Norton NAV doesn't see Litmus, but Symantec does

Igor

I have Norton antivirus. Via an scr file, I was infected with Litmus virus -- sort
of, in that the winsrv.exe package was dl'd but my Zonealarm firewall stopped it
calling out for instructions and I have killed that and the registry changes.
Anyway, when I scan the scr file locally, using the latest updates from Norton, it
does not see an infection. When I submitted the file to Symantec, it sent me an
e-mail saying that the file is infected with Litmus. (The winsrv.exe file also scans
clean locally; I have not submitted it.)

(BTW, I got sucker-punched by what I thought was a standard image file in a newsgroup
I have used for a long time. I did not know that ng attachments could carry
executables. Now I know.)

I thought that maybe I am between the official updates that happen on Wednesdays, IIRC,
and that Litmus is new. But I see that the virus is listed by Symantec in Sept 02,
so the proper definition _should_ be in my definitions file.

Since Norton has this "firewall" against its customers comments, the only way I can
inform them about this, it seems, is to pay them for a consult. Anyway, anyone have
an idea as to what might be going on?

Also, what about these Wednesday updates? It seems that even with the "latest" virus
defs dl'd, a virus for which Symantec has created a def can be cleared on my computer
as clean -- because, the _actual_ latest defs are not included in the update until
the following Wednesday. It seems that if I were a commercial customer, things may
be actually current, but for consumers it is once-per-week. Is that right? Is there
a place that Symantec informs its customers that "current" updates are actually
delayed?

Comments please. Thanks.
 
Blevins

> (BTW, I got sucker-punched by what I thought was a standard image file in a newsgroup
> I have used for a long time. I did not know that ng attachments could carry
> executables. Now I know.)

.scr files are executables. And why would you think that an executable
couldn't be posted to usenet? Usenet is probably the biggest source of
viruses. Well, it was before Kazaa anyway.
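Blevins's point is that a .scr "screensaver" is a Windows program, so an attachment's name says nothing about what it is. The following is example code added here, not from any poster in the thread: it judges an attachment by its content (a Windows PE header) as well as by its name. The extension lists and the sample blobs are assumptions constructed for the example.

```python
import struct
# Extensions Windows runs as programs even when the name looks harmless (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif", b"BM": "bmp"}

def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff_image(data: bytes):
    """Image type implied by the leading bytes, or None if no known image header."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def classify(name: str, data: bytes) -> list:
    """Warning codes for an attachment, judged by both its name and its content."""
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    warnings = []
    if ext in EXECUTABLE_EXTENSIONS:
        warnings.append("executable-extension")
        if len(parts) > 2 and "." + parts[-2] in IMAGE_EXTENSIONS:
            warnings.append("double-extension")  # e.g. holiday.jpg.scr
    if is_pe_executable(data):
        warnings.append("pe-content")
    if ext in IMAGE_EXTENSIONS and sniff_image(data) is None:
        warnings.append("extension-content-mismatch")
    return warnings

def make_fake_pe() -> bytes:
    """Constructed stand-in for a program: MZ stub, e_lfanew = 0x40, then 'PE\\0\\0'."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample attachments, not files from the thread.
SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
    "vacation.jpg.scr": make_fake_pe(),                  # screensaver is a program
    "picture.gif": make_fake_pe(),                       # image name, PE inside
}
```

Run `classify(name, data)` over each sample: the JPEG gets no warnings, while the renamed program is flagged by its content even when the extension looks like an image.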
 
Jeffrey A. Setaro

Igor9277 said:
> I have Norton antivirus.

Sorry to hear that... What version? Is it configured to scan .scr files
(older versions of NAV do not scan .SCR files by default)?

> [Snip]
> I thought that maybe I am between the official updates that happen on Wednesdays, IIRC,
> and that Litmus is new. But I see that the virus is listed by Symantec in Sept 02,
> so the proper definition _should_ be in my definitions file.

You can download daily updates from Symantec's web site @
<http://securityresponse.symantec.com/avcenter/defs.download.html>.

> Since Norton has this "firewall" against its customers comments, the only way I can
> inform them about this, it seems, is to pay them for a consult. Anyway, anyone have
> an idea as to what might be going on?

You could try using the feedback form @
<https://secure1.symantec.com/discuss/support/feedback2.nsf/product+feedback>

> Also, what about these Wednesday updates? It seems that even with the "latest" virus
> defs dl'd, a virus for which Symantec has created a def can be cleared on my computer
> as clean -- because, the _actual_ latest defs are not included in the update until
> the following Wednesday. It seems that if I were a commercial customer, things may
> be actually current, but for consumers it is once-per-week. Is that right? Is there
> a place that Symantec informs its customers that "current" updates are actually
> delayed?

Sort of... See
<http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713> for details.

> Comments please. Thanks.

Dump NAV and switch to a different anti-virus product. F-Prot for Windows
<http://www.f-prot.com> and Nod32 <http://www.nod32.com> are very good
choices for home users.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 
Igor

Thanks for the comments. I generally agree. After all my years of computer use, I
was dumbfounded/embarrassed to discover that scr files can contain bad stuff, do
execute (or cause execution), and that NGs carry bad stuff. A big gap in my
knowledge -- now plugged. I agree about the waiting room approach. Indeed, about
every 2-3 months I discover a "bad" attachment/thing that scans clean (even with a
manual def update from Symantec) that I know is bad and treat accordingly. I don't
want to be the first kid on the block _hurt_ by something. (It is funny how often I
have contacted companies about viruses, etc., and other software, hardware,
telecom/ISP problems and I hear back, "Well, if this were a problem, we would already
know about it." Then minutes/hours/days later it turns out I _was_ the first kid on
the block -- or one of them.)

IMO, a firewall that requires _outbound_ permission is indispensable to good
security. It is akin to having motion detectors in your house in addition to
switches on the windows and doors. If the switches were perfect, one would not need
motion detectors. Yet, as one liquor store near here found out a few months ago, the
bad guys can come through the (brick) wall -- and then the door and window sensors
are worthless.

Last week, I helped a nephew clean out his computer of spyware and other drek -- all
sex-related stuff. He kept telling his mom, "I didn't do this" as sex sites popped
up every few minutes. (I had to install Netscape just to get the dl's I needed to do
the cleaning.) I had to tell him that he did do it, but he just didn't know he had,
he was not "at fault", and that he had to be careful. Then a few days later, I show
my ignorance about scr files and NGs. I plan to tell my nephew about what happened
to his "savvy" uncle.

Again, thanks.


My comments may sound a little like paranoid delusions,
but you can decide for yourself whether or not they're valid.

> I have Norton antivirus. Via an scr file, I was infected with Litmus virus --

Not a virus, a backdoor trojan. Not being a virus may mean that
any number of varieties of other malware could also be in that
.scr file and be unknown to the AV software.

(if it were a virus, there would be a better chance of the AV
knowing what could possibly be bundled with it, that is, if it
were a known virus and that bundle were seen often enough)

> sort
> of, in that the winsrv.exe package was dl'd but my Zonealarm firewall stopped it
> calling out for instructions and I have killed that and the registry changes.

*Whatever* was in that .scr file *was* installed on the machine, and
submitting the .scr file to the regular submission service may only see
the known (Litmus) malware within. It is good that the firewall was
able to mitigate somewhat however by at least alerting you to some
unwanted behaviour.

> Anyway, when I scan the scr file locally, using the latest updates from Norton, it
> does not see an infection.

Just how far can one trust a machine, that has been perhaps
compromised by the execution of an unknown .scr file, to give
accurate results by running a local scanner?

> When I submitted the file to Symantec, it sent me an
> e-mail saying that the file is infected with Litmus.

...and nothing else?

I wonder how thoroughly they check these types of submissions,
if they merely scan it with the latest defs and give an automated
response, or if someone actually *looks* at the file?

Saying it has Litmus does not mean it doesn't have anything
else. Just as saying "no virus detected" doesn't mean it is safe.
It only means "I looked, and didn't *recognize* anything other
than Litmus."

> (The winsrv.exe file also scans
> clean locally; I have not submitted it.)
>
> (BTW, I got sucker-punched by what I thought was a standard image file in a newsgroup
> I have used for a long time. I did not know that ng attachments could carry
> executables. Now I know.)

Good info for the *next* time.

> [snip]
> ....It seems that if I were a commercial customer, things may
> be actually current,

Current is a relative term. That is why questionable content
(imo) should be quarantined in a "waiting room" to allow
definitions for *new* malware to be added to the def set
before relying on a scan to (still falsely) allay your fears.

..unless you *want* to be the first kid on the block to
experience a new malware's payload. ;o)
 
Igor

> Igor wrote:
> > [snip description of local nav not catching what symantec can catch at
> > their end]
> > Comments please. Thanks.
>
> check your defs and check your *engine*... old engines can't make
> optimal use of new defs... also, check your installation with the eicar
> standard anti-virus test file
> (http://www.eicar.org/anti_virus_test_file.htm)

Thanks. I have NAV 2003. The problem was, among other things, the way that Symantec
distributes new defs. (See my posts, above.)
 
Igor

> Igor9277 said:
> > I have Norton antivirus.
>
> Sorry to hear that... What version? Is it configured to scan .scr files
> (older versions of NAV do not scan .SCR files by default)?
>
> [Snip]

NAV "Professional Edition" 2003

> You can download daily updates from Symantec's web site @
> <http://securityresponse.symantec.com/avcenter/defs.download.html>.

It turns out that by doing a manual update I did get a definition that identified the
"malware". At best, it seems a bit peculiar that Symantec claims that it identified
Litmus in September of last year, the info page about Litmus is listed as "Last
Updated on: June 10, 2003 06:58:32 AM", and yet the most recent NAV definitions that
I can get via the so-called "Live Update" do not include a definition of the
malware that I got. So, even if Symantec were to properly, prominently tell its
consumer customers that "Live Update" is not current -- it might be a few days behind
-- in this instance it is at least weeks behind _or_ they have posted a "misleading"
description of when they issued a definition for Litmus.

> You could try using the feedback form @
> <https://secure1.symantec.com/discuss/support/feedback2.nsf/product+feedback>
>
> Sort of... See
> <http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713> for details.
>
> Dump NAV and switch to a different anti-virus product. F-Prot for Windows
> <http://www.f-prot.com> and Nod32 <http://www.nod32.com> are very good
> choices for home users.

I have been reconsidering dumping both NAV and NIS (Internet Security). The latter
is, in its latest "upgrade", more rudimentary than two iterations ago. For example,
when protecting personal information in my profile, if a webform contains 3 items
from my profile NIS used to issue one warning and ask only once for permission. Now,
it asks permission each time. So, if I am using Yahoo mail and replying to an e-mail
that has 6 prior e-mails in it, each with my name (which is in my NIS profile), I am
now asked 6 times if it is OK to send the e-mail.

Thanks.
 
FromTheRafters

[snip]
> I had to tell him that he did do it, but he just didn't know he had,
> he was not "at fault", and that he had to be careful. Then a few days later, I show
> my ignorance about scr files and NGs. I plan to tell my nephew about what happened
> to his "savvy" uncle.

Kudos to you on this point!
Anyone can make a mistake.
 
Zvi Netiv

FromTheRafters said:
> [snip]
> > I had to tell him that he did do it, but he just didn't know he had,
> > he was not "at fault", and that he had to be careful. Then a few days later, I show
> > my ignorance about scr files and NGs. I plan to tell my nephew about what happened
> > to his "savvy" uncle.
>
> Kudos to you on this point!
> Anyone can make a mistake.

Making mistakes is human, learning from them is divine ... ;-)
 
