Sat, Feb 11, 2006 8:52 pm

PWS.Bancos.A (Password Stealer) False Positive

When I remotely logged into a user's system this morning to check an FTP transfer log on it prior to running a backup of the system, I saw Microsoft AntiSpyware's scan report indicated it had detected one item during its nightly scan of the system. The spyware it detected was "PWS.Bancos.A (Password Stealer)".

Item Details

PWS.Bancos.A

Type: Password Stealer
Threat Level: Severe

Description: A Trojan that captures or transmits passwords to an attacker.

Advice: Severe-risk items have an extreme potential for adverse effect, such as a security exploit, and should be removed.

When I looked at the registry key values detected, I saw they referred to "Intel\Landesk\VirusProtect6" (see Scan Results).

The Intel LANDesk software allows enterprises to manage client PCs [1], so I thought this might be a false positive.

The spyware definitions on the system were version 5805 (2/11/2006 8:12:18 AM).

Microsoft AntiSpyware Version: 1.0.701
This version expires on: 7/31/2006
Spyware Definition Version: 5805 (2/11/2006 8:12:18 AM)

After seeing the PWS.Bancos.A report on the user's system, I checked the Microsoft AntiSpyware results from its early morning run on my wife's PC. I found the same report of PWS.Bancos.A being detected, with references to the same registry entries. A short time later, I received an email from the vice president of the company where I had found the first report of the problem. She had also found the same scan results when she came in to the office to work on her system.

After extensive searching for any postings regarding this detection, I found an indication that it was a false positive in a February 10, 2006 posting at Siljaline's IE & Security Blog [5], where I found the following posted.

Definitions "5807" released to address a false-positive detection: some essential components of several Symantec Corporate Antivirus versions are being identified as PWS.Banco.A

The three systems in question are all running Symantec AntiVirus Corporate Edition 8.0. I monitor the installation of programs on systems with Inctrl [2], which can record the file and registry changes that occur during a software installation. Looking at an installation report for SAV 8.0, I found that the Software\Intel\Landesk registry keys were created during the installation of that software, so the keys the scanner flagged belong to the antivirus product itself.
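The same attribution can be done without Inctrl by exporting the registry before and after an install (`reg export HKLM\Software before.reg`, install, `reg export HKLM\Software after.reg`) and diffing the two files. The script below is an added example, not code from this post and not Inctrl's own; it parses the two .reg exports, lists the keys and values the install added, and answers whether a key a scanner later flags was created by that install. The two snapshots embedded in it are constructed: the key path mirrors the one the scanner reported (Software\Intel\Landesk\VirusProtect6), but the value names under it and the vptray Run entry are assumed rather than copied from a real SAV 8.0 install.

```python
r"""Attribute a scanner-flagged registry key to the installer that created it.

Added example: not code from the original post and not Inctrl's own. It diffs
two `reg export` snapshots taken before and after an install. Both snapshots
below are constructed; the Intel\LANDesk\VirusProtect6 path is the one the
scanner flagged, the values under it and the vptray Run entry are assumed.
"""
import re
from typing import Dict, List, Set, Tuple

RegTree = Dict[str, Dict[str, str]]  # normalized key path -> {value name -> raw data}

# `reg export` writes UTF-16LE; read real files with open(path, encoding="utf-16").
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeTool"="C:\\Program Files\\SomeTool\\tool.exe"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel]

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk]

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6]
"Home Directory"="C:\\Program Files\\Symantec AntiVirus"
"UseVPTray"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeTool"="C:\\Program Files\\SomeTool\\tool.exe"
"vptray"="C:\\Program Files\\Symantec AntiVirus\\vptray.exe"
"""

ROOT_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
                "HKCC": "HKEY_CURRENT_CONFIG"}


def normalize_key(path: str) -> str:
    """Canonical form: full root name, case folded (registry keys are case-insensitive)."""
    path = path.strip().strip("\\")
    root, sep, rest = path.partition("\\")
    root = ROOT_ALIASES.get(root.upper(), root.upper())
    return (root + sep + rest).lower()


def parse_reg(text: str) -> RegTree:
    """Parse REGEDIT4 / Version 5.00 export text into a key -> values mapping."""
    tree: RegTree = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        # hex(...) data is continued across lines with a trailing backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):            # [-key] means "delete this key"
                tree.pop(normalize_key(key[1:]), None)
                current = None
            else:
                current = normalize_key(key)
                tree.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m:                                  # @ is the key's (Default) value
            name = m.group(1) if m.group(1) is not None else ""
            tree[current][name.lower()] = m.group(2)
    return tree


def added_keys(before: RegTree, after: RegTree) -> Set[str]:
    return set(after) - set(before)


def added_or_changed_values(before: RegTree, after: RegTree) -> List[Tuple[str, str, str]]:
    out = []
    for key, values in after.items():
        old = before.get(key, {})
        out += [(key, n, d) for n, d in values.items() if old.get(n) != d]
    return sorted(out)


def created_by_install(flagged_key: str, before: RegTree, after: RegTree) -> bool:
    """True if the flagged key or one of its ancestors first appears in 'after'.
    If the installer created the parent, everything under it also postdates
    the 'before' snapshot, so (with nothing else run between the snapshots)
    the install is what created it."""
    new = added_keys(before, after)
    parts = normalize_key(flagged_key).split("\\")
    return any("\\".join(parts[:n]) in new for n in range(len(parts), 0, -1))


if __name__ == "__main__":
    before, after = parse_reg(BEFORE_REG), parse_reg(AFTER_REG)
    for key in sorted(added_keys(before, after)):
        print("added key:  ", key)
    for key, name, data in added_or_changed_values(before, after):
        print("added value:", key, name or "(Default)", data)
    flagged = r"HKLM\Software\Intel\Landesk\VirusProtect6"
    print(flagged, "created by this install:", created_by_install(flagged, before, after))
```

The check only means anything if the two snapshots bracket the install alone; a scan or another installer running in between would muddy the attribution, which is the same discipline Inctrl imposes by recording during the install.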

According to Trend Micro, it was one of the original developers of the Intel LANDesk Virus Protect (LDVP) technology [3]. In 1998, Symantec purchased Intel Corporation's anti-virus business and also licensed Intel systems management technology, which it combined with its own antivirus technology [4]. That history explains why a Symantec product still writes its settings under an Intel\LANDesk registry key.

Inside Microsoft AntiSpyware, I went to "File" and selected "Check Updates". Newer spyware definitions were downloaded, and I then saw the version number listed as 5807 when I selected "Help" and "About Microsoft AntiSpyware".

Microsoft AntiSpyware Version: 1.0.701
This version expires on: 7/31/2006
Spyware Definition Version: 5807 (2/11/2006 8:12:18 AM)

When I ran a full scan with those definitions nothing was detected. I updated the definitions on my wife's system and ran a scan of her system also. Likewise, this time nothing was detected.

For anyone who finds Microsoft AntiSpyware is reporting a false positive, Microsoft provides a False Positive Report Form [6].

References:

  1. LANDesk Management Suite 8.6, Network America
  2. Stay in Control, by Neil J. Rubenking, PC Magazine
  3. Trend Micro Offers Free Upgrades And Support to Intel Landesk Virus Protect Customers Worldwide, Trend Micro, 1998 press release
  4. Symantec buys Intel's Anti-Virus Business, Symantec Corporation, September 28, 1998
  5. MS Anti-Spyware Defs. "5807" now available, Siljaline's IE & Security Blog, posted Friday, February 10, 2006 3:41 PM by siljaline
  6. Microsoft AntiSpyware False Positive Report Form, Microsoft Corporation

[/security/spyware/MS-Antispyware] permanent link

Sat, Feb 11, 2006 3:46 pm

RTF Converter

If you need a utility to convert RTF files to HTML, you can use rtf-converter.

The program won't put in the <html>, <body>, etc. tags, so you will have to add those manually. I've also found it doesn't deal well with underlining in the RTF file and, though it will put in <br> tags for line breaks, it doesn't break the output line at those spots, so you'll have to do some editing of the resulting HTML files. To put in line feeds, I use the following vi command, which inserts a newline after every <br> tag in the file.

:1,$ s/<br>/<br>\r/g

You will need a C++ compiler to compile the source code into an executable file.

[/languages/c++] permanent link

Sat, Feb 11, 2006 12:36 pm

Passive Spam Block List (PSBL) Added

I added the Passive Spam Block List (PSBL) to the spam blacklists I employ on my email server. I am now using six different blacklists on the system to combat spam. The ones I'm now using are as follows:

Blitzed Open Proxy Monitor List
Open Relay Database
Composite Block List (CBL)
McFadden Associates E-Mail Blacklist
Spam and Open Relay Blocking System (SORBS)
Passive Spam Block List (PSBL)

To add the PSBL to the blacklists queried by sendmail, I added the following line to /etc/mail/sendmail.mc.

FEATURE(`dnsbl', `psbl.surriel.com', `"550 Mail from " $`'&{client_addr} " refused - see http://psbl.surriel.com/"')dnl

I then regenerated the sendmail.cf file from the sendmail.mc file and restarted sendmail with the commands below.

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/etc/init.d/sendmail restart
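What that FEATURE line makes sendmail do on each connection is reverse the octets of the client address, look up the result as a host name under the list's zone, and reject with the given 550 text if the lookup returns any A record. The script below is an added example, not sendmail's code and not part of the original post; it reimplements that lookup so the behaviour can be checked from the command line before trusting it in production. The resolver is passed in as a parameter so the function can be exercised offline against a constructed answer table; with the default resolver it queries real DNS. The 127.0.0.0/8 sanity check is an addition of mine and not something the FEATURE(dnsbl) line performs. The sample addresses are from the documentation ranges and are not real listings.

```python
"""Query a DNSBL for a client address the way sendmail's FEATURE(dnsbl) does.

Added example: not sendmail's code and not from the original post. sendmail
reverses the IPv4 octets of ${client_addr}, looks up <reversed>.<zone>, and
rejects the connection if any A record comes back. The resolver is injected so
the logic runs offline against a constructed answer table; the 127.0.0.0/8
check is an addition to what the FEATURE line itself does.
"""
import ipaddress
import socket
from typing import Callable, List, Optional

# query name -> A record text, or None when the name does not exist (not listed)
Resolver = Callable[[str], Optional[str]]


def dnsbl_qname(addr: str, zone: str) -> str:
    """192.0.2.10 against psbl.surriel.com becomes 10.2.0.192.psbl.surriel.com."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError for anything but IPv4
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def real_resolver(qname: str) -> Optional[str]:
    """Look the name up in real DNS; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def is_listed(addr: str, zone: str, resolve: Resolver = real_resolver) -> bool:
    answer = resolve(dnsbl_qname(addr, zone))
    if answer is None:
        return False
    # DNSBLs answer from 127.0.0.0/8. Any other address usually means the zone
    # has been parked or wildcarded, in which case every lookup "succeeds";
    # treating that as a listing would reject all inbound mail.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def first_listing(addr: str, zones: List[str],
                  resolve: Resolver = real_resolver) -> Optional[str]:
    """Check several lists in order, as a chain of FEATURE(dnsbl) lines does,
    and return the first zone that lists the address, or None."""
    for zone in zones:
        if is_listed(addr, zone, resolve):
            return zone
    return None


def smtp_reply(addr: str, zone: str, resolve: Resolver = real_resolver) -> Optional[str]:
    """The 550 text the sendmail.mc line above produces, or None to accept."""
    if is_listed(addr, zone, resolve):
        return f"550 Mail from {addr} refused - see http://{zone}/"
    return None


if __name__ == "__main__":
    import sys
    client = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(smtp_reply(client, "psbl.surriel.com") or f"{client} is not listed in psbl.surriel.com")
```

Run it as `python3 dnsbl_check.py 192.0.2.10` to see what the mail server would answer for a given client. Two caveats worth keeping in mind: sendmail's plain dnsbl feature rejects on any A record at all, so a list that is shut down and later wildcarded (or whose domain lapses and is parked) will cause every connection to be refused until the FEATURE line is removed; the `enhdnsbl` feature can be told which return values count as a listing if finer control is wanted. And each list added is another DNS round trip per connection, which delays delivery when a list's name servers are slow or unreachable.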

[/network/email/spam/blocklists] permanent link
