
You Can Lead A Horse To Water......


alfred


All,

 

Each day, 7 days a week, 3 times a day, we manually review our FPs and vet them. We do this by looking at what files our users roll out of Quarantine. We examine each file. In many cases I find users who are rolling things out of Quarantine that are actually threats. In this case the rollbacks are where the user sees us (correctly) ID a threat and quarantine it, yet they still roll it back out of Quarantine. Nearly every time this is because the threat is masquerading as software they really want to run. In the last 24 hours 37 different Community users rolled back this SHA (and related threat name):

 

AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615

Trojan.Rootkit-1503

 

It's our biggest single item rolled out of Quarantine in the last 24 hours. The rub is, this threat is real. In fact it's Conficker.

 

http://www.virustotal.com/file-scan/report.html?id=aa0bbaecb678868e1e7f57c7ca9d61b608b3d788be490790eb1d148beadf4615-1282200455

 

Goes to show how insidious some of the packaging and social engineering can be to get people to run threats.

 

al

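A small triage helper in the spirit of the rollback review Al describes above, as an added example that is not Immunet's code: it parses constructed rollback records, counts distinct users per SHA-256 inside a 24-hour window, and queues the most-rolled-back hashes for an analyst to re-check before the detection is treated as a false positive. The record format, the user names and the placeholder hashes are assumptions; the first hash is the one quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample rollback records: timestamp, user, sha256, detection name.
# The first hash is the one quoted in the post; the other two are made-up placeholders.
CONFICKER_SHA = "AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615"
PLACEHOLDER_B = "b" * 64
PLACEHOLDER_C = "c" * 64
SAMPLE_ROLLBACKS = f"""
2010-08-19T03:10:00Z user01 {CONFICKER_SHA} Trojan.Rootkit-1503
2010-08-19T03:15:00Z user01 {CONFICKER_SHA} Trojan.Rootkit-1503
2010-08-19T07:40:00Z user02 {CONFICKER_SHA} Trojan.Rootkit-1503
2010-08-19T11:05:00Z user03 {CONFICKER_SHA} Trojan.Rootkit-1503
2010-08-19T09:00:00Z user04 {PLACEHOLDER_B} W32.Generic-Example
2010-08-18T10:00:00Z user05 {PLACEHOLDER_C} W32.Generic-Example
2010-08-19T08:30:00Z user06 {PLACEHOLDER_C} W32.Generic-Example
"""
# Assumed time at which the analyst runs the review (UTC).
REVIEW_TIME = datetime(2010, 8, 19, 12, 0, tzinfo=timezone.utc)

def parse_rollbacks(text):
    """Parse one record per line; reject any record whose hash is not a SHA-256."""
    records = []
    for line in text.strip().splitlines():
        ts, user, sha, name = line.split(maxsplit=3)
        sha = sha.lower()
        if not SHA256_RE.match(sha):
            raise ValueError(f"malformed SHA-256 in record: {line!r}")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, user, sha, name))
    return records

def rollback_summary(records, now, window=timedelta(hours=24)):
    """Distinct users per (sha, detection) inside the window, most rolled back first.
    A user who rolls the same file back twice still counts once."""
    users = defaultdict(set)
    for when, user, sha, name in records:
        if now - window <= when <= now:
            users[(sha, name)].add(user)
    return sorted(((len(u), sha, name) for (sha, name), u in users.items()), reverse=True)

def vetting_queue(records, now, min_users=2):
    """Hashes an analyst should re-examine before treating the detection as an FP."""
    return [(sha, name, n) for n, sha, name in rollback_summary(records, now) if n >= min_users]

if __name__ == "__main__":
    for sha, name, n in vetting_queue(parse_rollbacks(SAMPLE_ROLLBACKS), REVIEW_TIME):
        print(f"{n:3d} users  {name:<22} {sha}")
```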

Thanks for the info on the conficker troubles. I read somewhere that this type of malware can hide in what would otherwise be legitimate software. Something good to remember if IMP quarantines some application you think is safe. A good rule of thumb would be then, if in doubt submit the file(s) for evaluation before taking it out of quarantine, right?


Yes, when in doubt, submit the software. If not to us then to another AV vendor or Virus Total, Jotti etc.

 

al



At first I was curious why IMP quarantined a software program called HddLed 1.7, which I found useful since I run multiple drives. I have used this program for years with no apparent ill effects. I did some research, however, and found this version of HddLed had a Buffer Overflow Attack Vulnerability in its code and Immunet spotted the problem. For anyone not familiar with what a buffer overflow is, here is a link: What Is A Buffer Overflow
