dialog.

5. Fixed the bug where the policy setting to not allow the user to control Email AV and to Turn on Email AV was not getting set properly.

6. Fixed several memory and handle leaks in the agent service.

CounterSpy Enterprise Build 3.1.2986 Released

Sunbelt is pleased to announce that CounterSpy Enterprise 3.1.2986 is now available. Server version 3.1.2986 ships with agent version 3.1.2431. To upgrade, simply download and run the latest installer: http://go.sunbeltsoftware.com/?linkid=1094

Here is a list of the features and fixes that were added:

Server version 3.1.2986:

1. Added support for true Windows Authentication to the Console. No longer need to type in a separate user name and password.

2. Added Agent Version to Manual Deployment wizard screen.

3. Fixed bug in SQL db creation script that resulted in data not being listed in reports for buffers, archives and rootkits in certain use cases.

4. After selecting Scan Archive, if the user performed another action, the Scan Archive setting would be lost.

Agent version 3.1.2431:

1. Removed the ability of the user to turn balloons on and off in the agent.

2. Fix in xml serializer to prevent service crashes.

3. Fix for the failed uninstall on a 64 bit machine.

4. Fixed the bug where working with attachments generated the "need to save" dialog.

5. Fixed several memory and handle leaks in the agent service.

McAfee Agent 4.0 Patch 1 Released

Download

McAfee KB

Resolved issues

Issues that are resolved in this release are listed below.

  1. Issue: An update dialog box appeared in English rather than the non-English language running on the system. (Reference: 389523)

Resolution: Update dialog boxes now appear in the language running on the system.

  2. Issue: When using the “/forceinstall” switch and only changing the data (/datadir=<new folder>) folder, the upgrade process did not remove the old data folder and used the new folder. (Reference: 393182)

Resolution: Now when using the “/forceinstall” switch and changing the data (/datadir=<new folder>) folder, the upgrade process removes the old data folder and uses the new folder.

  3. Issue: When the AgentEvents folder was missing, the upgrade process failed. (Reference: 393764)

Resolution: Now the upgrade process creates the AgentEvents folder when it is missing.

  4. Issue: Managed product installation routines were executed each time a deployment task ran on systems that used a language other than English. (Reference: 399232)

Resolution: Managed product installation routines now execute only when necessary.

  5. Issue: If the installation or data folder contained a double-byte character, the upgrade process failed. (Reference: 404111)

Resolution: Now the installation and data folders can contain non-English characters.

  6. Issue: When executing the VirusScan update process (mcupdate.exe) with the “/update” and “/quiet” switches, an upgrade dialog box would still be displayed. (Reference: 405004)

Resolution: The VirusScan update process now honors the “/quiet” switch.

  7. Issue: The upgrade process was checking for the existence of the “My Favorites” and “Fonts” folders. If they were not present, the upgrade failed. (Reference: 405314)

Resolution: The upgrade process no longer requires the “My Favorites” and “Fonts” folders to be present.

  8. Issue: When an error occurred during Host Intrusion Prevention policy enforcement, the system could be “locked out of the network”. (Reference: 406896)

Resolution: Now the ePolicy Orchestrator server connection information (server IP, name and port, and incoming agent wake-up port) is recorded. This allows Host Intrusion Prevention to create specific rules that allow communication to and from the ePolicy Orchestrator server, even in the absence of Host IPS policies.

  9. Issue: The name of the ePO server the system last communicated with appears in the XML log file. The value was initially blank and remained blank for a period of time after the first communication. (Reference: 407154)

Resolution: The name of the ePO server the system last communicated with now appears immediately after the last server communication.

  10. Issue: The McAfee Agent deployed managed products to Microsoft Vista or Windows Server 2008 that were not supported on these platforms. (Reference: 408989)

Resolution: Managed products are now deployed only to their supported platforms.

  11. Issue: The Mirror task created a duplicate repository, but it failed to copy the sitestat.xml file. This caused the duplicate repository to remain disabled. (Reference: 409637)

Resolution: The Mirror task now copies the sitestat.xml file to the duplicated repository.

  12. Issue: During a managed product update, a dialog box could be presented requesting a system reboot. The dialog box asked the user if they wanted to reboot now and rebooted the system even when the user selected “No”. (Reference: 410573)

Resolution: The managed product update process now honors the user's selected reboot response.

  13. Issue: Certain dates, such as leap years, were recorded incorrectly in the agent_<machinename>.xml log file. (Reference: 413415)

Resolution: All dates are now recorded correctly in the agent_<machinename>.xml log file.

  14. Issue: The McAfee Agent only updated the VirusScan engine if the minor version was newer than what was installed. This prevented the VirusScan engine from updating to a newer build of the same version. (Reference: 414065)

Resolution: The McAfee Agent now supports build-to-build VirusScan engine updates.

  15. Issue: The installation and upgrade processes failed if the data folder was located in the “Windows” or “WinNT” folders. (Reference: 415578)

Resolution: Now the installation and upgrade processes allow the data folder to be located in the “Windows” or “WinNT” folders with the exception of the system32 folder. The installation and upgrade processes prohibit the data folder from including the system32 folder.

  16. Issue: Some non-McAfee product installation routines removed critical registry entries, such as the Windows IStream COM registration, causing the McAfee Agent to fail. (Reference: 416298)

Resolution: The upgrade process now re-registers the ole32.dll file when it detects it is missing.

  17. Issue: The installation and upgrade processes failed if the installation or data folders contained double-byte characters. (Reference: 416559)

Resolution: The installation and upgrade processes now allow the installation and data folders to contain double-byte characters.

  18. Issue: Several install and uninstall error messages made no sense when displayed on a Japanese language system. (Reference: 418729)

Resolution: The upgrade process now displays meaningful install and uninstall error messages on a Japanese language system.

  19. Issue: On systems running VirusScan Enterprise version 8.0 the McAfee Agent did not remove the Temp files created during the execution of an “Agent Update Task”. (Reference: 419066)

Resolution: The McAfee Agent now removes the Temp files created during the execution of an “Agent Update Task”.

Note: This change does not remove the Temp files created during the execution of an "Agent Update Task" prior to implementing this patch.

  20. Issue: During Policy Enforcement, when the McAfee Agent failed to compile the policy file, the policy enforcement failed and the agent crashed on the next Policy Enforcement. (Reference: 423070)

Resolution: The McAfee Agent now detects failed Policy Enforcements and retries the policy compilation until it completes successfully.

  21. Issue: DAT updates were postponed indefinitely and the message “Update will be retried after 3 mins because update is already in progress” appeared repeatedly in the agent log file. (Reference: 424203)

Resolution: The DAT update process now terminates properly when it detects an error in an FTP transaction.

Posted: Dec 17 2008, 12:06 PM by aberges | with no comments
McAfee ePolicy Orchestrator Server 4.0 Patch 3 Released

Download

McAfee KB

Resolved issues

Issues that are resolved in this release are listed below.

  1. Issue: SuperAgent Repositories on Windows Vista and Windows 2008 systems did not appear as Distributed Repositories in the ePolicy Orchestrator console. (Reference: 371932, 405958)

Resolution: SuperAgent Repositories on Windows Vista and Windows 2008 systems now appear as Distributed Repositories in the ePolicy Orchestrator console.

  2. Issue: A synchronization point could not be created, edited, or deleted for the “My Organization” group. (Reference: 384135)

Resolution: A synchronization point for the “My Organization” group can now be created, edited, and deleted.

  3. Issue: Grouped Summary Table queries could not be ordered by label values when grouped by a version number column. For example, a group summary of managed systems grouped by group name and DAT version could not be ordered by the group name label and then by DAT version label. (Reference: 386121)

Resolution: Grouped Summary Table queries can now be ordered by the label values when grouped by a version number column.

  4. Issue: When configuring an Active Directory synchronization group, the “Browse” button for browsing and “Add” button for exceptions were disabled unless the user first selected an NT domain synchronization type. (Reference: 391830)

Resolution: The “Browse” and “Add” buttons are now enabled without having to first select an NT domain synchronization type.

  5. Issue: Active Directory synchronization failed when a synchronized folder name included a semicolon. (Reference: 392803)

Resolution: Active Directory folder names can now contain a semicolon.

  6. Issue: When viewing the system properties of a system that has never communicated with the ePolicy Orchestrator server, clicking on the “more” link resulted in a blank page. (Reference: 398952)

Resolution: Selecting the “more” link for a managed system that has never communicated with the ePolicy Orchestrator server no longer results in a blank page.

  7. Issue: Extra.DAT packages were not updated on Windows Vista or Windows 2008 Server managed systems. (Reference: 400563)

Resolution: Extra.DAT packages are now updated on Windows Vista and Windows 2008 Server managed systems.

Note: All Extra.DAT packages in the repository must be reinstalled before this change takes effect.

  8. Issue: The McAfee Agent failed to enforce Host Intrusion Protection rule policies when the rule name contained an angled bracket character. (Reference: 400808)

Resolution: The McAfee Agent now enforces Host Intrusion Protection rule policies regardless of the rule name.

  9. Issue: A client task with a “repeat starting at” schedule could have a repeat duration that was less than the repeat interval, resulting in the client task never running. (Reference: 401301)

Resolution: New or modified client tasks with a “repeat starting at” schedule must now have a repeat duration that is greater than or equal to the repeat interval.

  10. Issue: When viewing the results of a query for Events, the “Show Related Systems” action was not available. (Reference: 402250)

Resolution: The “Show Related Systems” action is now available for Event queries.

  11. Issue: Importing managed systems into the System Tree from a Unicode text file created erroneous entries in the System Tree. (Reference: 402271)

Resolution: An error message is now displayed when non-UTF-8 encoded text files are imported, and the System Tree is unaffected.

  12. Issue: An updated version of the System Compliance Profiler 2.0 extension is available. (Reference: 404381)

Resolution: Version 2.0.2.191 of the System Compliance Profiler 2.0 extension is now installed during ePolicy Orchestrator 4.0 Patch 3.

  13. Issue: Running a previous upgrade a second time, after it had been successfully installed, failed. (Reference: 405288)

Resolution: The upgrade can now be run multiple times.

  14. Issue: VirusScan DAT and Engine version information was missing on Managed System Rollup queries. (Reference: 405383)

Resolution: Managed System Rollup queries now include VirusScan DAT and Engine version information.

  15. Issue: In the ePolicy Orchestrator console, the option that uninstalls the McAfee Agent from managed systems was not supported by non-Windows agents, but it was a selectable option. When this option was selected and the agents were manually uninstalled and later reinstalled, the managed systems never reappeared in the ePolicy Orchestrator System Tree. (Reference: 405859)

Resolution: A non-Windows managed system, which successfully reinstalls the McAfee Agent after a failed agent uninstall from the ePolicy Orchestrator console, now reappears in the ePolicy Orchestrator console System Tree.

  16. Issue: An ePolicy Orchestrator 4.0 upgrade failed when the SQL Server UDP port was enabled for the initial ePolicy Orchestrator 4.0 installation and disabled before upgrading. The inverse scenario also caused the upgrade to fail. (Reference: 406814, 415166)

Resolution: The ePolicy Orchestrator 4.0 upgrade no longer fails when the SQL Server UDP port was enabled for the initial ePolicy Orchestrator 4.0 installation and disabled before upgrading. The inverse scenario has also been corrected.

  17. Issue: The Synchronization Group Agent Deployment checkbox, “Force installation over existing Version,” did not remain selected after saving the Synchronization Group and accessing it again for editing. (Reference: 410246, 426930)

Resolution: The Synchronization Group Agent Deployment checkbox, “Force installation over existing Version,” now retains the selected value.

  18. Issue: Installations in clustered server environments incorrectly set the ePolicy Orchestrator services to start “Automatically.” (Reference: 410543)

Resolution: Installations in clustered server environments now correctly set the ePolicy Orchestrator services to start “Manually.”

  19. Issue: The managed system name was truncated to a length of 14 characters on the ePolicy Orchestrator console “Systems” tab. (Reference: 410779)

Resolution: The column “DNS Name,” containing a “Fully Qualified Domain Name,” can now be selected as the managed system name on the ePO console “Systems” tab.

  20. Issue: The import policies process did not verify the ownership of the existing policies, which could result in policies being overwritten by users other than the owner. (Reference: 410917)

Resolution: The import policies process now verifies the ownership of the existing policies and prevents policies from being overwritten by users other than the owner.

  21. Issue: Changes to existing policies were not recorded in the Audit Log. (Reference: 412589)

Resolution: Changes to existing policies are now recorded in the Audit Log.

  22. Issue: The ePolicy Orchestrator Alerting extension, used by Rogue System Detection 2.0, was not localized. (Reference: 412661)

Resolution: The ePolicy Orchestrator Alerting extension is upgraded to a localized version, on ePolicy Orchestrator servers with Rogue System Detection 2.0 installed.

  23. Issue: The ePolicy Orchestrator server failed to respond if a corrupt package file was checked in. (Reference: 413466)

Resolution: The ePolicy Orchestrator server now responds correctly when a corrupt package file is checked in.

  24. Issue: Editing a client task could result in the error message “An Unexpected error occurred” being displayed in the ePolicy Orchestrator console. (Reference: 413963)

Resolution: Editing client tasks no longer results in unexpected errors.

  25. Issue: Client tasks, for managed product extensions that do not have a default policy, were not available for configuration. (Reference: 415739)

Resolution: Client tasks, for managed product extensions that do not have a default policy, are now available for configuration.

  26. Issue: An ePolicy Orchestrator 4.0 upgrade stopped installing the included managed product extensions after the first failure was discovered. (Reference: 415974)

Resolution: An ePolicy Orchestrator 4.0 upgrade now attempts to install each of the included managed product extensions, even if an error occurs during the installation of a previous managed product extension.

  27. Issue: When the ePolicy Orchestrator server did not have a “Master Agent to Server Communication Key,” the ePolicy Orchestrator 4.0 upgrade failed, leaving the ePolicy Orchestrator server in a non-functional state. (Reference: 419859)

Resolution: The ePolicy Orchestrator 4.0 upgrade now verifies the ePolicy Orchestrator server has a “Master Agent to Server Communication Key” before it starts the upgrade.

  28. Issue: An updated version of the Host Intrusion Prevention 7.0 extension is available. (Reference: 422819)

Resolution: Version 7.0.1.133 of the Host Intrusion Prevention 7.0 extension is installed during the ePolicy Orchestrator 4.0 upgrade.

  29. Issue: The “delayload.log” file could grow without limit in the root (C:\) of the ePolicy Orchestrator server. (Reference: 425738)

Resolution: The “delayload.log” file is no longer used.

Note: The ePolicy Orchestrator 4.0 upgrade process does not remove existing “delayload.log” files.

  30. Issue: Event queries could not be chained to ePolicy Orchestrator server task actions. (Reference: 427217)

Resolution: Event queries can now be chained to ePolicy Orchestrator server task actions.

  31. Issue: Server tasks could not run an event query that was chained to these actions: apply, clear, or exclude tag actions. (Reference: 427708)

Resolution: Server tasks can now run an event query chained to these actions: apply, clear, or exclude tag actions.

  32. Issue: The “View Logs” button could fail to display the correct installation log files after an ePolicy Orchestrator 4.0 upgrade failure. (Reference: 429819)

Resolution: The “View Logs” button now displays the main installation log files after an ePolicy Orchestrator 4.0 upgrade failure.

  33. Issue: An initial ePolicy Orchestrator 4.0 installation, on a system with a local MSDE database and the UDP port disabled, could result in incorrect ePolicy Orchestrator service dependencies. (Reference: 430390)

Resolution: The ePolicy Orchestrator 4.0 upgrade repairs the ePolicy Orchestrator service dependencies for systems installed with a local MSDE database and the UDP port disabled.

  34. Issue: Miscellaneous language translation and localization issues were reported. (Reference: 429847, 430581)

Resolution: The reported language translation and localization issues were addressed.

  35. Issue: An updated version of the ePolicy Orchestrator Help extension is available. (Reference: 433198)

Resolution: Version 1.0.6 of the ePolicy Orchestrator Help extension is now installed during the ePolicy Orchestrator 4.0 upgrade.

  36. Issue: Inconsistent event times would appear in the Server Task Log. (Reference: 417725)

Resolution: The problem of inconsistent event times appearing in the Server Task Log after applying patches has been fixed.

  37. Issue: Console logons using NT authentication worked only when the ePolicy Orchestrator console was located in a domain where a two-way trust existed between the console and ePolicy Orchestrator server domains. (Reference: 395894)

Resolution: Authentication support for multiple domain controllers has been added to the product. (For more information see KB article: 616709)

  38. Issue: The date formats were incorrect for the English (United Kingdom) locale. (Reference: 362588)

Resolution: A new choice of English (United Kingdom) has been added to the Language drop-down list of the ePolicy Orchestrator Logon screen.

  39. Issue: When installing managed product extensions on ePolicy Orchestrator, the installation could fail with the message: “ERROR: java.lang.OutOfMemoryError: PermGen space.” (Reference: 407724)

Resolution: The PermGen Memory allocation size has been increased to 128 MB on clean installations and upgrades. (For more information see KB article: 615843)

  40. Issue: There was a performance bottleneck when processing a large number of unrelated dashboard requests. (Reference: 407724)

Resolution: Performance has been improved to allow many users to view the dashboard.

  41. Issue: Dashboard related caching was not functioning correctly, which caused the user to see stale data. (Reference: 411646)

Resolution: Dashboard caching has been fixed so the user views the most current data.

  42. Issue: An unexpected error occurred while creating a query using a Grouped Bar Chart with Boolean types of data. (Reference: 415069)

Resolution: Grouped Bar Charts now correctly display data when using any of the supported data types.

  43. Issue: Drilling down into a chart, a user could see an unexpected error page if there was a null value in the returned time field. (Reference: 413954, 419692)

Resolution: Chart drill-down now works as expected and no longer returns an error when drilling down into null time-based reports.

  44. Issue: Some international characters caused problems in the server log details page. (Reference: 411088)

Resolution: Log entries are now correctly formatted prior to being written to the server task log.

  45. Issue: Some valid characters caused problems when user names or passwords were typed in the ePO installer. (Reference: 395890)

Resolution: The installer now accepts all valid characters for ePolicy Orchestrator user names and passwords, including all NT authentication-allowed characters.

Posted: Dec 17 2008, 12:06 PM by aberges | with no comments
McAfee Rogue System Detection 2.0 Patch 1 Released

Download

Resolved issues

Issues that are resolved in this release are listed below.

  1. Issue: Selecting the “Next Page” while viewing “Managed Machines” caused this message to be displayed: “An Unknown Error has Occurred.” (Reference: 427453)

    Resolution: Now when you view a subnet containing more than a single page of system information and you select “Next Page,” the requested information is properly displayed.

  2. Issue: The columns on the “Managed Systems for Subnet” page did not sort when selected.   (Reference: 430417)

    Resolution: Now when you select a column on the “Managed Systems for Subnet” page, the page is properly sorted.

  3. Issue: Although the Rogue System Detection Sensor deployment task would run, the Rogue System Detection Sensor was not updated. (Reference: 415191)

    Resolution: The Rogue System Detection Sensor deployment task now supports build-to-build upgrades.

  4. Issue: The “Detected Systems Details” page displayed the “Last Detected IP Address” with NULL IP addresses as “unknown error.” (Reference: 431047)

    Resolution: The “Last Detected IP Address” on the “Detected Systems Details” page now displays NULL IP addresses as “blank.”

  5. Issue: Rogue System Detection only allowed domain names of up to 16 characters in length. (Reference: 431049)

    Resolution: Rogue System Detection now allows domain names of up to 255 characters in length.

  6. Issue: The Rogue System Detection Sensor Service was incorrectly described in the “Services” pane of the “Computer Management” window. (Reference: 423608)

    Resolution: The Rogue System Detection Sensor Service is now described as “Performs broadcast and DHCP detection.”

Posted: Dec 17 2008, 12:04 PM by aberges | with no comments
McAfee Host Intrusion Prevention Server 7.0.1 Extension Released

Download

New features

New and updated features in the current release of the software are described below:

7.0.1

  • Management of version 6.1 clients from ePolicy Orchestrator 4.0 patch 1 when the 6.1 extension is installed.
  • Migration of version 6.x policies to version 7.0 by running a server task from ePolicy Orchestrator 4.0.
Posted: Dec 17 2008, 12:00 PM by aberges | with no comments
McAfee Host Intrusion Prevention Version 7.0.0 Patch 3 Released

Download

McAfee KB

New Resolved Issues

Host IPS 7.0 Patch 3 resolves a number of stability issues seen on high availability servers, domain controllers, and backup servers.  In addition, the following customer issues were also resolved:

Issue: Tivoli does not function when using Check Point VPN-1 Client when Connection Aware Group firewall rules are applied. (Reference: 425392)

Resolution: Connection Aware Group matching failed with inbound traffic with some IPSec VPNs. The Connection Aware Group matching logic was extended to handle IPSec VPN re-routing of inbound traffic to the physical adapter’s NDIS miniport instance.

Issue: Unable to connect to HTTPS server when a client is connected with T3G wireless network connection. (Reference: 414155)

Resolution: Unsolicited inbound traffic was not being matched by the Connection Aware Group.  The Host IPS Firewall will now use the IP address, instead of the MAC address, when matching traffic for Connection Aware Groups.

Issue: The Host IPS client does not block all SQL injections on a single IIS 6 server hosting multiple sites. (Reference: 419431)

Resolution: The ISAPI filter stub tracked the engine status using a single value even when multiple instances of the stub were loaded. Each ISAPI filter stub instance now tracks its respective engine status.

Issue: System stops responding or ‘hangs’ at shutdown because of incompatibility with NetMotion VPN. (Reference: 426645)

Resolution: In certain circumstances, a specific Windows API used during shutdown caused the system to stop responding. This API is no longer used during shutdown.

Issue: TCP traffic is blocked when firewall rules use short path names. (Reference: 414249)

Resolution: The firewall drivers, which failed to convert a short path name to a long form, now obtain a long form of a short path name before matching the rules.

Posted: Dec 17 2008, 11:59 AM by aberges | with no comments
SANS Internet Storm Center; Adobe Reader vulnerability exploited in the wild

Adobe Reader vulnerability exploited in the wild

Published: 2008-11-07,
Last Updated: 2008-11-07 15:54:09 UTC
by Bojan Zdrnja (Version: 1)


One of our readers, Wayne Dilly, sent a couple of malicious PDF documents to us. Wayne noticed that some machines got infected and wondered if the PDF documents exploited the vulnerability patched by Adobe a couple of days ago (CVE-2008-2992 - see http://isc.sans.org/diary.html?storyid=5282).

Unfortunately, Wayne was right – these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has recently been published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.

And indeed – at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad.

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.

Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts. For example, the PoC defines a long number variable (as referenced in the advisory by CORE), as shown below:

    var num = 129999999999999999…. [a lot of numbers]
    util.printf("%45000f",num);

However, the exploit code in the wild has the following loops:

    var nm = 12;
    for(i = 0; i < 18; i++){ nm = nm + "9"; }
    for(i = 0; i < 276; i++){ nm = nm + "8"; }
    util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);

See how they manage to do exactly the same thing? Unfortunately, this was probably enough to fool the AV vendors.
In any case, if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild.
--
Bojan
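Seen from the detection side, the diary's point is that the in-the-wild sample reaches the same util.printf argument as the PoC by building the number in loops and percent-encoding the format string, so a signature on the literal "%45000f" misses it. The Python scanner below is an added example, not code from the ISC diary or from any vendor: it normalizes split and percent-encoded literals in an extracted JavaScript stream, then flags util.printf calls whose %f field width is implausibly large and reports loops that grow a variable one digit at a time. The sample input is constructed from the loops quoted above, and WIDTH_THRESHOLD is an assumed cut-off.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the string-building loops quoted in the diary above,
# followed by a benign util.printf call so the scanner has both cases to judge.
SAMPLE_JS = r'''
var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);
util.printf("%d items", 3);
'''

# Assumption: no legitimate form script needs a %f field width anywhere near this.
WIDTH_THRESHOLD = 1000

_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')          # "a"+"b"
_UNESCAPE = re.compile(r'unescape\(\s*"([^"\\]*)"\s*\)')         # unescape("%XX..")
_PRINTF = re.compile(r'util\.printf\(\s*"([^"\\]*)"')             # first arg is a literal
_WIDTH = re.compile(r'%(\d+)f')                                   # %<width>f
_APPEND_LOOP = re.compile(
    r'for\s*\([^;]*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\{\s*'
    r'(\w+)\s*=\s*\2\s*\+\s*"(\d)"\s*;?\s*\}')                    # v = v + "<digit>"


def normalize(src):
    """Collapse "a"+"b" concatenations and decode unescape("...") calls whose
    argument is a plain literal, repeating until nothing changes so that split
    tokens reassemble. Only the %XX form is decoded; JavaScript's %uXXXX form
    and escapes that would yield a quote or backslash are out of scope here."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        src = _UNESCAPE.sub(lambda m: '"' + unquote(m.group(1)) + '"', src)
    return src


def find_suspicious_printf(src, threshold=WIDTH_THRESHOLD):
    """Return [(format_string, width)] for util.printf calls whose normalized
    format string carries a %f field width at or above threshold."""
    hits = []
    for call in _PRINTF.finditer(normalize(src)):
        fmt = call.group(1)
        for w in _WIDTH.finditer(fmt):
            width = int(w.group(1))
            if width >= threshold:
                hits.append((fmt, width))
    return hits


def find_digit_building_loops(src):
    """Return {variable: digits_appended} for loops that grow a variable one
    digit per iteration, the pattern the sample used instead of a long literal."""
    totals = {}
    for m in _APPEND_LOOP.finditer(src):
        count, var = int(m.group(1)), m.group(2)
        totals[var] = totals.get(var, 0) + count
    return totals


def assess(src):
    """Summarize both checks for one extracted JavaScript stream."""
    printf_hits = find_suspicious_printf(src)
    return {
        "suspicious_printf": printf_hits,
        "digit_loops": find_digit_building_loops(src),
        "verdict": "suspicious" if printf_hits else "clean",
    }


if __name__ == "__main__":
    # On the constructed sample: the decoded format is "%45000f" and nm grows by 294 digits.
    print(assess(SAMPLE_JS))
```

The normalization is deliberately narrow (literal-only arguments), so a sample that builds the format string through variables still needs a real JavaScript interpreter to reach the same point.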

CounterSpy Enterprise 3.1 Maintenance Release

Just posted to the web at the below URL:

http://go.sunbeltsoftware.com/?linkid=400

List of fixes below:

Enterprise Console and Service: (Agent fixes/features are further down).

1. Removed Custom Reports from UI and Service.

2. Added support for Agent Shutdown/Agent Start from Console.

3. Give the administrator the ability to Unquarantine and send to Sunbelt for Analysis.

4. Changed name of Sunbelt Software Research Center to Sunbelt Malware Research Labs.

5. Added Force Full Threat DB Update for selected agents on Agents & Policy Grid.

6. Removed Custom from Admin Known Good/Bad controls (Not necessary).

7. Allow end-user to manually edit Known Good/Bad files and folders. Also disallow the addition of invalid file names and paths and wildcards for file names.

8. Added tab in Policy for Agent Proxy settings.

9. Allow end-user to delete System Message at both Agent and System levels.

10. Added "Archives" checkbox to scanning tab in the policy.

11. Added admin ability to turn on/off On-Access file extensions from the console.

12. Fixed bug that resulted in "Rootkit Scanned" being displayed as the title for "Rootkit Found".

13. Cleaned up the Known Good/Bad file dialogs and grids.

14. Fixed context menu on the agents/policy grid to enable/disable entries properly in sub-menus.

15. Changed minimum agent version to 3.1.2300 to support Unquarantine and Send for Analysis.

16. Added support for migrating SystemMessage table from MSAccess to SQL.

17. Added Power Management Tab to UI and settings to the policy.

18. Enable remote starting of service from console on logon, if service is not running. User must be admin on box running service.

19. Added Ping Agent, Say Hello and Check for Policy Update to Advanced Sub-menu of agents & policy control context menu.

20. Fixed bug on console that disabled File menu if a connection w/ the server was lost.

21. Added ability to report back to admin if Unquarantine or Delete from Quarantine failed.

22. Reworded Power Management tab, changed the order of the items to match consumer UI.

23. Fixed "Perform quick scan approximately..." so that it saves data to the policy.

24. Prevented logging of error messages to the System Messages table in the DeferredWorkQueueHandler, this could result in deadlock.

25. Enhanced code that Pings an agent box, pinging by both Machine Name and IP and presenting the results of both pings in a dialog after completion of the ping.

26. Added the ability to turn off information balloons in the policy

Agent:

1. Add a System Event for missed scheduled scans.

2. Added logic to report when a quarantine, unquarantine or delete from quarantine action failed.

3. Added logic in the service to set the services display name in Service Control Manager to the Product Name Long or Enterprise Product Name Long string in the resource file.

4. Added the definitions version to the hover text for the main tray icon.

5. Changed ALL history lists to sort in reverse chronological order by default.

6. Added logic to the tray to provide an Active Protection snooze feature. The user can turn AP off for a few minutes.

7. Added logic to disable AP when a machine is started in safe mode.

8. Added logic to not start tray in safe mode.

9. Fix bug where Quick/Deep Scans were not always scanning all local drives.

10. Changed the label "Risk definitions" on the overview panel to "Definitions version".

11. Removed the seconds from the definitions date/time on all screens.

12. Added logic to the Enterprise Agent dll to not send Hello calls when the machine is on battery and in power save mode.

13. Added code in the Enterprise Agent to recognize the Service State of Paused and stop sending Hello calls to the service.

14. Added a double click handler for the warning icon. It will perform the first item on the warning icon context menu.

15. Create an option that allows user to specify auto shutdown of computer once manual scan has completed (non-sticky).

16. Fix code that shows, "Bad Date Format" when there are no definitions present.

17. Added a browse button on the Safe Mode UI where a user can manually apply a definitions file that they downloaded.

18. Added a browse button on the UI Update settings page where a user can manually apply a definitions file that they downloaded.

19. Fixed a bug where the Scan Archives was not being properly set for the Enterprise Agent.

20. Removed the software version from the updates section of the overview panel.

21. Scan history panel. Changed the "Date" column headers to say "Date/Time". Also changed scan history to use the start date/time not end date/time of the scan.

22. Scan history panel. Changed column label, "Risks Total" to "Total Risks".

23. Scan history panel. Changed label for days to keep history to from, "Delete history files older than 15 days" to "History files older than 15 days will be deleted".

24. Change enterprise agent to set the sku config for the UI to always show the proxy settings tab.

25. Added support in the Enterprise Agent dll for reporting a possible False Positive as part of Unquarantine.

26. Added support in the Quarantine Panel for reporting a possible False Positive as part of Unquarantine or directly from the quarantine list.

27. Added logic in the Enterprise Agent to support a deferred work item from the service to force a definitions update.

28. Added scanner and cleaner errors to scan results xml file (threat engine).

29. Fixed Rootkit bug that could cause BSOD.

30. Added more parameter validation in process scanning.

31. Fixed bug in the UI where Update Dialog breaks during application of multiple incremental Updates.

32. Fix AP bug where AP did not detect threats on some removable USB devices on XP SP2 and possibly other OSs.

33. Fixed a bug in the Threat Engine where one of the traces of the CommonName threat was not being detected.

34. Fixed a bug in the Enterprise Agent where cookies were only scanned for a custom scan but not quick and deep when initiated from the agent console.

35. Fixed a bug where the Enterprise Agent would show as a consumer UI when installed but could not communicate with the Enterprise service.

36. Added option to hide all balloons shown by the tray.

37. Added a policy setting from the Enterprise service to allow the admin to show/hide tray balloons.

38. Added two tray menu items; Show Balloons and Hide Balloons.

39. Fixed bug in Threat Engine where it was always calculating an MD5 for every file scanned by AP On Access.

40. Prevent premature scheduled Risk Definitions and Software Updates on wake for scheduled scans.

41. Junction point bug fix in boot time scanner and root kit engine.

42. The right click scanner shell extension was loading the resource dll once per second on Vista. Fixed to only load SBAMRes.dll once per right click.

43. Fixed bug where VIPRE was not rescheduling updates when they were canceled. (Update intervals being ignored)

44. Added logic to the Enterprise Agent SOAP class to set the timeout parameter for calls to the Enterprise service. This helps resolve SOAP error 5 communications errors. Added to the policy so the Admins can change it.

45. Fixed bug where items that are moved from quarantine to always allowed aren't all making it to the always allowed section.

Adobe PSIRT: Clipboard attack update

Here's a quick update to note that we will be changing the way Flash Player interacts with the clipboard to help prevent the potential clipboard attacks that have been reported recently. Please see the following Article on security changes in Flash Player 10 for more information. These changes will be available in the final Flash Player 10 release soon.

This posting is provided “AS IS” with no warranties and confers no rights

Posted: Sep 26 2008, 02:09 PM by aberges | with no comments
McAfee VirusScan Enterprise 8.7i Released

New and updated features in the current release of the software:

Support for Microsoft Windows Server 2008

This release provides support for Windows Server 2008 (Longhorn).

Architectural changes

· VirusScan Enterprise incorporates some significant architectural changes that affect the manner in which the VirusScan Enterprise 8.7i core components work. These changes result in greater security benefits to customers, including:

· Better rootkit detection and cleaning without system restart — Safe memory patching, better IRP repair support at the system core, and the ability to read locked files at the kernel level provide better rootkit detection and the ability to clean detections without restarting the system.

· On-access scan performance improvements during system startup — A new boot cache process improves on-access scan performance during system startup.

· Greater self-protection — The self-protection feature has been enhanced to protect against a wider range of mal-processes that can terminate McAfee processes. This provides greater VirusScan Enterprise self-protection and product stability.

· Real-time malware protection

A new feature, Heuristic network check for suspicious files, provides customers with real-time detections for malware.

This feature uses sensitivity levels that can be configured, based on your risk tolerance, to look for suspicious files on your endpoints that are running VirusScan Enterprise 8.7i.

When enabled, this feature detects a suspicious program and sends a DNS request containing a fingerprint of the suspicious file to McAfee Avert Labs, which then communicates the appropriate action back to VirusScan Enterprise 8.7i.

The real-time defense feature also provides protection for classes of malware for which signatures might not be available.

This protection is in addition to the world-class DAT-based detection VirusScan Enterprise has always provided. The user experience remains the same and no additional client software is required.

In this release, this feature is available only for on-demand scans and email scanning and is disabled by default. You must select a sensitivity level to enable the feature.

Performance improvements

These changes improve performance.

· New scan deferral options improve local control of on-demand scans, including the ability to defer scans when using battery power or during presentations. One option can be configured to allow end users to defer scheduled on-demand scans for the increment of time you specify. You can specify hourly increments up to twenty-four hours, or forever.

· Enhanced system throttling now includes registry and memory scanning in addition to file scanning.

· Improved email scanner

The email scanner now supports double-byte and multi-byte languages. This improves detection reliability.

· Buffer overflow protection exclusions by API

The ability to specify buffer overflow exclusions by API was removed from VirusScan Enterprise 8.5i, but has been reinstated for the VirusScan Enterprise 8.7i release. The API exclusion name is case-sensitive.

· On-access scanner — Scan processes on enable

A new feature, Scan processes on enable, scans processes that are already running when the McShield service becomes enabled. When the McShield service starts, the scanner examines any process that is already running and any process as it is launched.

· On-demand scan usability improvements

When initiating an on-demand right-click scan, you can now choose an action to take on items detected by the scan. These options are available:

· Clean — Report and clean the detection.

· Continue — Report the detection and continue scanning.

Posted: Sep 26 2008, 02:07 PM by aberges | with no comments
SunbeltBlog: CounterSpy Enterprise 3.1 ships

Screenshot here:

http://sunbeltblog.blogspot.com/2008/08/counterspy-enterprise-31-ships.html

This is a big upgrade to their product.  I'm quite excited to deploy it in our environment as the performance increase and definition overhead decrease have been talked about on their mailing lists for months now.  I'll be sure to post my impressions when I begin testing.

More info on the product can be found here:

http://www.prweb.com/releases/2008/08/prweb1223244.htm

Adobe PSIRT: Flash Player "Clipboard Attack"

http://blogs.adobe.com/psirt/2008/08/clipboard_attack.html

We are aware of recent press reports about a potential “Clipboard attack” issue that involves Flash Player. Adobe is currently investigating potential solutions to this issue and will update customers as soon as we have more information to provide.

More information and links available from the below source:

http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/

CVE-2008-3648: Remote Code Execution Exploit with Windows XP nslookup.exe

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3648

Overview

nslookup.exe in Microsoft Windows XP SP2 allows user-assisted remote attackers to execute arbitrary code, as demonstrated by an attempted DNS zone transfer, and as exploited in the wild in August 2008.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base score: 9.3 (High) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.6
Access Vector: Network exploitable, Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information, Allows unauthorized modification, Allows disruption of service
