Should NAV have caught "Blaster" ?
#1

A friend of mine is running a small network with Norton A/V on several systems, all set to do "live update". Last week several of the machines became infested with the Blaster worm.

I removed it and got him rolling again... but should Norton have caught "blaster" before he got infected ? It was days past the point when Blaster had been found by everyone and there was already a "fix" at the Norton site... so I would have thought Norton would have caught it. Does this indicate that he has a problem with his live update and/or periodic scans ?

Thanks,
J

#2

"Jimmy" <none@causeIhatespam.com> wrote in message news:ukqflvgv6rc021ccr47k7i92bkpkk26qqe@4ax.com...
> A friend of mine is running a small network with Norton A/V
> on several systems, all set to do "live update". Last week
> several of the machines became infested with the Blaster
> worm.
>
> I removed it and got him rolling again... but should Norton have
> caught "blaster" before he got infected ? It was days past the point
> when Blaster had been found by everyone and there was already a
> "fix" at the Norton site... so I would have thought Norton would have
> caught it. Does this indicate that he has a problem with his
> live update and/or periodic scans ?
>
> Thanks,
> J

If his systems had been patched, Blaster would not have been a problem.

#3

"Jimmy" <none@causeIhatespam.com> wrote in message news:ukqflvgv6rc021ccr47k7i92bkpkk26qqe@4ax.com...
> A friend of mine is running a small network with Norton A/V
> on several systems, all set to do "live update". Last week
> several of the machines became infested with the Blaster
> worm.
>
> I removed it and got him rolling again... but should Norton have
> caught "blaster" before he got infected ? It was days past the point
> when Blaster had been found by everyone and there was already a
> "fix" at the Norton site... so I would have thought Norton would have
> caught it. Does this indicate that he has a problem with his
> live update and/or periodic scans ?

If you didn't patch the vulnerability that Blaster exploits, then you probably didn't prevent the worm executable from being downloaded. The AV should have been able to prevent the executable from being executed though.

How did you determine that it was Blaster? Did the AV find it in a tftp***** file?

#4

Perhaps, but I have found NAV 2002 inadequate and have upgraded to 2003. Also added a firewall and pop-up killer.

#5

"Jimmy" <none@causeIhatespam.com> wrote:
> A friend of mine is running a small network with Norton A/V
> on several systems, all set to do "live update". Last week
> several of the machines became infested with the Blaster
> worm.
>
> I removed it and got him rolling again... but should Norton have
> caught "blaster" before he got infected ? It was days past the point
> when Blaster had been found by everyone and there was already a
> "fix" at the Norton site... so I would have thought Norton would have
> caught it. Does this indicate that he has a problem with his
> live update and/or periodic scans ?

What version of NAV?
How often is it checking for updates?
Has he kept his update subscription up-to-date?

Was he really infected or was NAV just detecting the virus .EXEs being dropped to his disks through the vulnerability?

--
Nick FitzGerald

#6

On Fri, 5 Sep 2003 21:55:54 +1200, "Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote:

>What version of NAV?
>How often is it checking for updates?
>Has he kept his update subscription up-to-date?

I think it's 2002 but I'll have to check. He had several machines to be cleaned and I didn't have a lot of time to look at Norton aside from determining that it was running. I ran live-update on one machine and it wanted to update some components but it did not appear that the virus def's themselves needed updating. I can recheck and see what they are doing. The licenses are up to date on some of the machines that were updated.

>Was he really infected or was NAV just detecting the virus .EXEs being
>dropped to his disks through the vulnerability?

I found "ms-blast" running on some machines. I ran the Norton detect & remove tool and it found blaster and removed it. Systems had some really odd things happening before removal such as Word, Excel, and some other business apps throwing errors as if they were totally misconfigured or perhaps a disk had gone bad. After removal and patch, they were fine.

It sounds like you are saying that Norton should have caught it if everything was properly configured. I'm thinking that I have to go back and figure out why these systems may not have properly updated or did not monitor properly.

Is it correct to assume that if the real-time monitor was running and the AV updates were done that "blaster" would not have been able to infect the machine ?

Thanks,
J

#7

Jimmy wrote:
>
> Is it correct to assume that if the real-time monitor was running and
> the AV updates were done that "blaster" would not have been able to
> infect the machine ?

Just to be precise, the worm could still attack the machine and force its way past the vulnerable point, but a properly configured and up to date virus scanner should certainly have prevented the code from being executed.

Of course given that the patch was available from Microsoft for a month before blaster hit, I'm going to take a risk on assuming that anyone who failed to patch their machine also doesn't have their AV setup correctly and/or up to date.

#8

On Sun, 7 Sep 2003 08:56:43 +0100, "Robert Moir" <bofh@mvps.org> wrote:

>Of course given that the patch was available from Microsoft for a month
>before blaster hit, I'm going to take a risk on assuming that anyone who
>failed to patch their machine also doesn't have their AV setup correctly
>and/or up to date.

I hear ya. As a qualifier... they ain't my machines :-)

I am mostly interested in using the fact that Norton didn't catch it as a metric to tell me that they do in fact have something wrong with their setup. Now at least I know that I have to go back and hunt down what is wrong with the Norton installation.

Helping them to get on a routine of installing Windows updates as issued is another problem I need to help him with.

Thanks,
J