SANS ISC InfoSec Handlers Diary Blog

McAfee/NAI rolls bad pattern

Published: 2006-03-11
Last Updated: 2006-03-11 01:29:45 UTC
by Daniel Wesemann (Version: 1)
NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files rather than delete them outright: that makes restoring the chewed-up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.

If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
  • How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
  • Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?
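One way to approach the first question, as an added example that is not part of the diary and not McAfee's tooling: triage AV alerts by correlating them with the pattern rollout time. A burst of hits across many hosts right after a rollout, all on files that were already sitting on disk long before it, points at a bad pattern (only the detection logic changed); hits on freshly written files point at an outbreak. The log format, the rollout time, the vendor paths and the "W32/Sample.worm" signature are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AV alert lines (not real McAfee output); fields are
# detect time | host | pattern version | signature | path | file mtime
SAMPLE_ALERTS = """\
2006-03-10 18:02:11|ws01|4715|W95/CTX|C:\\Program Files\\VendorX\\core.dll|2005-07-01 09:00:00
2006-03-10 18:02:14|ws02|4715|W95/CTX|C:\\Program Files\\VendorX\\core.dll|2005-07-01 09:00:00
2006-03-10 18:02:20|ws03|4715|W95/CTX|C:\\Program Files\\VendorX\\core.dll|2005-07-01 09:00:00
2006-03-10 18:02:31|ws04|4715|W95/CTX|C:\\Program Files\\VendorY\\helper.exe|2004-11-15 12:30:00
2006-03-10 20:40:05|ws02|4715|W32/Sample.worm|C:\\WINDOWS\\Temp\\svc.exe|2006-03-10 20:39:58
2006-03-10 22:11:47|ws05|4715|W32/Sample.worm|C:\\WINDOWS\\Temp\\svc.exe|2006-03-10 22:11:40
"""

# Assumed (constructed) time at which pattern 4715 was rolled out here.
ROLLOUT = {"4715": datetime(2006, 3, 10, 18, 0)}
FMT = "%Y-%m-%d %H:%M:%S"

def parse(text):
    rows = []
    for line in text.splitlines():
        when, host, pattern, sig, path, mtime = line.split("|")
        rows.append({"when": datetime.strptime(when, FMT), "host": host,
                     "pattern": pattern, "sig": sig, "path": path,
                     "mtime": datetime.strptime(mtime, FMT)})
    return rows

def triage(rows, rollout, burst=timedelta(hours=1), min_hosts=3, old=timedelta(days=30)):
    """Classify each (pattern, signature) group. All hits inside the rollout
    window, on many hosts, and only on files older than the rollout by a wide
    margin: suspected bad pattern. Any hit on a freshly written file: possible
    outbreak. Anything else needs a human look."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["pattern"], r["sig"])].append(r)
    verdicts = {}
    for (pattern, sig), hits in groups.items():
        start = rollout.get(pattern)
        hosts = {h["host"] for h in hits}
        in_burst = start is not None and all(start <= h["when"] <= start + burst for h in hits)
        all_old = start is not None and all(h["mtime"] <= start - old for h in hits)
        if in_burst and all_old and len(hosts) >= min_hosts:
            verdicts[(pattern, sig)] = "suspected bad pattern"
        elif any(h["mtime"] > h["when"] - old for h in hits):
            verdicts[(pattern, sig)] = "possible outbreak"
        else:
            verdicts[(pattern, sig)] = "review"
    return verdicts

if __name__ == "__main__":
    for key, verdict in triage(parse(SAMPLE_ALERTS), ROLLOUT).items():
        print(key, verdict)
```

A "suspected bad pattern" verdict is the cue to switch the scanner to quarantine-only and hold the rollout on the remaining hosts until the vendor confirms.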