
eEye Digital Security


Scanner Not Working Properly

Last post 11-17-2008 6:19 PM by Blue1978. 4 replies.
  • 11-01-2008 5:03 PM

    Scanner Not Working Properly

    I tested my Blink virus protection recently by downloading a test virus from finjan.com. I also have my on-access scan set to scan archive files at level 1. Now I use Mozilla Firefox, so when clicking to download the file, Blink alerts me that I have a virus, but the file still gets downloaded. As far as I am aware, Blink alerts and quarantines the file immediately when using Internet Explorer.

    The real problem is that when I right-click to scan the file, Blink tells me that the action failed. I tried to quarantine it manually, but that still failed. However, when closing the box, the file does get put into quarantine. I just thought I'd report these errors.

  • 11-17-2008 7:33 AM In reply to

    Re: Scanner Not Working Properly

    The file that is downloaded in Firefox, what is the size of it?  Is it a normal size, or something like 2kb?  I have noticed Blink will strip the file if it is malicious, but nothing will be left of it to run or execute if it is malicious.  I don't know why or if this is right, but I have noticed that when using Firefox.  The only reason I can think of Blink grabbing malicious files in IE (quicker before they hit your desktop) is because of IE's plugin Blink has built into it to detect exploits better.

    http://forums.eeye.com/forums/p/739/3163.aspx#3163

  • 11-17-2008 4:51 PM In reply to

    Re: Scanner Not Working Properly

    This is where I get the file.

    http://www.finjan.com/Content.aspx?id=577

    And the size is 184 bytes. Now after downloading the file, there was an error in quarantining it, but when I right-clicked to see the size of the file, I was notified again, and it looks like Blink quarantined it.

  • 11-17-2008 5:06 PM In reply to

    Re: Scanner Not Working Properly

    We are aware of an issue with Firefox and that particular file partly caused by how the test file is treated by Blink. This issue will be fixed in one of the future releases.

    Thank you for reporting this issue!

    Regards
    Laurentiu Nicula
  • 11-17-2008 6:19 PM In reply to

    Re: Scanner Not Working Properly

    lnicula:
    We are aware of an issue with Firefox and that particular file partly caused by how the test file is treated by Blink. This issue will be fixed in one of the future releases.

    Nicula,

    Does this concept kind of go hand in hand with what was posted here at Sunbelt about making Notepad.exe a malicious file?

    http://sunbeltblog.blogspot.com/2008_09_01_archive.html

    Quoted:

    Sunday, September 07, 2008

    How to make notepad.exe a malicious file

    As is well known, malware authors routinely use packers (aka “protectors”) to disguise their files (as well as decrease their file size).

    A number of AV products simply blacklist anything that’s packed, thus not having to bother with emulating the executable and finding out what’s really inside. (Like many AV companies, we do this for some obvious malware packers ourselves, but it has to be done with an extensive in-house whitelist to verify that you’re not going to get false positives.)

    Just as a curious experiment, I recently packed notepad.exe into a variety of packer formats and submitted them to VirusTotal. (I’m not the first to do this exercise, either — a similar exercise was shown by VirusBuster at CARO in May.)

    This is a minuscule sample, but it allows you to see the various levels of aggressiveness on detecting packers by AV engines. It also shows why some engines have incredibly high detection rates on VirusTotal.

    Notepad.exe packed with MEW (packing with FSG will likely show similar results as well).

    Notepad.exe packed with UPX (UPX is the most common packer, used for many legitimate applications — it’s a very dangerous packer to blacklist, since false positives will be through the roof.)

    Notepad.exe packed with PEspin

    Notepad.exe packed with PECompact

    In the end, blacklisting packers is going to be old news, because malware authors have changed and are now doing all kinds of exotic custom packing –– and in many cases, not packing at all.
