
eEye Digital Security


 

Virus Bulletin Reviews of Blink Professional

Last post 12-04-2009 2:18 PM by puresecure. 20 replies.
  • 10-12-2009 8:59 AM In reply to

    Re: Virus Bulletin Award - August 2009

     Can you please open a support Ticket and upload the code that is not detected?

    It sounds like this one can be done with FTP signatures which is a lot easier than having to release code.

    Regards
    Laurentiu Nicula
  • 10-12-2009 8:59 PM In reply to

    Re: Virus Bulletin Award - August 2009

    lnicula:

     Can you please open a support Ticket and upload the code that is not detected?

     

     I have. 

    lnicula:

    It sounds like this one can be done with FTP signatures which is a lot easier than having to release code.

    Gumblar is over 5 months old and that’s why I’m voicing my opinion publicly about eEye's failure to react. I know security exploits are almost out of control these days, but Old eEye would have been all over this one. "Don't take it as a diss, take it as an act of kindness, We wanna be in front while them fools is behind us" ~ Del

     

    A proper solution might have been to:

     

    #1 detect and block the upload of the code via FTP in modified html, htm, css, js, php and whatever else it infects.

    #2 block outbound transmission of pages containing such code infected prior to FTP rules. Today Intelligent agents are still actively looking for exploited servers. Why? Image folders contain *.php files supplying anyone with IPs, FTP UIDs & PWDs used to infect the servers.

    #3 detect the code in said files via file scanner offering to clean the infected code. Really it's a simple find and replace.

     


     

    In closing, Big companies are depending on your talent to protect them. They were sold this idea from marketing you were an active security company. I can't say it enough, your IPS has been your strength for a long time in Blink & it's been neglected. While I don’t trust any 1 “security” company, I know many who do and that's downright scary if they rely on Blink alone. Really someone internal needs to bump some heads, get the trance flowing, and start the security party back-up! Trying to tackle that impossible feat security really is. Good luck to ya moving forward, & as always I will keep my EYE on you.

  • 10-14-2009 12:07 PM In reply to

    Re: Virus Bulletin Award - August 2009

    Thank you for your honest opinion. I wish more customers would be so open in expressing their opinions regarding their vendors.

    In this case it does seem that we indeed missed some critical research info. Upon a summary inspection it would appear that the random nature of the probe would make signatures useless but I am afraid more in-depth information regarding how Gumblar operates is required before saying if IPS would help or not. We are also taking steps to update the AV signature coverage for these scripts. It does appear that they are random but there must be a way to identify them.

    I did notice the ticket you created and I will keep an eye on it. Thank you again for contacting us.

    Regards
    Laurentiu Nicula
  • 12-04-2009 6:30 AM In reply to

    Re: Virus Bulletin Award - August 2009

    This thread might just be one of the scariest I've ever read. Norman AV? Seriously?

    I find this especially disturbing because when you install Blink Personal it pops up a list of like 40 AV products warning people to remove them if they have them installed.

    Yikes!

  • 12-04-2009 1:05 PM In reply to

    Re: Virus Bulletin Award - August 2009

    puresecure:
    it pops up a list of like 40 AV products warning people to remove them if they have them installed.

         That is because most of these applications would conflict with Blink, because of all its different sublayers that are hooked into your system.  It would be like running a car into a cement wall, everything will come to a halt. 

  • 12-04-2009 2:18 PM In reply to

    Re: Virus Bulletin Award - August 2009

    Blue1978:

    puresecure:
    it pops up a list of like 40 AV products warning people to remove them if they have them installed.

         That is because most of these applications would conflict with Blink, because of all its different sublayers that are hooked into your system.  It would be like running a car into a cement wall, everything will come to a halt. 

    Yeah, I realize that running multiple AV apps together is bad news. But you mention earlier that antivirus "is not what Blink was made for" -- so I think that a warning about having those apps installed sort of implies that Blink is an all-in-one solution. But when considering that the AV engine is Norman, may be a tad disingenuous.

     

     

© 1995 - 2009 eEye Incorporated