Comments on: Episode 61 - W32/Rbot-GLI

by: CypherBit

Sat, 28 Jul 2007 12:43:28 +0000

Is there a chance I get a hold of your AV script and the asp page?
How did you even execute this on all machines (logon script?).

Thanks in advance.

by: Andy

Tue, 17 Apr 2007 17:13:37 +0000

sorry i’m late, but symantec really stinks as you found out – I’ve found that the console only shows desktops that have checked in with in a user configurable time – say 10 days. If the pc doesn’t check in for 11 days (because it’s broken for example) then it will not be in the console and you won’t see it and realise it is not there.

For checking for websites, use iehv.exe from nirsoft and point it to the temporary internet files location – that will give you the websites that were visited and the date/time of the virus infection will tell you what site they were looking at.

The idea that symantec’s upgrade of the engine/program does not work with liveupdates or definition updates is crazy. Also the fact that the default installation for the updates also means that every machine silently reboots, which is very scary when you run this for the first time on a network and every pc shuts down – you can hear the progress from the screens.

I’ve also had symantec fail to catch virus’s that have been out for 3 or 4 years .

Sophos comes from the UK and has pretty good ratings from a lot of the virus reviewers, avg tends to get poor detection scores, fine for home users, but I wouldn’t trust it on a corporate network.

by: Claudio

Thu, 12 Apr 2007 12:01:15 +0000

We’re using Sophos at our school district as well, and so far it’s been much better than McAfee VirusScan. The Windows PCs are much more responsive compared to how slow they ran with McAfee on them.

by: Cd-MaN

Thu, 12 Apr 2007 06:59:04 +0000

Hello guys.

First of all I want to say that it was a great show as always. Regarding your virus / malware problem, here are some tips:

-You can use Web Historian (http://www.mandiant.com/webhistorian.htm) to find out the link the file came from. Most probably the page in question contained an exploit for IE and automatically downloaded and executed the file in the background. I don’t want you to accuse you of not patching the systems , I just say that this is usually how it works.

~~An other way to find out more information about a malware is to submit the file to sites which scan it with multiple AV engines (a list of which can be found on my blog: http://hype~~free.blogspot.com/2007/03/how-to-submit-suspected-malware-samples.html) and then search for the different names under which it is detected.

Also you can submit the sample to the support of your AV company directly and ask them for removal instructions (also, because you have such a great show I would like to offer a free analysis of the file – I’m a virus researcher at a AV company – send me an email if you are interested)

~~Using an AV product different from the “big two” and low reaction time can keep you protected more often (you can read about the reasons on my blog: http://hype~~free.blogspot.com/2007/04/active-vs-reactive-protection.html). A very good independent testing organization is AV-Comparatives: http://www.av-comparatives.org/

by: Andy Thompson

Thu, 12 Apr 2007 04:16:46 +0000

You guys seen Yahoo! Teachers yet?

http://teachers.yahoo.com/

Interesting, to say the least.

by: Eric Larsen

Wed, 11 Apr 2007 17:03:34 +0000

We tried both Symantec and McAfee, arrg… drop them as they are usless (as you found out). We use Sophos and not have had any virus infestations for over 8 years. We have had a few computers have viruses stopped (by Sophos) including code red, and a few others. We use Antigen on our e-mail server. Antigen was bought by MS, lets see what they end up doing with it to break it. Our Antigen uses the following scan engines on all inbound and outbound e-mail; Norman Data Defense, Microsoft AV, Sophos Anti-Virus, CA InoculateIT, CA Vet, Command, Antigen Worm List, VirusBuster, Kaspersky, and SpamCure.
We have had zero (known) viruses make it past Antigen.
FYI: Antigen is now called MS Forefront.
-Eric

by: Matt Hull

Wed, 11 Apr 2007 13:48:21 +0000

Awesome, thanks. Don’t you hate it when something that simple escapes you.

by: Claudio

Tue, 10 Apr 2007 20:54:31 +0000

The name of the site is Justin.tv.

http://www.justin.tv/

-Claudio

by: Claudio

Tue, 10 Apr 2007 20:35:21 +0000

Hey guys. I had to make a comment about Mac OS X.

I almost fell off my chair when I heard one of you (I think it was the “Mac snob” :-p ) say that OS X runs Linux under the hood. That’s incorrect. Darwin, which is an offshoot of the BSDs, is what runs under the hood. The kernel is based off of FreeBSD.

Just thought I would pass that from one Mac Snob to another.

(Actually, I love Linux, the BSDs, and OS X….can’t say that much about Windows though. :-p)

Thanks for another great podcast!

Claudio