It's a jungle out there


jbredmound


I visit my ISP's tech forum regularly, just to find out what is going on locally. There are more posts entitled "Virus?" than one can shake a stick at, and I really think that the answer to those is YES. Some of the folks know what hit them - can even identify the virus, and all of them had AVP up.

Interestingly enough, our ISP uses a McAfee shield at the server level. The personal AVPs were mostly McAfee, with a couple of Norton 2001s thrown in. One had AVG. They are all describing their AVP going down, never to start up again, along with a whole bunch of registry-related dysfunctions thereafter. They all describe a two-stage attack.

Well, I can verify their claims. Several days ago, I was attacked by a Klez variant which my Norton snagged. Almost instantaneously, I was hit by another variant, which went by my Norton, but which was snagged by the AVG. They were two different variants! I wish I had saved the names or something, but I was in "freaked out" mode, and just wanted them destroyed; I did look carefully at both AVPs' virus IDs, and they were different. :D So it looks like these viruses are starting to hunt like real predators, with an initial attack from the front, and another coming in from behind to take the prey down. :D

I really think that the only reason I did not "blue screen" in the fall was that I was running W2K and I had the patches current. The virus just couldn't get deep enough to take me all the way down. :P One of these folks reports that her virus came via Kazaa, and another reports that his virus came from IM. Others are not sure.

Moral of the story? I am sure glad that I had 2 AVPs up when I was hit, otherwise I think I would have been floating in the debris waiting for the rescue ship. I also think everyone needs to look twice at McAfee; this really surprises me, but they are, at least anecdotally, doing the poorest job.


Guest LilBambi

If the virus creators start adding at least one more prong to their attacks and continue to make them more and more intuitive with their if/then type varieties ... we could start calling their creations packs of Velociraptors!

Quote from http://www.warehouse23.com/item.cgi?GMG1002

Velociraptors are not the largest dinosaurs, nor the strongest, nor the scariest. ...Yet velociraptors are the most feared of all dinosaurs, for a single reason: they are smarter than humans. ...But in game worlds where raptors can observe humans and their tools, the raptors learn quickly, ...

Individually, viruses may not always appear to be that formidable, but when combined and blended as they have been doing, as well as giving some of them 'everything but the kitchen sink' capabilities ... sure makes you wonder! :D

redmaledeer

Do you have any advice/comments/soothing words about running two AVPs on the same machine? It has always seemed like a good idea to me, but I think every time I've heard it mentioned it's been said to be difficult or inadvisable.

-- Redmaledeer


Do you have any advice/comments/soothing words about running two AVPs on the same machine? It has always seemed like a good idea to me, but I think every time I've heard it mentioned it's been said to be difficult or inadvisable. -- Redmaledeer
A bit of advice, don't run two real-time scanners at the same time. I'm sure LilBambi will back me up on this one. I ran McAfee (version 4.5) with AVG, and it caused all sorts of problems... Even having only one RTS but having both programs gave me problems. I decided to switch to AVG by itself, and so far so good. Don't know how Norton works with other AVPs as I've never had Norton. If you do decide to run two programs, be careful with overlapping options (email scan, download scan, etc.) as that can cause many issues. This is why I don't see the point of running more than one... if they don't overlap, you basically have only one layer of protection anyway :D

Do you have any advice/comments/soothing words about running two AVPs on the same machine? It has always seemed like a good idea to me, but I think every time I've heard it mentioned it's been said to be difficult or inadvisable. -- Redmaledeer
Have heard that it's possible, but do not know the magical combo; what has worked for me thus far - never a virus - is NOD32, with Amon running all the time, always install the latest updates, and periodically run on-line scans. Also, you could stay away from the "likely" sources of viruses, trojans, worms, etc. Actually, I'd rather have one good AV program and one good firewall, than two good AVs and no firewall. JMO. :D

...we could start calling their creations packs of Velociraptors! Quote from http://www.warehouse23.com/item.cgi?GMG1002
Velociraptors are not the largest dinosaurs, nor the strongest, nor the scariest. ...Yet velociraptors are the most feared of all dinosaurs, for a single reason: they are smarter than humans. ...But in game worlds where raptors can observe humans and their tools, the raptors learn quickly, ...
Individually, viruses may not always appear to be that formidable, but when combined and blended as they have been doing, as well as giving some of them 'everything but the kitchen sink' capabilities ... sure makes you wonder! :D
Oh no, are we back to the age of dinosaurs? Do you remember when virus protection meant don't share floppy disks? :D I went 18 years without ever seeing a virus and now have had two try to find their way in just this year. Last year my whole school was infected and I spent 20 hours helping our techie figure out how to get rid of it all. What a waste of the week. At least my students learned that viruses can be big trouble and to pay attention. Worst part of it all, the virus had come in through my Photoshop class when they were downloading pictures to edit!

Running two AVPs causes problems? Whoa, hadn't heard a word about that! In fact, I read Extreme Tech and ZDNet articles that recommended it! Expert I am not, but I have been running Norton 2003 with AVG for about 8 months now and I haven't noticed any problems. It does appear that Norton is the "lead dog", performing the first scan whenever a scan is called for. I think the "experts'" points have been more in taking advantage of two databases than anything else. I have never considered my two programs two "moats", but rather as a concerted effort. I'd like to know more about the pitfalls of running two AVPs, as I have recommended this to a number of people, and I'd like to take it back, and tell them why. :D


Guest LilBambi

I think many folks were misunderstanding what the security experts were saying about running multiple virus scanners ... they were not referring to running more than one on a desktop computer ... they were referring to running multiple virus scanners as mentioned here:

From a purely security standpoint, running multiple antivirus software packages has advantages, said Jeff Posluns, security expert and founder of SecuritySage Consulting. Using different products at file and mail servers and at the desktops adds more layers of security. Some security experts go further and suggest running more than one antivirus software on a single system, but Posluns warns against it. "In my experience, there are sometimes false positives when a scanner reads the signature files of the other product," he said.
http://searchsecurity.techtarget.com/origi...i835212,00.html

---

Cross-Product Management
Perhaps the greatest pitfall to centralized AV management is that it may impede a defense-in-depth AV strategy. Because of the varying effectiveness of the different AV applications, security experts recommend running multiple solutions--such as running Trend on the gateway, Sophos on the e-mail servers and Symantec on the desktop. All except one management solution is proprietary, requiring enterprises to use a vendor's client applications and management console.
http://www.infosecuritymag.com/2002/may/co...ndcontrol.shtml

---

One is not enough
Most press releases are self-serving, hype-ridden, mistargeted, and just plain useless. So when one arrives that's actually useful, it's a pleasant surprise, to say the least. This happened last week when GFI Software in Valetta, Malta, sent a note stressing the importance of using multiple antivirus engines to screen e-mail that enters your enterprise from the outside world. In itself, that wasn't particularly surprising. GFI rarely sends out anything that's not useful, and in this case, the company was highlighting its MailSecurity product's ability to use multiple antivirus engines at the same time. Viruses continue to be a major problem for most companies. In fact, they're getting worse. As e-mail use has grown, so have the number and the virulence of computer viruses. Yet, for most companies, the only defense against viruses is the antivirus software that resides on employees' desktop computers. You have to depend on employees to actually scan everything that comes into their computers, and thus on to your network. This is hardly a satisfactory solution. Products such as GFI's MailSecurity offload much of the antivirus heavy-lifting to an antivirus application that protects the e-mail gateway. GFI is not alone in this. There are other products, such as Novell's newly released NetMail, that support either of two engines, Symantec's Scan Engine (formerly known as Carrier Scan) or McAfee NetShield. You can also use CA's InoculateIT. If you have only one antivirus engine, you depend on that vendor to continually update its virus definitions, and to be able to immediately identify virus-like or worm-like code when it arrives in an e-mail. Unfortunately, no antivirus engine has a perfect record. You're running a small but measurable risk. "Every engine can have an off day," says GFI CEO Nick Galea. By using multiple engines, he says you make the virus writer's job much more difficult.
The same is true for hackers who try to slip a worm onto your network to gain access. "The chance is much smaller" that they could get past multiple engines, Galea says. And that is the reason why GFI supports the use of up to three antivirus engines at the same time. The BitDefender and Norman antivirus engines, which are very popular in Europe, ship with MailSecurity. A third, from McAfee, is optional. Galea says he thinks that running three engines can give an enterprise a virus catch rate of better than 99.9 percent. "You can go years between successful virus attacks this way," Galea says. Of course, having great antivirus protection on your e-mail gateway doesn't mean you can abandon your other antivirus software. You still need to have an antivirus package on every workstation because some users will use disks from dubious places, or visit virus-laden Web sites, or do one of many other things that may put your network in jeopardy. But the single biggest pathway for viruses is still your e-mail. And you can protect that.
http://techupdate.zdnet.com/techupdate/sto...2876822,00.html

In addition, there have been problems with the different antivirus software packages interfering with each other or causing crashes in the other AV software package. Many folks are already running a firewall and antivirus program that does heuristic scanning, which is really like having dual scanning - scanning for known threats (through definitions) and scanning for unknown threats (through heuristic scanning). From what I have read, I really believe it is more important to have one good antivirus program that does dual scanning as noted above on the desktop computer than multiple virus scanners. An added layer of protection at the mail server or gateways is a great addition to your desktop dual scanning AV software and many ISPs are already providing that whether you realize it or not. You can usually tell if they are by the addition of a statement similar to this in a received email header:
...  with qmail-scanner-0.96 (uvscan: v4.1.40/v4156. . Clean. Processed in 0.687079 secs); 22 Apr 2003 17:25:37 -0000
I suggest saving your resources and memory for a good firewall and room to spread out and use other programs without bogging down the system. Just my 2 cents worth :rolleyes:
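To check your own mail for the kind of gateway-scanner stamp LilBambi describes, here is an added example (not code from the thread or from any of the products mentioned) that unfolds raw message headers and pulls the scanner version, engine, engine version and verdict out of any Received: line carrying a qmail-scanner stamp. The headers below are constructed to mirror the quoted stamp; a Received: line is an unauthenticated claim written by whichever host relayed the message, so this tells you what your ISP's stamp looks like, not that the message is safe.

```python
import re

# Constructed sample: two Received: headers, only the second (the ISP's relay)
# carries a qmail-scanner stamp. Continuation lines are folded with leading spaces
# exactly as a mail client would show them.
SAMPLE_HEADERS = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
  by mx.isp.example with SMTP; 22 Apr 2003 17:25:37 -0000
Received: from unknown (HELO smtp.sender.example) (198.51.100.7)
  by mail.isp.example with qmail-scanner-0.96
  (uvscan: v4.1.40/v4156. . Clean. Processed in 0.687079 secs);
  22 Apr 2003 17:25:37 -0000
From: someone@sender.example
Subject: hello
"""

# Matches "with qmail-scanner-<ver> (<engine>: <engine version>. . <Verdict>."
# The engine version is taken lazily up to the ". ." separator seen in the stamp.
SCAN_RE = re.compile(
    r"with\s+qmail-scanner-(?P<scanner>[\d.]+)\s*"
    r"\((?P<engine>\w+):\s*(?P<engine_ver>.*?)\.\s+\.\s+(?P<verdict>\w+)\."
)


def unfold(raw: str) -> list[str]:
    """Join folded continuation lines (leading space or tab) back onto their header."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def find_gateway_scans(raw: str) -> list[dict]:
    """Return one dict per Received: header that carries a qmail-scanner stamp."""
    hits: list[dict] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        match = SCAN_RE.search(line)
        if match:
            hits.append(match.groupdict())
    return hits


def was_scanned_clean(raw: str) -> bool:
    """True only if at least one gateway stamp exists and every stamp says Clean."""
    scans = find_gateway_scans(raw)
    return bool(scans) and all(s["verdict"] == "Clean" for s in scans)
```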

Ragnar Paulson

Unfortunately running a virus scanner on your mail server and on your desktop is not an option for many home users. That's a business level solution and a good one. We've been running our own mail server and virus scanner for several years with desktop AV in user workstations. We have not had a single infection. It works. (We did lose one IIS machine to Nimda when it was accidentally used for dial-up testing.) Our mail server processes about 1500 messages/day (more spam than not :rolleyes: ) and there is at least one virus/day. Incidentally, our firewalls and IDS report about 8000 probes a day for common vulnerabilities (open shares and unpatched IIS probes leading the way). So it is a jungle out there. Don't go out without protection. Fortunately it's pretty manageable with a little bit of common sense, policy and protection. In that order of importance IMHO.

Ragnar


I'm running the Zone Alarm free edition, and every time I check it, I get a "stealth" rating. The only bog down I noted was when opening Word, but I fixed that by limiting to one virus scan. One of the comments I read above, about every system being able to have a bad day, confuses me a bit more. When I was hit by that Trojan, which totally trashed Norton, followed by a second hit before I could figure out what I was going to do, well, it was quite a moment. I think I related here that I recently had another two-prong attack, but I survived unscathed, as the AVG picked up the second attacker. I don't want to say that the McAfee provided by my ISP seems totally worthless, but it seems totally worthless. :rolleyes: So what's the downside risk, other than using some system resources, if I want to be a "contra" and keep the two systems on line? They seem to play well with each other.

Another question; since I'm running W2K, do you think I could set one up to monitor just the internet, and the other do the "internal work"? It seems like I would be mimicking a "server system" and a desktop system. Do I ask hard questions? It's because I really don't trust any one solution, due to past experience. I don't like emergencies... I spent years as a Paramedic, and I got a lifetime of adrenalin rushes there.


My thought is more power to you if you've got both running happily side-by-side. In your case, with some of the double-up problems you've seen, having both may not be a bad idea. I don't know enough about Norton as to whether or not it can be set up to work on the incoming/outgoing only or just the "it's already here", but AVG (the free edition anyway) isn't going to give you that customization. I imagine you'd have to get the full version to have anything close to those customization abilities.


Guest ComputerBob
Just my 2 cents worth  :D
I'd say that's about $100 worth. :D Your research, compilation, and explanation skills are excellent, Fran! Once again, you're a treasure! :(

Cluttermagnet

Do Norton AV and Zone Alarm play well together if you enable both to check email at the same time? I tended to disable Norton in the past, running only ZA because it seemed to catch potentially dangerous executables more often. So far, very few actual infected emails seen here- about 1 or 2 in the past 7 years- but I have had to have friends resend certain attachments after turning off ZA for email, as it has snagged a bunch of stuff that was not actually malicious but could have been.
