Switch to full style
Forum for support for the Kaspersky AntiVirus for WinGate plugin
Post a reply

Netsky P Worm getting through

Oct 20 04 3:12 pm

We are using Wingate 6.0.3 with the the Kaspersky AV plugin. This seems to work very well in general. The network uses Symantec AntiVirus Corporate 8.1. There is one virus that appears to get through Kaspersky. Symantec classifies this viruys as W32.Netsky.P@mm. Other AV manufacturers classify it with the words W32 Kaspersky P Worm. I cannot find it on Kasperky's site, so I do not know they classify it.

This virus has made it through to a few clients on the network, so I enabled SAV to scan the mail directories yesterday. I found that SAV had quarentined seven instances of this virus. The virus is detected as W32.Netsky.P@mm!enc by SAV as it is detected in the message file. I am not sure if the Kaspersky AV detects this later. I suspect it does as just a few instances of the virus have gotten through.

This is not a new virus, so I would think this would have been addressed long ago if it were a real problem. I anticiopate that the problem on our system comes from some unwanted interaction between SAV and Kaspersky. Would that be a good assumption?

Kindest Regards,

Bob Tucker

Oct 20 04 3:27 pm

Hi Bob,

Which scanning options do you have enabled for the AV plugin? This is the list for:

    Check packed files
    Check archives
    Check e-mail databases
    Check plain e-mail
    Scan for possible virus signatures or dangerous code
    Scan broken exe, zip, etc. files


Also, do you have Custom Overrides for the Engine response codes defined? If your "Action to take" is set to "Custom"; then you most likely do.


These are the NetSky worms KAV recognises (With the AV definitions of 8 October 2004)

[I-Worm.NetSky.a]
[I-Worm.NetSky.aa]
[I-Worm.NetSky.ab]
[I-Worm.NetSky.ac]
[I-Worm.NetSky.ad]
[I-Worm.NetSky.ae]
[I-Worm.NetSky.b]
[I-Worm.NetSky.c]
[I-Worm.NetSky.d]
[I-Worm.NetSky.e]
[I-Worm.NetSky.f]
[I-Worm.NetSky.g]
[I-Worm.NetSky.h]
[I-Worm.NetSky.i]
[I-Worm.NetSky.j]
[I-Worm.NetSky.k]
[I-Worm.NetSky.l]
[I-Worm.NetSky.m]
[I-Worm.NetSky.n]
[I-Worm.NetSky.o]
[I-Worm.NetSky.p]
[I-Worm.NetSky.q]
[I-Worm.NetSky.r]
[I-Worm.NetSky.s]
[I-Worm.NetSky.t]
[I-Worm.NetSky.u]
[I-Worm.NetSky.v]
[I-Worm.NetSky.w]
[I-Worm.NetSky.x]
[I-Worm.NetSky.y]
[I-Worm.NetSky.z]

Oct 20 04 6:02 pm

Dear Oascal,

Thank you very much for your quick response. Under "Actions to take", I have "Discard File" selected. I have all scanning options checked, so it should be looking at everything.

I found three more instance of this virus on this virus quarantiened by SAV. (From your email, I believe that I-Worm.Netsky.P would be the correct Kaspersky classification.) No other variatons of this virus are getting through.

I am very reluctant to allow SAV to scan incoming message files as Adrien indicates this may cause difficulties with email, and I do not want that to happen. Thereofre, I would like to find a resolution for this in the not-too-distant future. Are the settings that I am using the most apprpropriate settings?

Kindest Regards,

Bob Tucker

Oct 20 04 6:14 pm

Hi Bob,

That sounds like the correct options; although the last options (Scan broken exe, etc.) is generally not recommended; as it slows scanning down tremendously. (See reference from Kaspersky SDK below)

KAV SDK wrote:KAV_O_M_CA (Scan for possible virus signatures or dangerous code)
To use the heuristic analyzer of a code, for searches of unknown viruses. It is recommended to use.
KAV_O_M_REDUNDANT (Scan broken exe, zip, etc. files)
To use redundant scanning, for search of viruses in the damaged and spoiled files. Slows down process of scanning many times over. It is not recommended to use.


The first thing I'd suggest would be to take one of the files Quarantined by SAV and scan it using the Quick-Scan option from the plugin in GateKeeper. This is simply for us to see if the AV scanner + database is capable of picking up that virus. If it isn't, I would like a copy of one of those emails, please (If it contains no confidential / priv. information).

If it is; then something is causing certain messages to slip through. That would be interesting; I haven't seen that happen before. I'm wondering if it could perhaps be related to some of the problems you are discussing with Adrien; but let's first see if the Quick-Scan option picks up on them.

You can also go to www.viruslist.com to check which viri Kaspersky will check.

Oct 20 04 7:40 pm

Dear Pascal,

I did as you suggested.

I completely removed SAV from the system and restored the infected msg files. I then did a quick scan on them with the KAV plugin. The Kaspersky AV Plugin detects a virus in each case - which it classifies as I-worm.netsky.q. Even though virusues were detected in each file, the msg files were not discarded. The status of each file is "not cleaned" in quick scan. The files were left in place. I did a reinstall of the plugin and got the same results.

I reinstalled SAV. The viruses were immeadiately detected and the msg files quarantined by SAV.

I unchecked the box to Scan broken exe, zip, etc. files in KAV. I disabled real-time scanning in SAV, restored the files, and did a quick scan with the KAV plugin. The results are the same as I reported above. The viruses in the infected files are detected, but the infected files are not discarded. The status of each is "not cleaned."

Kindest Regards,

Bob Tucker

Oct 20 04 7:52 pm

Hi Bob,

The quick scan case won't quarantine and cleaning of an infected file is not very common. However, I'm worried that those files managed to get through WinGate.

Do they contain any confidential information? It would help to be able to step through a scan of one of those files in a debugger.

Regards,

Oct 20 04 7:55 pm

Dear Pascal,

I checked again and found that the reason the infected files were not dlted was that I had not configured Quick Scan. I then configured Quick Scan in the identically tio the plugin, removed SAV, restored the infected files, and scanned the infected files using Quick Scan. The infected files were deleted. KAV should delete the files. I have left SAV off the system. I am hopeful that some action of SAV caused Kthe KAV plugin not to properly handle files infected with this particular virus.

Kindest Regards,

Bob Tucker

Oct 20 04 11:24 pm

Dear Pascal,

Thank you for your response. The messages containing viruses have no confidential information. So far as I know, they are your garden-variety Netsky Worm messages. I am certainly concerned that they got through. However, if this were other than a system configuration problem, a lot of people would be reporting it. Therefore, I believe that the odds are that I shot myself in the fooot somewhere along the line. I suspect that SAV and KAV may interact in some way. AV programs by nature are very intrusive.

I would be happy to ship these messsages off to you. I did not delete the SAV quarantine for that reason. There are five such msg files there. I can zip them up and send them should you want to look at them.

Kindest Regards,

Bob Tucker

Oct 20 04 11:53 pm

Hi Bob,

If you could zip and send them off to me that would be awesome. If you password protect the archive (password = password) then there's a larger chance they get through the various scanners inbetween.

If only for my peace of mind, I'm working on the next release of KAV at the moment and would like to be sure that it's a good one.

Oct 21 04 4:55 pm

Dear Pascal,

I am sorry. I did deltete the infected messages. I reconfigured Quick Scan with the same parameters as the AV plugin. The infected messages were detected and deleted. Since I removed SAV from the system, I have notfound any Netsky Worms getting through to user workstations. I will continue with this configuration for some time to be sure nothing is getting through. If this works, I will reinstall SAV and exclude only Postin and Incoming per Adrien's suggestion unless you specify something else. Again, I apologize. I had forgotten I had successfully deleted the infected messages.

Kindest Regards,

Bob Tucker
Post a reply