Posts Tagged ‘Microsoft’

Security center from Windows Vista SP1 reporting wrongly

July 16th, 2009

Posted by david, July 16, 2009

In the past few days we have received reports from customers that Windows Security Center (WSC) on Windows Vista SP1 machines shows a notification saying the virus protection is not compatible, even though the antivirus is actually installed, running and up to date.


Microsoft's Windows Security Center team contacted us to confirm that this is not the expected behavior and that they are working on a fix for the error.

Meanwhile, we are developing an autofix (automatic hotfix) for our 2009 and 2010 products that works around the problem by changing the way our products register with WSC. This autofix will be delivered through automatic updates over the next few weeks.

The immediate solution is easy: go to the Windows Update website and install Windows Vista Service Pack 2. It is a good opportunity to move your system to Vista SP2 anyway, since the service pack not only resolves this small problem but also fixes several security bugs.
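As an added check (example code, not from the original post or any Panda product), the following PowerShell lists what WSC actually has registered and the service pack level of the machine. That tells you whether you are looking at the reporting glitch described above (product present and running, WSC still complaining) or at a product that really is not registered with WSC. It assumes Windows Vista or later, where WSC publishes its data in the root\SecurityCenter2 WMI namespace:

```powershell
# Added example: query Windows Security Center for registered antivirus products
# and report the OS service pack level. Assumes Vista or later (root\SecurityCenter2).
function Get-WscAntivirusStatus {
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $wscSvc  = Get-Service -Name wscsvc            # the Security Center service itself
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct

    if (-not $products) {
        # Nothing registered at all: this is a real registration problem, not a WSC glitch
        New-Object PSObject -Property @{
            OSVersion    = $os.Version
            ServicePack  = $os.CSDVersion
            WscService   = $wscSvc.Status
            Product      = '(no antivirus registered with WSC)'
            ProductState = $null
            SignedExe    = $null
        }
        return
    }

    foreach ($p in @($products)) {
        New-Object PSObject -Property @{
            OSVersion    = $os.Version
            ServicePack  = $os.CSDVersion          # e.g. "Service Pack 1" vs "Service Pack 2"
            WscService   = $wscSvc.Status
            Product      = $p.displayName
            # productState is an undocumented bitfield; keep the raw hex so you can
            # compare a complaining machine against a healthy one
            ProductState = ('0x{0:X6}' -f $p.productState)
            SignedExe    = $p.pathToSignedProductExe
        }
    }
}

Get-WscAntivirusStatus | Format-List OSVersion, ServicePack, WscService, Product, ProductState, SignedExe
```

Run it on a machine showing the warning and on one that is not; if the product appears in both with the same state but only the SP1 machine complains, you are seeing the WSC bug, and SP2 (or the autofix) is the answer. On Windows XP the namespace is root\SecurityCenter and the AntiVirusProduct class exposes different properties (onAccessScanningEnabled, productUptoDate), so the script above needs adjusting there.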


Author: david | Categories: General, Security

New vulnerabilities in Internet Explorer 8

July 10th, 2009

Posted by Alvaro, July 10, 2009

Microsoft has publicly announced two new vulnerabilities affecting Internet Explorer:


1. Users can be infected by clicking a link to a video

This vulnerability affects the Windows XP and Windows Server 2003 operating systems.

Workaround published by Microsoft

2. Exploit that causes a memory overflow

This exploit takes advantage of a stack-based buffer overflow in the MPEG2TuneRequest ActiveX control implemented in the msvidctl.dll library. Successful exploitation lets an attacker run arbitrary code in the context of the browser and take full control of the compromised system.

You can find information about this second vulnerability at http://www.microsoft.com/technet/security/advisory/971778.mspx

At the time of writing Microsoft has not released a security update for this vulnerability, so there is no permanent fix yet.

So far, the only mitigation is to set the kill bit for the vulnerable control, which tells Internet Explorer to refuse to load it. You can do so by saving the following text as a file with the .reg extension and running it as administrator:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

There is no information about the operating system versions affected by this exploit.

The following video explains how TruPrevent Technologies protect against this type of attack.

 

Video: Proactive protection against the msvidctl.dll ActiveX control vulnerability, by Sean-Paul Correll (Panda Security), on Vimeo.

All our clients with Retail and/or Corporate products with TruPrevent Technologies enabled are protected against this exploit.

Remember the PandaLabs blog for everything you need to know about Internet threats.

Conficker in your network?

May 22nd, 2009

Hi all. I'm Juan S. Fernandez, part of the technical support department for Panda USA. This is my first post, and I want to blog about something we often get asked about in support, at least recently: how to deal with Conficker.

From Panda's perspective, the current variants of Conficker are properly identified and removed. But still, you may have Panda installed on your network and Conficker seems to be showing up all over the place... Your computers keep reporting that they are infected, network traffic is slow, your users have problems logging on because your Domain Controllers are saturated... And you wonder what is going on.

Typically, by the time we receive a support call about a Conficker network infection, the customer has already spent hours (sometimes days) trying to eradicate Conficker from the network: isolating computers where Panda detected the virus, running tool after tool, only to find nothing or just a few leftover registry keys... but the problem never goes away. What gives?

Well, I’m sorry, but you are wasting your time. You are concentrating on the wrong computers. Panda correctly detects and disinfects Conficker. Current versions of Conficker will not be allowed to run on a machine that has a working and updated Panda antivirus on it.

So why are you seeing the detections? You need to understand how Conficker operates to know where to look for it. Conficker uses several infection paths. The machine where Conficker is running will try to hit other machines on the same network by exploiting unpatched Microsoft vulnerabilities, notably the one fixed by Microsoft Security Bulletin MS08-067. If the target machine has not been patched, Conficker can bypass its security and, by impersonating an admin account, drop a file into the system32 folder. It will also try to add a scheduled task to run that file, among other things (I'm a support guy, not a virus researcher... I'll let them do the technical explanation).

So what is your Panda doing about it? Panda is preventing the execution of the dropped files and giving you the detection. But we cannot "close the hole" in your Windows OS. That hole needs to be closed by applying the appropriate Windows update. Which one? ALL of them!

Note where I said that Conficker will not run on a computer that has a working and updated Panda antivirus. That is actually the key to realizing what you need to do: make sure that ALL your computers have working, updated Panda protection installed. At the same time, make sure that all your computers have all required Windows updates installed. But don't stop there. Go ahead and patch all your other software too: Adobe Reader, Flash Player, RealPlayer... or you may find yourself fighting other viruses another day.

So what should your plan of action be when you start receiving Conficker detections? Find the computers that are NOT complaining about it, and ignore the ones that complain. The computers that are actually infected with Conficker are the ones without working protection. Make sure that your antivirus deployment is complete and that every computer on the network has Panda installed.
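The hunt described above, as an added example that is not part of this post or of any Panda product: a PowerShell sweep over a list of hosts that flags the ones Conficker can actually live on (unreachable, missing the MS08-067 update, no running antivirus service, or carrying at-style scheduled jobs like the task the post mentions). It assumes a domain admin account with WMI/RPC access to the targets; the computer list is constructed for illustration, the antivirus service name is a placeholder you must replace with your product's real service name, and KB958644 is the update shipped by MS08-067:

```powershell
# Added example: find the hosts that are NOT raising Conficker detections because
# they are the ones it can run on. Assumptions: domain admin with WMI/RPC access;
# constructed host list; placeholder AV service name; KB958644 = MS08-067 update.
$computers     = 'PC01', 'PC02', 'LAPTOP-GUEST'   # constructed sample list
$avServiceName = 'PandaAVService'                  # PLACEHOLDER, adjust to your product
$ms08067Kb     = 'KB958644'

function Get-ConfickerExposure {
    param([string]$Computer)
    $r = New-Object PSObject -Property @{
        Computer  = $Computer
        Reachable = $false
        MS08067   = $null   # $true = patched, $false = missing, $null = unknown
        AVRunning = $null
        AtJobs    = $null   # at.exe-style jobs; Conficker schedules its dropped file this way
    }
    try {
        $fixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $Computer -ErrorAction Stop
        $r.Reachable = $true
        $r.MS08067   = [bool]($fixes | Where-Object { $_.HotFixID -eq $ms08067Kb })

        $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$avServiceName'"
        $r.AVRunning = ($svc -ne $null) -and ($svc.State -eq 'Running')

        $jobs = Get-WmiObject -Class Win32_ScheduledJob -ComputerName $Computer
        $r.AtJobs = if ($jobs) { @($jobs).Count } else { 0 }
    } catch {
        # Unreachable: firewall, offline, or not domain-managed. Go look at it in person.
    }
    return $r
}

$report = $computers | ForEach-Object { Get-ConfickerExposure -Computer $_ }

# Suspects: unreachable, unpatched, no running AV, or unexpected at-jobs.
# Hosts that are reachable, patched and protected are the ones defending themselves.
$report |
    Where-Object { -not $_.Reachable -or $_.MS08067 -eq $false -or -not $_.AVRunning -or $_.AtJobs -gt 0 } |
    Format-Table Computer, Reachable, MS08067, AVRunning, AtJobs -AutoSize
```

Feed it the full list of machines in the domain plus any address that shows up as the source of the detections; an at-job count above zero is only a pointer to review, not proof of infection, since legitimate at.exe jobs exist. The unreachable entries are just as interesting as the unpatched ones: a machine the sweep cannot talk to is usually one nobody is managing.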

You only need one unprotected, infected computer to have the rest of your machines constantly "defending" themselves against it and generating distracting warnings. I had one instance where "a major network attack by Conficker" prevented user log-ins for hours on a 600-user network, and it was caused by a single laptop that somebody had brought from home... which, of course, did not have Panda installed. Establish strict policies for external computers brought onto your network; perhaps create a separate Wi-Fi network that gives them Internet access without compromising your own security.

For added protection, set your Panda antivirus to scan all extensions, since Conficker will try to use non-standard extensions to fool the protection. You may need to create some exclusions to ensure application stability (like the exclusions for your Exchange server...).

This is where products like Panda for Business or Panda Managed Office Protection really show their value. They let you monitor what is going on in your network: who has protection, who does not, who got which virus detected... and quickly adjust your computers' protection settings if needed. Panda for Business will even tell you if you have computers on the network that are not integrated, or whose protection cannot be managed. NetworkSecure can even remove from the network computers whose protection has been disabled, reducing the risk to the rest of the network, or block connections from computers in certain IP ranges. On large networks, it can be installed directly from a Group Policy, reducing deployment time.

Panda Managed Office Protection lets you monitor the protection status of your computers no matter where they are in the world, as long as they are connected to the Internet. And you can do all that without investing in extra servers or databases.

I hope this post helps some of you get Conficker out of your network. Until the next post.