
eEye Digital Security


Blink has failed to disinfect a malware package

Last post 05-19-2009 8:16 PM by Blue1978. 5 replies.
  • 05-17-2009 12:17 PM

    • imhome
    • Top 100 Contributor
    • Joined on 03-20-2009
    • Posts 7

    Blink has failed to disinfect a malware package

    I am running Blink Personal 4.3.2 1516 and received a message that Blink failed to disinfect a malware package, specifically W32/Malware.GLXQ. Does anyone have any information on this malware?

  • 05-18-2009 3:53 AM In reply to

    Re: Blink has failed to disinfect a malware package

    Can you post your alert here?  Did it say anything about being detected in the "Sandbox"?  It looks like a piece of Malware that may have been detected by the Sandbox, which means there is no actual signature for it, however based on the file's content and actions it looks malicious.

    Information on Norman's Sandbox technology can be found here:  http://www.norman.com/technology/norman_sandbox/the_solution/en-us

    F-Secure (which uses Norman's Sandbox technology) has this general description on their site:

    http://www.f-secure.com/v-descs/w32_malware.shtml

    I would recommend setting your Malware settings to "Quarantine" as first choice and then "Log Only" as the second.  After that I would then have Blink do a manual in-depth scan of your system again.

     

  • 05-18-2009 6:01 AM In reply to

    • imhome
    • Top 100 Contributor
    • Joined on 03-20-2009
    • Posts 7

    Re: Blink has failed to disinfect a malware package

    Event ID: BLINK-ENG-203
    Severity: High
    Description: Blink has failed to disinfect a malware package
    Alert: No
    Name: W32/Malware.GLXQ
    Action: Disinfection Error
    Item Found: C:\WINDOWS\TEMP\SEC9AE1.TMP
    Error: The process cannot access the file because it is being used by another process.

    Thank you Blue1978 for the info.

  • 05-18-2009 6:48 AM In reply to

    Re: Blink has failed to disinfect a malware package

    Interesting, looks like since the system was using the file and had it locked, Norman was unable to grab it.  I would recommend the full manual scan (after you reboot your system, ensure your signatures are up to date, and then maybe clean your system with a program like CCleaner or something).  More than likely, once you reboot your system, that file will no longer exist ... unless it is persistent.

  • 05-19-2009 6:08 AM In reply to

    • imhome
    • Top 100 Contributor
    • Joined on 03-20-2009
    • Posts 7

    Re: Blink has failed to disinfect a malware package

    Blue1978,

    That file, being a temp file, was no longer available after reboot.  Full scan is coming clean and I am running Malwarebytes to see if it catches anything. Haven't used CCleaner yet since I'm not sure about registry cleaners....

    What is interesting is that this alert was fired after another alert that said that the threat was found and quarantined already. 

    If Blink finds the malware and my rule is first Quarantine, else Delete, then the file should be quarantined. If the quarantine was successful, then there should be no additional alerts after the quarantine action. If quarantine was unsuccessful, then the file would be deleted; once again, no reason for an additional alert except to notify on the delete action, or am I missing something?

    It bothers me that the program supposedly found malware but could not disinfect it; now I am seeing the same malware hopping around and getting caught at different locations and am not sure if I have a major infection or merely a wild goose chase.

    Is there a way to check and make sure that Blink is the first app running after OS loads?

    It would be nice to boot to cd and have blink run first with full scan. Has anyone worked with live cd to boot and have blink run in full scan on the hdd?

    Pointers would be appreciated....

    Thanks,
    Home

  • 05-19-2009 8:16 PM In reply to

    Re: Blink has failed to disinfect a malware package

    imhome:
    Is there a way to check and make sure that Blink is the first app running after OS loads?
     

    Yes, I asked the same thing to eEye through my support portal, please see my ticket below:

    ========================================================================

    My Question:  "When does Blink start its protection upon entering Windows? The reason I ask is, I have my Windows XP set up to log me in via the "Classic Logon" screen mode. Once I log in with an account, the volume icon will show, then my add/remove hardware icon will appear, and then the Blink icon will show finally. At this point, if I click on Blink's icon it still says Blink's protection is enabling itself.  To me this seems like an awfully long period of time for something malicious to have already patched itself within the Windows kernel. Is Blink already protecting before I log into Windows, or is this something that can be improved drastically? Me personally, I would like to see Blink patching the kernel well before I am logging in. What is the case as far as this matter is concerned?"

    eEye's Response: "Blink loads its drivers very early. This tool can be used to see the load order: http://technet.microsoft.com/en-us/sysinternals/bb897416.aspx"
    =========================================================================

    imhome:
    If Blink finds the malware and my rule is first Quarantine, else Delete, then the file should be quarantined. If the quarantine was successful, then there should be no additional alerts after the quarantine action. If quarantine was unsuccessful, then the file would be deleted; once again, no reason for an additional alert except to notify on the delete action, or am I missing something?

    True, but what if something was a false positive and, after deleting the item, a program or process stopped working because of it?  To me it is better to Quarantine something and, if you can't, at least you can look into it further first before taking any further action.  Also, if you wanted to make a copy of the file in question and have eEye submit it to Norman for further review (to see if it was a false positive or if it needed to have a signature made for it), this would be difficult to do if it was deleted. :)

    imhome:
    What is interesting is that this alert was fired after another alert that said that the threat was found and quarantined already

    Some Malware (from what I have gathered and noticed by playing with it intentionally in VMware) packages will download a number of temp files, .dll files (which are used to load library functions and such for the end program to use) first before final installation or execution is attempted.  These files are normally loaded into Memory temporarily (hence why it was sitting in the TEMP folder being used by the OS) and then once everything sets itself up, these files are used by the original package to carry out its end function.  If the package is otherwise caught first, these files may still be considered malicious, but without the initial package they are unable to be used for anything, so they sit.
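
As an added example that is not part of this thread and not eEye's or Norman's own tooling, the following Python script parses an alert in the format imhome posted above, flags the conditions the replies discuss (a locked file in a TEMP directory, a generic W32/Malware.* detection, a disinfection error) and groups several alerts by detection name so that the "same malware caught at different locations" pattern can be seen at a glance. The first sample alert is the one from the thread; the second alert and its event ID are constructed placeholders. Treating W32/Malware.* names as generic detections and the follow-up recommendations both follow the advice given in the replies, not any documented Blink behaviour, and the regex parser is an assumption about the alert layout rather than Blink's own format specification.

```python
import re
from collections import defaultdict

# Constructed sample alerts. The first reproduces the event imhome posted in
# this thread; the second is an invented "quarantined successfully" alert
# whose event ID is a placeholder (the real ID is not given in the thread).
SAMPLE_ALERTS = [
    """Event ID: BLINK-ENG-203
Severity: High
Description: Blink has failed to disinfect a malware package
Alert: No
Name: W32/Malware.GLXQ
Action: Disinfection Error
Item Found: C:\\WINDOWS\\TEMP\\SEC9AE1.TMP
Error: The process cannot access the file because it is being used by another process.""",
    """Event ID: BLINK-ENG-PLACEHOLDER
Severity: High
Description: Blink has quarantined a malware package
Alert: Yes
Name: W32/Malware.GLXQ
Action: Quarantined
Item Found: C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup_x.exe""",
]

# "Key: value" lines; the key is matched non-greedily so a Windows path
# such as C:\WINDOWS\... stays entirely in the value part.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")
LOCK_ERROR = "being used by another process"


def parse_blink_alert(text):
    """Turn one alert block into a dict keyed by lower-case field name
    (e.g. 'event_id', 'item_found'). Unrecognised lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = m.group(1).strip().lower().replace(" ", "_")
        fields[key] = m.group(2).strip()
    return fields


def triage(alert):
    """Flag the conditions discussed in the thread and suggest a follow-up.
    The follow-up strings restate the replies' advice (reboot, update
    signatures, rescan; or keep the sample for review), not vendor guidance."""
    name = alert.get("name", "")
    path = alert.get("item_found", "")
    error = alert.get("error", "").lower()
    findings = {
        # Assumption from the thread: W32/Malware.* is a generic/sandbox name.
        "generic_detection": name.upper().startswith("W32/MALWARE."),
        "file_locked": LOCK_ERROR in error,
        "in_temp_dir": bool(re.search(r"\\temp\\", path, re.IGNORECASE)),
        "disinfect_failed": alert.get("action", "").lower() == "disinfection error",
    }
    if findings["file_locked"] and findings["in_temp_dir"]:
        findings["follow_up"] = ("reboot, update signatures, run a full manual scan "
                                 "and confirm the temp file is gone")
    elif findings["disinfect_failed"]:
        findings["follow_up"] = "quarantine manually and keep a copy for sample submission"
    else:
        findings["follow_up"] = "none: action completed"
    return findings


def correlate(alerts):
    """Group parsed alerts by detection name. One name seen at several paths
    with unresolved actions is the 'hopping around' pattern imhome describes."""
    by_name = defaultdict(lambda: {"count": 0, "paths": set(), "unresolved": 0})
    for a in alerts:
        entry = by_name[a.get("name", "?")]
        entry["count"] += 1
        entry["paths"].add(a.get("item_found", ""))
        if triage(a)["disinfect_failed"]:
            entry["unresolved"] += 1
    return dict(by_name)


if __name__ == "__main__":
    parsed = [parse_blink_alert(t) for t in SAMPLE_ALERTS]
    for p in parsed:
        print(p["event_id"], p["name"], "->", triage(p)["follow_up"])
    for name, info in correlate(parsed).items():
        print(name, "alerts:", info["count"], "distinct paths:", len(info["paths"]),
             "unresolved:", info["unresolved"])
```

Run it as-is to see the two sample alerts triaged and grouped; to use it on real Blink events, paste each alert block as one string into `SAMPLE_ALERTS` or read them from a file and split on blank lines.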
