McAfee/NAI rolls bad pattern
NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files rather than delete them outright; this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.

If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
  • How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
  • Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?
Daniel

ISC Handler
Mar 11th 2006
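The first question above (telling a bad pattern from a real outbreak) can be turned into a triage rule you run over your AV console's alert export. The example below is added here and is not part of the diary or of any McAfee tool; the pipe-delimited log format, the hostnames, hashes, paths and the "pattern 4715 rolled out at 08:00" timestamp are all constructed. The heuristics are the ones a handler would apply by hand: a bad pattern hits the same baseline file on many hosts within minutes of the update, whereas an outbreak shows different files in user-writable locations trickling in over hours.

```python
"""Added example: triage AV alerts to separate a bad-pattern false-positive
storm from a real outbreak.  Log format, hosts, hashes and timestamps are
constructed for this example, not taken from any real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert export.  Fields: host|timestamp|pattern_version|detection|path|sha256
SAMPLE_ALERTS = r"""
ws01|2006-03-11T08:02:10|4715|W95/CTX|C:\Program Files\VendorApp\vendor.dll|aaa1
ws02|2006-03-11T08:02:41|4715|W95/CTX|C:\Program Files\VendorApp\vendor.dll|aaa1
ws03|2006-03-11T08:03:05|4715|W95/CTX|C:\Program Files\VendorApp\vendor.dll|aaa1
ws04|2006-03-11T08:03:30|4715|W95/CTX|C:\Program Files\VendorApp\vendor.dll|aaa1
ws01|2006-03-11T09:10:00|4715|W32/Mydoom.gen|C:\Documents and Settings\bob\Local Settings\Temp\readme.exe|bbb2
ws07|2006-03-11T10:35:12|4715|W32/Mydoom.gen|C:\WINDOWS\system32\svchosts.exe|bbb3
ws12|2006-03-11T13:20:44|4715|W32/Mydoom.gen|C:\Documents and Settings\ann\attach\doc.pif|bbb4
"""

# Constructed baseline: hashes of files you deployed yourself (gold image, vendor packages).
KNOWN_GOOD_HASHES = {"aaa1"}

# Constructed: when each pattern version reached the endpoints.
PATTERN_RELEASED = {"4715": datetime(2006, 3, 11, 8, 0, 0)}


def parse_alerts(text):
    """Parse pipe-delimited alert lines into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts, version, detection, path, digest = line.split("|")
        alerts.append({"host": host, "time": datetime.fromisoformat(ts),
                       "version": version, "detection": detection,
                       "path": path, "sha256": digest})
    return alerts


def triage(alerts, known_good, released, burst_window=timedelta(minutes=30)):
    """Group alerts by (detection, pattern version) and judge each group.

    Bad-pattern shape: several hosts, the same baseline file everywhere, and
    nearly every alert inside the burst window right after the rollout.
    Outbreak shape: no baseline hits, several different files, and alerts
    spread over time instead of arriving all at once.
    """
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["detection"], a["version"])].append(a)

    results = {}
    for key, items in groups.items():
        _, version = key
        hosts = {a["host"] for a in items}
        digests = {a["sha256"] for a in items}
        good = sum(1 for a in items if a["sha256"] in known_good)
        good_share = good / len(items)

        rollout = released.get(version)
        if rollout is None:
            burst_share = 0.0  # unknown rollout time: cannot use the timing signal
        else:
            in_burst = sum(1 for a in items
                           if rollout <= a["time"] <= rollout + burst_window)
            burst_share = in_burst / len(items)

        if len(hosts) >= 3 and good_share >= 0.9 and len(digests) <= 2 and burst_share >= 0.8:
            verdict = "suspected false positive"
        elif good == 0 and len(digests) > 1 and burst_share < 0.5:
            verdict = "possible outbreak"
        else:
            verdict = "undetermined"

        results[key] = {"hosts": len(hosts), "distinct_files": len(digests),
                        "known_good_share": round(good_share, 2),
                        "burst_share": round(burst_share, 2), "verdict": verdict}
    return results


if __name__ == "__main__":
    for key, r in triage(parse_alerts(SAMPLE_ALERTS), KNOWN_GOOD_HASHES, PATTERN_RELEASED).items():
        print(key, r)
```

The baseline of known-good hashes is what makes this decisive: a signature that fires on a file you installed from a vendor package is far more likely to be a bad pattern than an infection, and the rollout timestamp lets you see whether the alerts began the moment the new pattern landed. Neither fact is available from the AV console alone, so both have to be collected before the day you need them.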

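The second question (can you roll back to the last known-good pattern without the vendor) has a simple answer only if you keep your own copies. The following is an added example of a local pattern mirror, not McAfee's update mechanism or any real file layout: the mirror/<version>/pattern.bin layout, the manifest.json format and the version numbers in the demo scenario are assumptions. The point it demonstrates is that "previous version" is not the same as "known good": a rollback has to skip versions you have since flagged as bad and refuse any package whose hash no longer matches what was recorded when it was fetched.

```python
"""Added example: a local mirror of AV pattern packages with known-good rollback.
Layout and manifest format are hypothetical; the demo scenario is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


class PatternMirror:
    """mirror/<version>/pattern.bin plus mirror/manifest.json recording hash and trust state."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.manifest_path = self.root / "manifest.json"
        if self.manifest_path.exists():
            self.manifest = json.loads(self.manifest_path.read_text())
        else:
            self.manifest = {"current": None, "versions": {}}

    def _save(self):
        self.manifest_path.write_text(json.dumps(self.manifest, indent=2))

    @staticmethod
    def _sha256(path):
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()

    def record(self, version, data, make_current=True):
        """Store a pattern package and its hash; a new version is not trusted until marked."""
        vdir = self.root / str(version)
        vdir.mkdir(exist_ok=True)
        target = vdir / "pattern.bin"
        target.write_bytes(data)
        self.manifest["versions"][str(version)] = {"sha256": self._sha256(target),
                                                   "known_good": False}
        if make_current:
            self.manifest["current"] = str(version)
        self._save()

    def mark(self, version, known_good):
        """Record the outcome of running a version (clean day: True; false positives: False)."""
        self.manifest["versions"][str(version)]["known_good"] = known_good
        self._save()

    def current(self):
        return self.manifest["current"]

    def last_known_good(self):
        """Highest version below current that is marked known-good and still matches its hash."""
        cur = int(self.manifest["current"])
        for v in sorted((int(x) for x in self.manifest["versions"]), reverse=True):
            if v >= cur:
                continue
            entry = self.manifest["versions"][str(v)]
            if not entry["known_good"]:
                continue  # a version flagged bad after the fact is never a rollback target
            path = self.root / str(v) / "pattern.bin"
            if path.exists() and self._sha256(path) == entry["sha256"]:
                return str(v)
        return None  # refuse to roll back onto anything tampered with or untrusted

    def rollback(self):
        """Repoint 'current' at the last known-good version; returns it, or None if none exists."""
        target = self.last_known_good()
        if target is None:
            return None
        self.mark(self.current(), False)  # the version we are leaving is now suspect
        self.manifest["current"] = target
        self._save()
        return target


def demo_rollback(root=None):
    """Constructed scenario: 4716 current, 4715 flagged bad, 4714 tampered on disk, 4713 clean."""
    root = root or tempfile.mkdtemp()
    m = PatternMirror(root)
    for ver in ("4713", "4714", "4715"):
        m.record(ver, b"dat-" + ver.encode())
        m.mark(ver, True)
    m.record("4716", b"dat-4716")
    m.mark("4715", False)  # 4715 produced false positives; never roll back onto it
    (m.root / "4714" / "pattern.bin").write_bytes(b"corrupted")  # silent disk corruption
    before = m.current()
    target = m.rollback()
    return {"before": before, "rolled_back_to": target,
            "after": PatternMirror(root).current()}  # re-open to prove persistence


if __name__ == "__main__":
    print(demo_rollback())
```

In the demo the rollback lands on 4713 rather than 4715 (flagged bad) or 4714 (hash mismatch), and the decision survives re-opening the manifest from disk. Whether the vendor's download site still offers the previous pattern is a separate question worth checking now rather than during the incident.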