Interception of web content by AV software (was Re: VML Patch for Win9x?) - Page 3



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



|
| http://www.proactiveservices.co.uk/research/nod32_imon1.png
| ...and then...
| http://www.proactiveservices.co.uk/research/nod32_imon2.png
|
| How's that! :-)
|
| Any anti-virus that cannot protect an Internet program from downloading
| malicious content should really look at the changing landscape of malware
| infection. Malware doesn't just arrive by email any more.


I don't see how the NOD32 warning message is any different from the McAfee
Enterprise log event..

10/2/2006 10:53:48 AM Delete failed (Clean failed)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\P2IV2015\testvml[1].htm Exploit-VMLFill (ED)


The other graphic shows that the web page was not accessed.  In this case, the
URL does show the content but, on truly malicious Exploit pages, I have seen
McAfee block access to the malicious web page.

The question is: does NOD32 TRULY intercept the web page at the Internet level,
or is it acting any differently than other AV software?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


David H. Lipman wrote:

That's caught the cache file. One would presume that if the browser has got
as far as caching a malicious page it may well have rendered it and the
malicious content executed.

The difference is that Firefox (in this case) never saw any malicious content.



That was a malicious exploit page. The URL is only shown because I typed it
in and pressed Go :-)
There is no content in the URL, it is as it is.



Surely the fact that Firefox rendered nothing proves this? I have watched
NOD32 eat exploit code before. There's no question about it: NOD32 is
capable of blocking malicious web site content before it can execute or be
rendered.

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



|
| That's caught the cache file. One would presume that if the browser has got
| as far as caching a malicious page it may well have rendered it and the
| malicious content executed.


I think that's a faux presumption.  I have been to many pages with Exploit code
with similar logged events.  Never an infection.

10/6/2004 6:18:36 PM Deleted (Clean failed)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\css_menu[1].html\CSS_MENU[1] Exploit-CodeBase.gen

1/6/2005 5:54:27 PM Deleted  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\mendel.home.comcast[1].htm Exploit-HelpZonePass

11/10/2005 9:17:50 PM Deleted  DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen

11/10/2005 10:50:45 PM Delete failed (Clean failed)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\sploit[1].anr Exploit-ANIfile

12/17/2005 1:04:45 AM Delete failed (Clean failed)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\index[1].php\INDEX[1] JS/Exploit-HelpXSite

12/30/2005 9:20:46 AM Delete failed (Clean failed)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\Z0WFDAGD\wbk43F1.tmp Exploit-MIME.gen.c



|
| The difference is that Firefox (in this case) never saw any malicious content.
|
|
| That was a malicious exploit page. The URL is only shown because I typed it
| in and pressed Go :-)
| There is no content in the URL, it is as it is.
|
|
| Surely the fact that Firefox rendered nothing proves this? I have watched
| NOD32 eat exploit code before. There's no question about it: NOD32 is
| capable of blocking malicious web site content before it can execute or be
| rendered.

And that's the way of all AV software (well the way they are supposed to work).


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

| PCR wrote:
|
| > What does it mean that McAfee will complain of
| > "testvml[1].htm.vir" when I click...
| >
| > http://www.isotf.org/zert/testvml.htm
| >
| > THEN, yea, it will quarantine or delete the *.vir, but
| > STILL I end up with a crashed IE. I haven't yet switched to
| > the Win2K .dll.
| >
| > (1) What is crashing me, if McAfee has quarantined the virus?
|
| Dave?  Can you answer that one?
|
| > (3) Or is this a diabolical plot of yours &/or of 98 Guy,
| >      who IS prominently mentioned at that site?
|
| No, no plot.

OK, then. Anyhow, none of the wording in your file, such as "If you can
see two colored boxes" shows up on my screen.

| I submitted "testvml[1].htm" to virus total and only a handful of AV
| software flagged it.  Symantec was one of them.

McAfee does well too.

| I went to a Win-98 system that I haven't patched with the new version
| of VGX.dll and verified that it crashes when viewing the above URL.
| The NAV-2002 on that system was last updated Aug 28, so no it didn't
| flag anything.
|
| I then updated NAV to Sept 27 or 28 then went to that URL again, and
| again it crashes IE, but NAV catches and quarantines testvml[1].htm
| while the crash message is still on the screen.

McAfee appears to trap it first. However, after I have chosen to delete
or move the file, IE will try to open the page & crash to the IE Report
Tool with an incredibly enormous report. Thus far, I have spared MS &
chosen to not send it!

| So basically NAV (2002 version) is not capable of intercepting bad WWW
| content before IE handles it.

Do you actually see the wording on your screen that you put into
TestVML.htm? If not, I suppose it did not execute.

| Do we know if "modern" AV software intercepts and scans web content
| BEFORE a browser sees it?
|
| Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
| current AV software?



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



98 Guy wrote:
[....]


fwiw, my W98SE partition has NAV2001 on it and with the latest definitions
(with or without the new dll) NAV instantly ''access denied'' stops the
page before it even loads and prompts it will not open the C:\WINDOWS\Local
Settings\Temporary Internet Files\Content.IE5234567\testvml[1].htm

After clicking through the AV prompt, with the old dll the browser
will kick up the send ms error report, but with the new dll in place the
page shows fine.

I haven't read the rest of the posts here but just wanted to mention
the above fwiw - seems it's being scanned and stopped before the
browser even has a chance to use it.

Rick


Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

Rick Chauvin wrote:


Interesting.  Glad to hear that NAV 2001 is still update-able.


I don't think that NAV is stopping the page from loading.

What you're seeing is that the browser has crashed, and before the
message telling you that IE has crashed you are getting a message from
NAV telling you about the detection and quarantining of the .htm file.

When you dismiss the NAV messages, IE comes back to the foreground and
the OS handles the crash with an error report.

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



98 Guy wrote:

Well yes in the sense that NAV halts everything in its tracks when it
detects the interest, and by saying okay to the prompt it lets it proceed
but just doesn't open the file listed and the page loads fine still.  The
page is not loaded beforehand however.  If it was imperative I
could prove it out one way or the other by detailing each step and
screenshot it all out to show exactly what happens with the original dll
and after the 2K swap, along with a before and after the NAV definition
update in both instances as well..  ..however you know it's not really that
important to do in this situation so I won't spend the time (which there is
little of) to digress on it further..

greetings to all

Rick




Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

|
|
| 98 Guy wrote:
| [....]
|
| > I submitted "testvml[1].htm" to virus total and only a handful of AV
| > software flagged it.  Symantec was one of them.
| >
| > I went to a Win-98 system that I haven't patched with the new version
| > of VGX.dll and verified that it crashes when viewing the above URL.
| > The NAV-2002 on that system was last updated Aug 28, so no it didn't
| > flag anything.
| >
| > I then updated NAV to Sept 27 or 28 then went to that URL again, and
| > again it crashes IE, but NAV catches and quarantines testvml[1].htm
| > while the crash message is still on the screen.
| >
| > So basically NAV (2002 version) is not capable of intercepting bad WWW
| > content before IE handles it.
|
| fwiw, my W98SE partition has NAV2001 on it and with the latest definitions
| (with or without the new dll) NAV instantly ''access denied'' stops the
| page before it even loads and prompts it will not open the C:\WINDOWS\Local
| Settings\Temporary Internet Files\Content.IE5234567\testvml[1].htm
|
| After clicking through the AV prompt, with the old dll the browser
| will kick up the send ms error report, but with the new dll in place the
| page shows fine.

That appears to be what McAfee also does. Before the page shows &
crashes, I have the chance to delete or quarantine testvml[1].htm. So...
the Win2k .dll will prevent the crash. (I haven't taken it yet.)

But where is the vulnerability? In the virus file or in the crash of IE
or a combination of both? IOW, is the thing prevented by McAfee or by
the Win2k .dll? Is the crash flushing a buffer that the virus file
loaded?

| I haven't read the rest of the posts here but just wanted to mention
| the above fwiw - seems it's being scanned and stopped before the
| browser even has a chance to use it.
|
| Rick
|
|
| > Do we know if "modern" AV software intercepts and scans web content
| > BEFORE a browser sees it?
| >
| > Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
| > current AV software?
|



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

| |
| |
| | 98 Guy wrote:
| | [....]
| |
| | > I submitted "testvml[1].htm" to virus total and only a handful of AV
| | > software flagged it.  Symantec was one of them.
| | >
| | > I went to a Win-98 system that I haven't patched with the new version
| | > of VGX.dll and verified that it crashes when viewing the above URL.
| | > The NAV-2002 on that system was last updated Aug 28, so no it didn't
| | > flag anything.
| | >
| | > I then updated NAV to Sept 27 or 28 then went to that URL again, and
| | > again it crashes IE, but NAV catches and quarantines testvml[1].htm
| | > while the crash message is still on the screen.
| | >
| | > So basically NAV (2002 version) is not capable of intercepting bad WWW
| | > content before IE handles it.
| |
| | fwiw, my W98SE partition has NAV2001 on it and with the latest definitions
| | (with or without the new dll) NAV instantly ''access denied'' stops the
| | page before it even loads and prompts it will not open the C:\WINDOWS\Local
| | Settings\Temporary Internet Files\Content.IE5234567\testvml[1].htm
| |
| | After clicking through the AV prompt, with the old dll the browser
| | will kick up the send ms error report, but with the new dll in place the
| | page shows fine.
|
| That appears to be what McAfee also does. Before the page shows &
| crashes, I have the chance to delete or quarantine testvml[1].htm. So...
| the Win2k .dll will prevent the crash. (I haven't taken it yet.)
|
| But where is the vulnerability? In the virus file or in the crash of IE
| or a combination of both? IOW, is the thing prevented by McAfee or by
| the Win2k .dll? Is the crash flushing a buffer that the virus file
| loaded?

Reading that...
http://secunia.com/advisories/21989/
.....Quote.........
Description:

A vulnerability has been discovered in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the Microsoft
Vector Graphics Rendering (VML) library (vgx.dll) when processing certain
content in Vector Markup Language (VML) documents. This can be exploited
to cause a stack-based buffer overflow by e.g. tricking a user into
viewing a malicious VML document containing an overly long "fill" method
inside a "rect" tag with the Internet Explorer browser.

Successful exploitation allows execution of arbitrary code with the
privileges of the application using the vulnerable functionality in the
library.

NOTE: The vulnerability is currently being actively exploited.
......EOQ...........

...It does seem it's a combo of the virus file & the IE crash to flush
a buffer. I'm still torn on whether I need to switch .dll's. But, I've
retrieved it, & I guess I will switch soon to prevent the crash. But why
is it crashing?


Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


< snip >

| ...It does seem it's a combo of the virus file & the IE crash to flush a
| buffer. I'm still torn on whether I need to switch .dll's. But, I've
| retrieved it, & I guess I will switch soon to prevent the crash. But why
| is it crashing?

What virus ?  This is Exploit code, not a virus !!!

It crashes because there is a bug in the code that causes a Buffer Overflow
condition.  It is in this state that malware can take control of the system.

I have made it easy.  Here's my self installing unofficial patch...
http://www.ik-cs.com/programs/virtools/VML-HTML_FIX.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

|
| < snip >
|
| | ...It does seem it's a combo of the virus file & the IE crash to
| | flush a buffer. I'm still torn on whether I need to switch .dll's. But,
| | I've retrieved it, & I guess I will switch soon to prevent the crash.
| | But why is it crashing?
|
| What virus ?  This is Exploit code, not a virus !!!

I believe I have already said to you in another thread, McAfee's wording
is...

Download file:  G:\Temporary Internet
Trojan name:    Exploit.VMLFill
McAfee Shield:  Virus found in download file!

I get a choice to Continue, Delete, or Move. Choosing Move, I end up
with "testvml[1].htm.vir" in "G:\Infected". Hmm, now I see a .log there.
It contains just one line...
www.isotf.org => testvml[1].htm.vir

WELL, McAfee does give a choice of 3 what to call it, actually. I have
taken the .dll already as Bear said, with Winzip. Yet I haven't
installed it.

|
| It crashes because there is a bug in the code that causes a Buffer
| Overflow condition.  It is in this state that malware can take control
| of the system.

So... does IE need the exploit file of 98 Guy to deliver the exploit? Is
the exploit file extraneous to the delivery of the exploit?

|
| I have made it easy.  Here's my self installing unofficial patch...
| http://www.ik-cs.com/programs/virtools/VML-HTML_FIX.exe
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



|>
|> What virus ?  This is Exploit code, not a virus !!!
|
| I believe I have already said to you in another thread, McAfee's wording
| is...
|
| Download file:  G:\Temporary Internet
| Trojan name:    Exploit.VMLFill
| McAfee Shield:  Virus found in download file!


Gee... three conflicts all in one message !

Trojan <> virus <> exploit

McAfee (or any other AV software for that matter) creates a default message and
then concatenates what's found to the default message.

If you test the EICAR, see what it calls it !

I'll say it again, again...  There is NO virus, this is an Exploit Code.

The fact is if you are using the TEST URL http://www.isotf.org/zert/testvml.htm
there isn't even a payload.  It just creates a Buffer Overflow condition.  McAfee
is flagging the Buffer Overflow condition or the test for it (I can't tell which).

Here it is in FireFox... (No virus statement here in Enterprise v7.1)
10/4/2006 8:01:24 PM Deleted (Clean failed)  DLIPMAN-1\lipman D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill

Here it is in Internet Explorer... (Again no virus statement here in Enterprise v7.1)
10/4/2006 8:03:09 PM Deleted  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill

Here it is in Opera... (Still no virus statement here in Enterprise v7.1)
10/4/2006 8:05:29 PM Deleted  DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill


So it is YOUR version that generated this incorrect statement, and this retail
version was discontinued YEARS ago.  PCR, I believe you are still using Retail
VirusScan v5.x.

One more time...

There is NO virus, this is purely Exploit Code and this URL has NO payload !


|
| WELL, McAfee does give a choice of 3 what to call it, actually. I have
| taken the .dll already as Bear said, with Winzip. Yet I haven't
| installed it.
|

My unofficial patch will install the non-vulnerable version, unregister the
vulnerable version, register the replacement DLL and fix the Registry.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
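The McAfee Enterprise log lines Dave posts here and in his earlier reply share one layout, and every path in them sits in a browser cache directory, which is what makes them evidence of "detection on the cached file" rather than interception on the wire. The parser below is an added example, not code from the thread or from McAfee: it splits those lines into fields and reports which browser cache each detection landed in; the sample lines are re-joined from the posts, and the cache-directory markers are an assumption drawn from the paths shown.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the wrapped log lines from the thread, re-joined one per
# line.  McAfee VirusScan Enterprise 7.1 on-access log layout, as posted:
#   <date> <time> <action> <MACHINE\user> <path> <detection name>
SAMPLE_LOG = r"""
10/2/2006 10:53:48 AM Delete failed (Clean failed)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\P2IV2015\testvml[1].htm Exploit-VMLFill (ED)
10/4/2006 8:01:24 PM Deleted (Clean failed)  DLIPMAN-1\lipman D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill
10/4/2006 8:03:09 PM Deleted  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill
10/4/2006 8:05:29 PM Deleted  DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill
10/6/2004 6:18:36 PM Deleted (Clean failed)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\css_menu[1].html\CSS_MENU[1] Exploit-CodeBase.gen
"""

# The user field is the first whitespace-free token containing a backslash;
# the action text before it never contains one, so the lazy match stops there.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>.*?)\s+(?P<user>[^\s\\]+\\[^\s\\]+)\s+(?P<rest>.*)$"
)

# Browser cache directories seen in the thread's paths (assumed markers; all
# markers for a browser must be present).  A detection on one of these paths
# means the browser had already fetched the content before the scanner saw it.
CACHE_MARKERS = (
    ("Internet Explorer", ("\\content.ie5\\",)),
    ("Mozilla/Firefox", ("\\mozilla\\cache\\",)),
    ("Opera", ("\\opera\\", "\\cache")),
)


@dataclass
class Detection:
    date: str
    time: str
    action: str
    user: str
    path: str
    name: str
    cache: Optional[str]   # which browser cache the file sat in, if any


def split_path_and_name(rest: str):
    """Separate <path> from <detection name>.

    Directory names may contain spaces (Program Files, Temporary Internet
    Files) but the final file name never does, so the detection name starts
    at the first space after the last backslash.
    """
    head, _, tail = rest.rpartition("\\")
    fname, _, name = tail.partition(" ")
    return f"{head}\\{fname}", name.strip()


def browser_cache(path: str) -> Optional[str]:
    """Return the browser whose cache directory the path belongs to, or None."""
    p = path.lower()
    for browser, markers in CACHE_MARKERS:
        if all(m in p for m in markers):
            return browser
    return None


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, name = split_path_and_name(m["rest"])
    return Detection(m["date"], m["time"], m["action"], m["user"],
                     path, name, browser_cache(path))


def parse_log(text: str) -> List[Detection]:
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e is not None]


def detections_by_cache(events: List[Detection]) -> Dict[str, int]:
    """Count detections per browser cache; 'not a browser cache' for the rest."""
    return dict(Counter(e.cache or "not a browser cache" for e in events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.date} {e.time}  {e.name:<22} {e.action:<30} "
              f"[{e.cache or 'outside any browser cache'}]")
    print(detections_by_cache(evs))
```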



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

David H. Lipman wrote:

PCR, listen to David.  I was mistaken as well when I thought it was a
virus.  It is an exploit code.  David knows what he is talking about and
I give him lots of credit for that.  He studies viruses and exploit
codes and stuff all the time.

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

| David H. Lipman wrote:
| >
| >
| > |>
| > |> What virus ?  This is Exploit code, not a virus !!!
| > |
| > | I believe I have already said to you in another thread, McAfee's wording
| > | is...
| > |
| > | Download file:  G:\Temporary Internet
| > | Trojan name:    Exploit.VMLFill
| > | McAfee Shield:  Virus found in download file!
| >
| >
| > Gee... three conflicts all in one message !
| >
| > Trojan <> virus <> exploit
| >
| > McAfee (or any other AV software for that matter) creates a default
| > message and then concatenates what's found to the default message.
| >
| > If you test the EICAR, see what it calls it !
| >
| > I'll say it again, again...  There is NO virus, this is an Exploit Code.
| >
| > The fact is if you are using the TEST URL http://www.isotf.org/zert/testvml.htm
| > there isn't even a payload.  It just creates a Buffer Overflow condition.
| > McAfee is flagging the Buffer Overflow condition or the test for it (I
| > can't tell which).
| >
| > Here it is in FireFox... (No virus statement here in Enterprise v7.1)
| > 10/4/2006 8:01:24 PM Deleted (Clean failed)  DLIPMAN-1\lipman D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill
| >
| > Here it is in Internet Explorer... (Again no virus statement here in Enterprise v7.1)
| > 10/4/2006 8:03:09 PM Deleted  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill
| >
| > Here it is in Opera... (Still no virus statement here in Enterprise v7.1)
| > 10/4/2006 8:05:29 PM Deleted  DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill
| >
| >
| > So it is YOUR version that generated this incorrect statement, and this
| > retail version was discontinued YEARS ago.  PCR, I believe you are still
| > using Retail VirusScan v5.x.
| >
| > One more time...
| >
| > There is NO virus, this is purely Exploit Code and this URL has NO payload !
| >
| >
| > |
| > | WELL, McAfee does give a choice of 3 what to call it, actually. I have
| > | taken the .dll already as Bear said, with Winzip. Yet I haven't
| > | installed it.
| > |
| >
| > My unofficial patch will install the non-vulnerable version, unregister
| > the vulnerable version, register the replacement DLL and fix the Registry.
| >
| >
|
| PCR, listen to David.  I was mistaken as well when I thought it was a
| virus.  It is an exploit code.  David knows what he is talking about and
| I give him lots of credit for that.  He studies viruses and exploit
| codes and stuff all the time.

McAfee gives me a choice of three! I'll have to try the Eicar tests...
http://www.eicar.org/anti_virus_test_file.htm
..., as he suggested. Oooo, it calls all 4 of those just a virus!
Therefore, it does seem McAfee can discriminate in its error message--
& it's being generous what one may call this new thing!



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



|
| McAfee gives me a choice of three! I'll have to try the Eicar tests...
| http://www.eicar.org/anti_virus_test_file.htm
| ..., as he suggested. Oooo, it calls all 4 of those just a virus!
| Therefore, it does seem McAfee can discriminate in it's error message--
| & it's being generous what one may call this new thing!
|

McAfee Enterprise v7.1...

0/5/2006 6:09:59 PM Deleted (Clean failed because the file isn't cleanable)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\eicar[1].com EICAR test file

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

|
|
| |
| | McAfee gives me a choice of three! I'll have to try the Eicar tests...
| | http://www.eicar.org/anti_virus_test_file.htm
| | ..., as he suggested. Oooo, it calls all 4 of those just a virus!
| | Therefore, it does seem McAfee can discriminate in its error message--
| | & it's being generous what one may call this new thing!
| |
|
| McAfee Enterprise v7.1...
|
| 0/5/2006 6:09:59 PM Deleted (Clean failed because the file isn't cleanable)  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\eicar[1].com EICAR test file

What are you trying to say? Can't it be quarantined, then?



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



|
| What are you trying to say? Can't it be quarantined, then?
|

I don't use a quarantine on my PC.

I am indicating that McAfee v7.1 Enterprise does NOT call this a "virus".  It is
your OLD v5.x retail version that falsely mislabels with the term "virus".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

|
|
| |
| | What are you trying to say? Can't it be quarantined, then?
| |
|
| I don't use a quarantine on my PC.
|
| I am indicating that McAfee v7.1 Enterprise does NOT call this a "virus".  It
| is your OLD v5.x retail version that falsely mislabels with the term "virus".

McAfee VirusScan v.5.21.1000 with Scan Engine v.4.3.20 gives me a choice
of three, I said...!...

.....Quote McAfee alert........
Download file:  G:\Temporary Internet
Trojan name:    Exploit.VMLFill
McAfee Shield:  Virus found in download file!
.....EOQ............................

BUT, fine, as I haven't the thing sneeze, it is possible McAfee was a
tad over-zealous. YET, it could be a trojan or an exploit, depending
upon what the particular malicious payload is set to do.



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

|
|
| |>
| |> What virus ?  This is Exploit code, not a virus !!!
| |
| | I believe I have already said to you in another thread, McAfee's wording
| | is...
| |
| | Download file:  G:\Temporary Internet
| | Trojan name:    Exploit.VMLFill
| | McAfee Shield:  Virus found in download file!
|
|
| Gee... three conflicts all in one message !
|
| Trojan <> virus <> exploit
|
| McAfee (or any other AV software for that matter) creates a default
| message and then concatenates what's found to the default message.
|
| If you test the EICAR, see what it calls it !

http://www.eicar.org/anti_virus_test_file.htm
It was the same format alert, BUT McAfee calls all 4 of those just a
virus!

| I'll say it again, again...  There is NO virus, this is an Exploit Code.

You may do so. It's one of the 3 choices!

| The fact is if you are using the TEST URL http://www.isotf.org/zert/testvml.htm
| there isn't even a payload.  It just creates a Buffer Overflow condition.
| McAfee is flagging the Buffer Overflow condition or the test for it (I can't
| tell which).

McAfee captures a file that the site attempts to put into my TIFs...
testvml[1].htm. It will delete or quarantine that file, renaming it...
testvml[1].htm.vir.
Then, apparently, the site continues to load and will crash to the IE
Error Report Tool. HOWEVER, now that I took the Win2k Vgx.dll, the crash
does not occur. I can only hope that's a good thing, since apparently
the site is one that wanted to poison me! It will be you, 98 Guy, Bear,
& Dan to blame, if not! And Chauvin!

I DO get to see "two colored boxes" on my screen now. But I thought that
was the wording in 98 Guy's bogus exploit/trojan/virus file,
testvml[1].htm! How can it be showing on my screen, IF I had McAfee
delete it ???

| Here it is in FireFox... (No virus statement here in Enterprise v7.1)
| 10/4/2006 8:01:24 PM Deleted (Clean failed)  DLIPMAN-1\lipman D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill
|
| Here it is in Internet Explorer... (Again no virus statement here in Enterprise v7.1)
| 10/4/2006 8:03:09 PM Deleted  DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill
|
| Here it is in Opera... (Still no virus statement here in Enterprise v7.1)
| 10/4/2006 8:05:29 PM Deleted  DLIPMAN-1\lipman C:\Program Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill

McAfee gives me a choice of three what to call it!

|
| So it is YOUR version that generated this incorrect statement, and this
| retail version was discontinued YEARS ago.  PCR, I believe you are still
| using Retail VirusScan v5.x.

McAfee VirusScan v.5.21.1000, Scan Engine v.4.3.20. I am doubly pleased
with it now, as this is the very first almost real virus it has caught
other than the ones at EICAR!

| One more time...
|
| There is NO virus, this is purely Exploit Code and this URL has NO payload !

It may have no payload, that is right.

| |
| | WELL, McAfee does give a choice of 3 what to call it, actually. I have
| | taken the .dll already as Bear said, with Winzip. Yet I haven't
| | installed it.
| |
|
| My unofficial patch will install the non-vulnerable version, unregister
| the vulnerable version, register the replacement DLL and fix the Registry.

It seems to be unnecessary to un/re-register it. And I was able like Dan
to do it in Windows, not DOS.

| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)



|
| It seems to be unnecessary to un/re-register it. And I was able like Dan
| to do it in Windows, not DOS.
|

It's a batch file silly !  :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


