December 31st, 2005
Anti-Virus Coverage for WMF Flaw Still Spotty
By Michael Santo
Contributing Writer, RealTechNews
It has been a few days since the WMF (Windows Metafile) vulnerability was uncovered. Microsoft has published a workaround but no patch yet, so for now many people are counting on their antivirus (AV) program, and not all AV products detect all of the variants in circulation.
AV-Test, which tests anti-malware products, has been tracking the situation closely and has so far analyzed 73 variants of malicious WMF files. Products from the following companies detected all 73:
Alwil Software (Avast), Softwin (BitDefender), ClamAV, F-Secure Inc., Fortinet Inc., McAfee Inc., ESET (Nod32), Panda Software, Sophos Plc., Symantec Corp., Trend Micro Inc., VirusBuster
These products detected fewer variants (number detected out of 73):
62 — eTrust-VET
62 — QuickHeal
61 — AntiVir
61 — Dr Web
61 — Kaspersky
60 — AVG
19 — Command
19 — F-Prot
11 — Ewido
7 — eSafe
7 — eTrust-INO
6 — Ikarus
6 — VBA32
0 — Norman
Source: eWeek
We Say: The "big 2" (McAfee, Symantec) do fine here, but it is notable that Kaspersky, which many users of alternative AV products regard as the best, caught only 61 of the 73 variants.

I have always chosen an AV program with strong heuristics (flagging a file because it exhibits the technique the exploit relies on, rather than matching the byte patterns of one known sample) in addition to good signature support, so that there is some protection in the window before the signature database is updated. My AV is not one of the big 2 (and I don't feel comfortable advertising it), but it is on the list above.

The same AV-Test spreadsheet, looking at the MS05-039-based attacks from earlier in the year, also shows which AVs reacted proactively (heuristically) to those threats: McAfee, Symantec, and Kaspersky did not catch them proactively, while my AV once again did.

Don't get me wrong; no AV is going to catch everything. Just make sure you have a good one and be careful out there, which tonight means both on the Web and out driving. Happy New Year!
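As an added illustration of the heuristic-versus-signature distinction (this is example code written for this page, not code from the article, from AV-Test, or from any AV vendor): the WMF flaw is reached through a metafile Escape record whose sub-function is SETABORTPROC, a detail the article does not spell out. A structural rule therefore looks for that record shape rather than for the bytes of any one variant, which is why it can fire before a signature for a new variant exists. The scanner below parses the WMF header and record stream in Python and flags any SETABORTPROC escape. It also treats a record as an Escape when only the low byte of the function code matches; that GDI dispatched on the low byte alone is an assumption here (reported for some variants, not verified on this page). The sample files are constructed with the `build_wmf` helper; the "payload" words are filler, not shellcode.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_ESCAPE = 0x0626         # WMF record function: GDI Escape
META_EOF = 0x0000            # WMF record function: end of metafile
SETABORTPROC = 9             # Escape sub-function the WMF exploit abuses


def scan_wmf(data):
    """Walk the WMF record stream and return heuristic findings (empty list = clean).

    Structure-based rule: any Escape record whose sub-function is SETABORTPROC
    is flagged, whatever bytes follow it, so the rule does not depend on the
    payload of one particular variant.
    """
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        return ["truncated: no complete METAHEADER"]
    mt_type, mt_header_size = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or mt_header_size != 9:
        findings.append(f"odd METAHEADER: type={mt_type} headersize={mt_header_size}")
    off += 18                                     # METAHEADER is 18 bytes
    while off + 6 <= len(data):
        # each record: rdSize (DWORD, in 16-bit words), rdFunction (WORD), params
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        # Assumption (reported for some variants, not verified here): the GDI
        # player dispatches on the low byte of the function code, so a record
        # tagged 0x1126 is played as an Escape just like 0x0626.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and off + 8 <= len(data):
            sub_function = struct.unpack_from("<H", data, off + 6)[0]
            if sub_function == SETABORTPROC:
                findings.append(f"SETABORTPROC escape at offset {off} (function 0x{func:04x})")
        if size_words < 3:
            # a record cannot be shorter than its own 6-byte prefix; stop rather than loop
            findings.append(f"undersized record ({size_words} words) at offset {off}")
            break
        off += size_words * 2
    else:
        findings.append("no META_EOF record before end of data")
    return findings


def build_wmf(records, placeable=False):
    """Constructed test-data helper: wrap (function, [parameter words]) pairs in a
    minimal WMF, appending META_EOF. The placeable checksum is left at zero."""
    body = b""
    max_record = 0
    for func, parms in list(records) + [(META_EOF, [])]:
        size_words = 3 + len(parms)
        max_record = max(max_record, size_words)
        body += struct.pack("<IH", size_words, func)
        body += b"".join(struct.pack("<H", p) for p in parms)
    total_words = 9 + len(body) // 2
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record, 0)
    if placeable:
        # key, handle, bbox (left, top, right, bottom), inch, reserved, checksum
        header = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


# Constructed samples. FILLER stands in for whatever a real variant appends.
FILLER = [0x4141, 0x4141, 0x4141, 0x4141]
BENIGN_WMF = build_wmf([(0x0103, [8])])                      # META_SETMAPMODE only
SUSPICIOUS_WMF = build_wmf([(META_ESCAPE, [SETABORTPROC, 8] + FILLER)], placeable=True)
VARIANT_WMF = build_wmf([(0x1126, [SETABORTPROC, 8] + FILLER)])   # high byte changed

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF),
                         ("variant", VARIANT_WMF)):
        print(name, scan_wmf(sample))
```

The rule is deliberately narrow: it says nothing about what follows the escape, so renaming, re-encoding or padding the payload does not evade it, while an ordinary metafile that never issues SETABORTPROC produces no finding. A real engine would add this kind of structural check alongside its signatures, which is the combination the article argues for.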
MarcosV says:
Makes me wonder how effective the antivirus program that's part of Microsoft's Windows OneCare free beta is. I know far too many people who let their antivirus subscription lapse or can't afford it in the first place. Those are the type that would go for a free antivirus program like AVG or WOC.
December 31st, 2005 at 3:50 pm
Cheese Toast says:
I'm glad to see my favorite, Avast!, is one of the ones that spotted all 73. I have been a user of their AV software for 2 years now, and it still amazes me how often they update the virus dat file. Sometimes as much as 4 times a day!
chz
January 1st, 2006 at 3:03 am
Sabregen says:
I've been nailed 2 times on my main machine by this bug in the last week. The internet gods do not like me, it would seem. I was running Norton AV 2003, fully updated (the second time), and it slipped right through. So much for covering all 73 variants. Perhaps there are more than 73, the rest remaining undetected, or newly released exploits. I hope M$ releases a patch soon for this (read: Tuesday). I don't want to make it 4 XP reloads in 1 week. I tried the following to clean it, both times, with no success:
Norton AV 2003
Bit Defender Online
TrendMicro PC Housecall Online
Spybot Search and Destroy
Ad Aware SE
Microsoft Anti-Spyware Beta
Spysweeper
Once it's in, you're screwed, as nothing seems to work successfully to remove it from the infected machine. This one's a doozy.
January 1st, 2006 at 9:02 am
Michael Santo says:
My guess is they tested the latest NAV, so that 73-variant coverage probably doesn't apply to your version.
January 1st, 2006 at 9:07 am
Joe says:
Well, it seems like an attempt to create a large botnet to me. I am now getting unusual processes running.
Something listed as mssearchnet.exe is now running in the process list!
Norton AV detects the trojan (Zlob), but it says it failed to remove or repair it for some reason. And yes, I ran NAV in safe mode.
Happy New Year, Windows users; time to reformat again!
P.S. Hope you burned your SP2 disks before the virus got to you.
January 3rd, 2006 at 2:02 pm