does f-prot windows detect new virus?

hi there does f-prot detect the new Witty virus/worm?
tia.

In article <0ktu50hm4bcbv3f6aekfepueg8p42dl1qe@4ax.com>, dude@h.com
says...
> hi there does f-prot detect the new Witty virus/worm?

No... I'm not aware of any anti-virus product that can detect Witty.
Witty is a pure network worm that spreads through direct network
connections. It's code exists only in memory and is not written to disk
so there's nothing for your anti-virus software to detect.

Note: Witty isn't an issue unless you're running one of the following
products:

RealSecure® Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia? A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE? Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before

> tia.
>

Your welcome. HTH.

--
Cheers-

Jeff Setaro
jasetaro <at> mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

"Jeffrey A. Setaro" <jasetaro@SPAM.ME.NOT.mags.net> wrote

> No... I'm not aware of any anti-virus product that can detect Witty.
> Witty is a pure network worm that spreads through direct network
> connections. It's code exists only in memory and is not written to disk
> so there's nothing for your anti-virus software to detect.

According to the VIL (http://vil.nai.com) McAfee will detect it in memory
using the Extra driver available via request in conjunction with the memory
process scanning...

This will required VS 7.x with memory scanning enabled.. this may also be
possible via the Windows command line - but you would need to check that
with McAfee (sounds like it should work to me but I dont have Witty or the
Extra.Dat/4342 DATs...)

The switches for the Windows command line scanner (Scan.Exe) are:

/WINMEM Scan all Running Windows Processes.
/WINMEM=<pid> Scan the Running Windows Process With Process ID
<pid>.

At the moment the Extra driver for detection is via Request, but according
to the VIL as of now (Tuesday 15:40 UK) , this will be in the regular DATs
from tomorrow/Wednesday 24th (4342 DAT)...

Details here:

http://vil.nai.com/vil/content/v_101118.htm

Selected extracts from description:

Note: As no files are dropped on the machine by the worm, detection in the
specified DATs and later will be detection for the worm running in memory
when the machine is infected.

Detection requires VirusScan 7+, running an On Demand Scan, and scanning
memory.

Cheers,

..\/.artin

---
wra-ign0rethis-ngler the-funny-"a"-with-the-loop aye vee research dot info
no spaces no dashes just that

Sorry, replying to myself ("Hello.... ", "Hello....", "Nice computer....",
"Thanks!")

Opps!

Scan.Exe in order to use these switches needs a minimum of the 4320 Command
line scanner...

> The switches for the Windows command line scanner (Scan.Exe) are:
>
> /WINMEM Scan all Running Windows Processes.
> /WINMEM=<pid> Scan the Running Windows Process With Process ID
> <pid>.