> SYNOPSIS > The default NAI/McAfee Viruscan Engine configuration does not > include .VBS in the list of program file extensions, thereby > skipping .VBS files when scanning. The VBS/Freelink virus and > possible other viruses could go undetected. <<snip>> > SUMMARY > Recently, an employee at our company got infected with the > VBS\Freelink virus. Since we have Total Virus Defense, and have > viruscan engines on our mail servers, file servers and client > machines, we were quite surprised to have trouble with a virus that > has been in the NAI DAT files since 07/07/1999 (DAT version 4035). > > A quick check told us that the default settings scan "only program > files", and that the .VBS extension was not included in the default > list of program extensions. Therefore, VBS files are skipped during > scans. The only way to update this is by adding the VBS extension > manually to the list of extensions in the client. > > We have contacted Network Associates Support about this Februari 12, > and have been in touch with them multiple times. There seems to be > some confusion about the problem at the support desk. Posting this to a "bug" list seems a tad OTT. This is a long-standing issue/problem with antivirus software. A new infection mechanism is found that renders previously non-target file types potential targets. Sometimes these are incredibly arcane and the scope of the possible infection scenario extremely limited with perhaps the feeble proof-of-concept virus encompassing the extent of the likely threat (an example from recent years is the Windows INF-scripting virus -- hardly grounds for the addition of INF files to the default "files to scan" extension/type list). The biggest "issue" here is that AV software is inherently data-driven. It is no news to the readers of this list that if you don't keep your scanner's DAT/DEF/whatever files up-to-date your scanner rapidly becomes obsolete. Oddly, in such a data-driven field, issues such as keeping virus scanner configurations up-to-date because "wise" default configuration options change due to the appearance of new virus types have not been dealt with in the same way. The "data" that you should add new file types to your config is dispersed poorly and incompletely, depending on the user stumbling across it rather having it arrive and be acted upon automatically at the place where it is most needed. I've written about this issue several times and have explicitly suggested to several developers that an "intelligent updater" option for program settings is as necessary as the technology they have developed to get millions upon millions of desktop scanners virus detection databases updated evry few days/weeks. That the AV developers have faced a rapidly increasing list of default file types to be concerned with over the last three years and seem to have mostly ignored this issue makes us cynics wonder whose interests they really hold uppermost... > WORKAROUND > Two possible solutions: > - - Add the .VBS extension to the list of program file extensions in > the on-access monitor, and the viruscan program... Keep in mind that > different viruscan programs have their own lists! - - Select "Scan > All Files" In modest-sized networks, the use of the management tools should make automating this very easy... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:11 PDT