Do we need test procedures in our companies before implementing Antivirus signatures?
by Manuel Humberto Santander Pelaez (Version: 1)
We have heard a couple of cases regarding problems caused my faulty antivirus signature files.Most recend that has a worldwide impact was the Microsoft Antivirus treating code from google webpage as virus. In 2010, Mcafee deployed DAT 5958 which identified svchost.exe as a virus, deleting it an causing loose of network access. In April 2011, Mcafee deployed DAT 6329, which caused disruption in SAP telephone connectivity functionality as it recognized spsgui.exe with virus. Also deployed DAT 6682, which caused system crash in GroupShield Exchange (MSME), GroupShield Domino, and McAfee Email Gateway.
Yesterday, we received report from reader John stating that computers with DAT 6807 installed got conectivity problems. Today Mcafee confirmed this to be a problem if you are using VSE 8.8.x and have DAT 6807 or 6808 installed. Their recommendation is to go straight to DAT6809.
Other antivirus programs like AVG also deploys faulty updates. Since these events are becoming a worrying trend, should we implement test procedures inside our organizations as we do with other updates like the ones deployed by Microsoft with Windows Update? Implementing a faulty update has a high risk to the organization and its solution consumes considerable time and substantial resources. I am considering implementing such procedure for my company.
Do you think it's necessary to implement such procedure in your company? Let us know!
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail:msantand at isc dot sans dot org
Comments
yvesk
Aug 20th 2012
1 decade ago
Brent
Aug 20th 2012
1 decade ago
Delaying deploying the new signatures also adds some amount of risk - your systems remain vulnerable to the latest defendable malware for longer. After all that extra work, your internal testing may not even catch an incompatibility that shows up in production. I imagine that many organizations' approaches to automatic updates (of any sort) are ad-hoc. The "right" option depends on many technical and non-technical needs of each organization.
anonymous
Aug 20th 2012
1 decade ago
Val
Aug 20th 2012
1 decade ago
This process delays the DAT update roll out by 18 hours giving us time to validate the DAT update and for McAfee to pull a bad DAT back prior to it's release to our Enterprise. This has saved us during the bad DAT times as noted in the original article. If there is an issue, we are usually only one or two DAT releases behind but catch up during the day.
Howie
Aug 20th 2012
1 decade ago
JJ
Aug 20th 2012
1 decade ago
Daniel
Aug 20th 2012
1 decade ago
Phil
Aug 21st 2012
1 decade ago
As most others have stated, doing a full, thorough round of testing for every single release would quickly find yourself getting increasingly behind real-time. At first you may be one behind the current release but eventually I think you'd find another newer current release would be out before you finished testing the first one and so on....
Matt
Aug 21st 2012
1 decade ago
Ryan
Aug 21st 2012
1 decade ago