[Dshield] FW: virus found in sent message "illegal..."

Al Reust areust at comcast.net
Wed Mar 10 04:11:46 GMT 2004


This is interesting. I apologize in that I should have stated that this 
particular machine was running Symantec Corporate 8.1 AV.

It means that I should check to see if NSW 2003 will detect the same problem.

R/

At 01:41 PM 3/9/2004 -0500, you wrote:
>I can't remember ever getting an alert from NAV 2003 while browsing in IE 
>6/5, but then I'm the zealot with his ActiveX/Java and a bunch of other 
>stuff turned off. Now while doing weekly scans, I've found & cleaned 
>things in the cache that never got rendered by the browser.
>
>One would think that NAV stands between the incoming data & IE, therefore 
>should be able to deny access to the file & remove it. Biggest surprise 
>years ago was when a sample of the 1st IE exploit changed files on my 
>system & NAV at the time never raised any flags. Ever since then I've been 
>using dumbed down IE settings & custom security zones.
>
>Emptying the cache is good & bad: Good in that there aren't a huge number 
>of little files to be scanned. Bad in that if a site gave you an infected 
>file, you wouldn't know at all. When scanning from a boot CD, I always 
>clear the cache or suffer the potential hours of scanning temp Internet 
>files w/ HDD caching.
>
>Won't be trying NAV 2004 w/ its activation nightmares here, almost not 
>even using 2003 after it crapped out a week before my subscription was to 
>expire and taking my network stack with it (symtdi) doing an uninstall.
>
>At 09:32 AM 3/9/2004, Peter Stendahl-Juvonen wrote:
>
>>Should the Auto-Protect feature of the antivirus SW not be able to
>>delete the contaminated temporary Internet file as soon as the user
>>closes the browser?
>>
>>At least that is how NAV2004 behaves when it detects and identifies the
>>threat as W32.Sobig.F@mm.enc.
>>
>>[File located at C:\Documents and Settings\UserName\Local
>>Settings\Temporary Internet Files\Content.IE5\G5ABKTY7\msg00002[1].htm.
>>Should be no problem deleting that file, should there?]
>>
>>Nevertheless, I second your recommendation about cleaning the Internet
>>cache and scanning the system for viruses post festum.
>>
>>Yet the system should be clean as soon as the antivirus SW's
>>Auto-Protect feature is able to delete the infected temporary Internet
>>file, i.e. when user exits the browser (unloads IE from RAM).
>
>Joshua MacCraw
>warpmedia at comcast.net
>http://mywebpages.comcast.net/jmaccraw



