
Thread: Multiple AV vendor vulns - archived

  1. #51
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005 | Location: USA | Posts: 6,881

    AVG 8.5 vuln - updates available

    FYI...

    AVG 8.5 vuln - updates available
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1784
    Last revised: 05/26/2009
    CVSS v2 Base Score: 10.0 (HIGH)

    - http://xforce.iss.net/xforce/xfdb/50426
    ... Platforms Affected:
    * AVG, AVG Anti-Virus 6.0.710
    * AVG, AVG Anti-Virus 7.0
    * AVG, AVG Anti-Virus 7.0.251
    * AVG, AVG Anti-Virus 7.0.323
    * AVG, AVG Anti-Virus 7.1.308
    * AVG, AVG Anti-Virus 7.1.407
    * AVG, AVG Anti-Virus 7.5.448
    * AVG, AVG Anti-Virus 7.5.476
    * AVG, AVG Anti-Virus 8.0
    * AVG, AVG Anti-Virus 8.0.156
    Remedy: Upgrade to the latest version of AVG (8.5 build 323 or later), available from the AVG Web site...

    Program update AVG 8.5.323 SP1
    - http://www.avg.com/223363
    ... Fixes
    • Core: Fixed problem with crash while scanning PDF files.
    • Core: Fixed occasional crash of scanning engine.
    • Core: Fixed problem of crash while healing Mozilla Firefox 3 cookies.
    • Core: Fixed problem with processing slowdown during Resident Shield scanning LNK files.
    • Core: Fixed problem with ZoneAlarm incompatibility.
    • Core: Fixed problem with missed detection in corrupted *.cab and *.zip archives (thanks to Thierry Zoller)...

    Last edited by AplusWebMaster; 2009-05-27 at 08:32. Reason: Added AVG link...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #52
    AplusWebMaster (Adviser Team)

    McAfee false positive/sporadic...

    FYI...

    McAfee false positive...
    - http://www.theregister.co.uk/2009/06..._update_snafu/
    9 June 2009 - "A recent McAfee service pack led to systems being rendered unbootable, according to posts on the security giant's support forums. The mandatory service pack for McAfee's corporate Virus scanning product, VSE 8.7, was designed to address minor security bugs but instead tagged windows system files as malware. The software update was issued on 27 May and pulled on 2 June, after problems occurred. Users were advised to keep the patch if they'd already installed it in a low-key announcement on McAfee's knowledge base*. Posts on McAfee's support forum** paint a different picture of PCs and server left unbootable after the update had automatically deleted Windows systems files wrongly identified as potentially malign..."
    * https://kc.mcafee.com/corporate/inde...ent&id=KB65943
    June 08, 2009
    ** http://community.mcafee.com/showthread.php?t=231060


  3. #53
    AplusWebMaster (Adviser Team)

    F-secure - Mail relay vuln - update available

    FYI...

    F-secure - Mail relay vuln - update available
    - http://www.f-secure.com/en_EMEA/supp...sc-2009-2.html
    2009-06-16 - "...Specially crafted messages may be used to bypass mail relay restrictions.
    Mitigating factors:
    * The issue only affects systems where the SMTP Turbo module is used for mail distribution.
    * Incorrectly relayed messages still pass through spam filtering, which decreases the vulnerability’s usefulness for spam relaying.
    Affected platforms: All supported platforms
    Products: F-Secure Messaging Security Gateway 5.5.x...

    - http://secunia.com/advisories/35475/2/
    Release Date: 2009-06-16
    Critical: Moderately critical
    Impact: Security Bypass
    Where: From remote
    Solution Status: Vendor Patch
    OS: F-Secure Messaging Security Gateway P-Series, F-Secure Messaging Security Gateway X-Series...
    Solution: The vendor has fixed the vulnerability in patch 739, delivered automatically to affected systems. Approve the installation of patch 739 for systems not configured for automatic patch installation...


  4. #54
    AplusWebMaster (Adviser Team)

    ClamAV vuln - update available

    FYI...

    ClamAV CAB/RAR/ZIP vuln - update available
    - http://www.securityfocus.com/bid/35426/info
    Published: Jun 18 2009
    Updated: Jun 19 2009
    "... Versions prior to ClamAV 0.95.2 are vulnerable..."

    - http://www.clamav.net/
    "Latest ClamAV® stable release is: 0.95.2 ..."

    - http://www.clamav.net/download/sources


  5. #55
    AplusWebMaster (Adviser Team)

    McAfee false-positive glitch...

    FYI...

    McAfee false-positive glitch...
    - http://www.theregister.co.uk/2009/07...sitive_glitch/
    3 July 2009 22:48 GMT - "IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attack their core system files. In some cases, this caused the machines to display the dreaded BSOD. Details are still coming in, but forums here* and here** show that it's affecting McAfee customers in Germany, Italy, and elsewhere... Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664..."
    * http://forums.mcafeehelp.com/showthread.php?p=569669
    ** http://forums.mcafeehelp.com/showthread.php?t=231904

    - http://www.eweek.com/index2.php?opti...ge=0&hide_js=1
    2009-07-06 - "... On July 3, McAfee users running old versions of the VirusScan engine found themselves facing false positives after downloading a DAT file that labeled legitimate programs as malware. According to McAfee support forums, the glitch led to authorized programs being quarantined, and in some cases brought about the infamous "blue screen of death"... A McAfee spokesperson said the incorrect identification was resolved in the daily release, and stressed that customers running the most current software were not affected... According to McAfee, customers running Version 5200 or newer were not impacted by the problem. The most current versions are VirusScan Enterprise 8.7 and scanning engine 5301... "

    Last edited by AplusWebMaster; 2009-07-07 at 16:29. Reason: Added Eweek link...

  6. #56
    AplusWebMaster (Adviser Team)

    CA - false positive

    FYI...

    CA - false positive
    - http://www.theregister.co.uk/2009/07...gue_av_update/
    10 July 2009 - "... The update, issued on Wednesday, falsely labeled important Windows system files as potentially malign, dispatching them into quarantine. The action prevents Windows XP systems from booting properly... In a statement (below), CA said it issued a revised update on Thursday that resolved the problem.
    'On July 8, 2009 at 11:00am EST, a CA DAT file release contained improperly formed malware detections that errantly detected clean files from Microsoft Windows Service Pack 3 and from the commercial Cygwin application. Affected files were detected as "Win32\Amalum" variants with extensions such as ZZNRA, ZZOFK, ZZNPB, and ZZNRA.
    All files falsely detected as malware by these errant signatures were quarantined and renamed with the following text added to the file name "*.AVB". This prevented the affected files from running as the ".exe" file. It's important to note that the affected files remain fully intact, only the file extensions were modified.
    On July 9, 2009 at 3:30am EST the file was corrected and released.
    ' ..."

    > http://preview.tinyurl.com/lyh5s9
    Document ID: 3413 - Modify Date: Thursday, July 09, 2009 - "... false positive due to CA Anti-Virus Update # 6604 and has been corrected with CA Anti-Virus Update # 6606 or later..."


  7. #57
    AplusWebMaster (Adviser Team)

    Kaspersky vulns - update available

    FYI...

    Kaspersky Anti-Virus / Kaspersky Internet Security 2010
    Critical Fix 1 (version 9.0.0.463)
    - http://www.kaspersky.com/technews?id=203038755
    07.23.2009
    "FIXES:
    1. Problem with system instability after long period of program operation has been fixed.
    2. Error causing BSOD while updating the emulator driver has been fixed.
    3. Pop-up message in the URL checking module has been fixed (for the Spanish version).
    4. Problem with pausing the scan task while third party programs are running in full-screen mode has been fixed.
    5. Problem with the update task freezing at system startup has been fixed.
    6. Vulnerability that allowed disabling of computer protection using an external script has been eliminated.
    7. Driver crash in rare cases while processing a write operation has been fixed.
    8. Crash while processing data incompliant with the protocol of Mail.Ru Agent has been fixed.
    Download Here..."


  8. #58
    AplusWebMaster (Adviser Team)

    Vista AV tests - August 2009 - VB100

    FYI...

    - http://www.theregister.co.uk/2009/08...i_virus_tests/
    6 August 2009 - "Security vendors including CA and Symantec failed to secure Windows systems without fault in recent independent tests. Twelve of the 35 anti-virus products put through their paces by independent security certification body Virus Bulletin failed to make the grade for one reason or another and therefore failed to achieve the VB100 certification standard. The main faults were either a failure to detect a threat known to be in circulation (one particularly tricky polymorphic file infector caused the most grief in this area) or creating a false alarm about a file known to be benign. Virus Bulletin's VB100 tests benchmarks the performance of a vendor submitted anti-virus product against a set of malware from the WildList, a list of viruses known to be circulating. To gain VB100 certification, a security product must correctly detect all of these malware strains without blowing the whistle when scanning a batch of clean files. Vendors only get one run at passing the tests, which are conducted free of charge to security software manufacturers... The results of the August 2009 VB100 review can be seen here* (free registration required)... Virus Bulletin recently began assessing the reactive and proactive detection abilities of anti-virus products alongside the long-established VB100 tests. The new tests are a reflection that the malware landscape has changed radically over recent years, with greater malware volumes and targeted attacks... overall performance of security products in proactively detecting malware was "disappointingly low" in several cases (see chart here**). "We saw some particularly poor detection of emerging threats and the products in question have a lot of work to do if they are to provide acceptable protection for their customers...."

    * http://www.virusbtn.com/vb100/archive/2009/08

    ** http://www.virusbtn.com/vb100/RAP/RA...-Feb-Aug09.jpg


  9. #59
    AplusWebMaster (Adviser Team)

    Sophos SAVScan vuln - updates available

    FYI...

    Sophos SAVScan vuln - updates available
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-6904
    Last revised: 08/07/2009
    CVSS v2 Base Score: 10.0 (HIGH)

    > http://www.sophos.com/support/knowle...cle/50611.html
    "... The vulnerability has been removed from all versions of Sophos Anti-Virus running the virus engine, version 2.82.1 and above...
    1. Check that you have the latest version of Sophos Anti-Virus on your computers.
    2. If necessary update to ensure you have virus engine version 2.82.1 or above..."


  10. #60
    AplusWebMaster (Adviser Team)

    CA false positives...

    FYI...

    CA false positives...
    - http://www.dynamoo.com/blog/2009/08/...win32-and.html
    12 August 2009 - "CA eTrust ITM has gone completely nuts today, with a load of seemingly random false positives mostly for StdWin32 in a large number of binaries, including some components of eTrust itself. The core problem seems to be a signature update from 31.6.6672 to 33.3.7051, there seems to be little consistency in what is being detected as a false positive although there are multiple occurrences of Nokia software, VNC and event DLLs and EXEs belonging to eTrust's core components...
    Update 2: Signature pattern 34.0.6674 appears to fix this problem..."

    CA / ITM False Positive Notice
    > http://www.ca.com/us/securityadvisor...spx?cid=214397
    Published: 12 Aug 2009

    > https://support.ca.com/irj/portal/an...ntentID=214394
    ___

    - http://www.theregister.co.uk/2009/08...immune_update/
    12 August 2009

    - http://isc.sans.org/diary.html?storyid=6955
    Last Updated: 2009-08-13 01:35:11 UTC

    Last edited by AplusWebMaster; 2009-08-13 at 16:27.
