Network Security Focus-Virus

Virus Scanning Web pages

Subject: Virus Scanning Web pages
Date: Thu, 12 Aug 2004 11:00:16 -0700 (PDT)
To provide a practical example of what I'm referring to.

I currently use McAfee VirusScan Enterprise 7.1. This has the option of detecting potentially unwanted and joke programs. This covers a variety of trojans, spyware and adware.
 
Exploit-MhtRedir.gen (Trojan)
hxxp://xxxxxxxxxxxxxxxxxxx

VBS/Psyme (Trojan)
hxxp://xxxxxxxxxxxxxxxxxxxx

When I click on these links, McAfee VirusScan Enterprise 7.1 detects the viruses.

Exploit-MhtRedir.gen results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file. The end result is the execution of arbitrary code at the permission level of the current user.

VBS/Psyme exploits an old vulnerability in Internet Explorer. The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object. There are several variants of this trojan. The trojan exists as VBScript. This script contains instructions to download a remote executable, save it to a specified location on the local disk, and then execute it.

My desktop AV could detect these viruses. I would expect a gateway AV solution to be able to do the same.

Hmmmm. Do any of your users need to access active web page forms of any kind as part of their jobs? If so, how would you distinguish a legitimate Java or ActiveX or other widget that must write data to disk from a malicious example of the same kind of technology? I

That would involve a heuristic scan. However, signature-based detection is very accurate. If anti-virus software can distinguish between malicious and non-malicious EXEs it should be possible with other application types.



                

  • Virus Scanning Web pages, Brian Erdelyi <=
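
The post describes VBS/Psyme as script that downloads a file, writes it with ADODB.Stream, and then executes it. The following is an added example, not part of the original message and not any vendor's signature: a gateway-style check that flags a page only when all three behaviours appear in one script block, and marks a disk-writing widget on its own for review. The trait patterns, verdict names, and sample pages are constructed assumptions.

```python
import re

# Behaviour traits taken from the post's description of VBS/Psyme.
# The patterns are illustrative assumptions, not real AV signatures.
TRAITS = {
    "stream_object": re.compile(r"adodb\.stream", re.I),
    "write_to_disk": re.compile(r"\.\s*savetofile\b", re.I),
    "remote_fetch": re.compile(r"(msxml2|microsoft)\.xmlhttp", re.I),
    "execute": re.compile(r"(wscript\.shell|shell\.application)", re.I),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
RANK = {"allow": 0, "review": 1, "block": 2}

def normalize(script):
    # Rejoin trivially split string literals ("ADO" & "DB.Stream") before matching
    return re.sub(r'"\s*[&+]\s*"', "", script)

def scan_page(html):
    """Return (verdict, traits) for the worst-scoring <script> block in a page."""
    worst = ("allow", [])
    for body in SCRIPT_RE.findall(html):
        text = normalize(body)
        found = sorted(n for n, rx in TRAITS.items() if rx.search(text))
        writes = "stream_object" in found and "write_to_disk" in found
        if writes and "remote_fetch" in found and "execute" in found:
            verdict = "block"    # download + write + run in one script
        elif writes:
            verdict = "review"   # writes to disk, nothing else suspicious
        else:
            verdict = "allow"
        if RANK[verdict] > RANK[worst[0]]:
            worst = (verdict, found)
    return worst

# Constructed sample pages; the script bodies are incomplete fragments by design.
DROPPER_LIKE = """<html><script language="VBScript">
Set x = CreateObject("Microsoft.XMLHTTP")
Set s = CreateObject("ADO" & "DB.Stream")
s.SaveToFile "PLACEHOLDER", 2
Set w = CreateObject("WScript.Shell")
</script></html>"""
FORM_WIDGET = """<html><script language="VBScript">
Set s = CreateObject("ADODB.Stream")
s.SaveToFile "report.csv", 2
</script></html>"""
PLAIN = '<html><script>document.title = "hello";</script></html>'

if __name__ == "__main__":
    for name, page in [("dropper-like", DROPPER_LIKE), ("widget", FORM_WIDGET), ("plain", PLAIN)]:
        print(name, scan_page(page))
```
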