3 Replies Latest reply: Apr 17, 2013 8:10 AM by Attila Polinger

    VSE 8.7 8.8 failing to detect Autorun worm


      Has anyone else seen VSE 8.7i or 8.8i failing to detect or partially failing to detect w32.changeup W32/Autorun.worm.aaeh!gen ??


      I have two client machines one with 8.8 and one with 8.7 which quarantined 3 files marked as the above worm, but still have about 10 or more infected files on each machine.


      Norton (free trial!) immediately detected the additional files and removed them - VSE 8.8 just sat there saying that "All was well, nothing detected".


      Both 8.7 and 8.8 were fully updated as of today (5400 engine and DATs as of 16-04-2013). I started going through the sample submission process to submit to McAfee but it was so long-winded I gave up in the end!!


      Capture.JPG Capture2.JPG

        • 1. Re: VSE 8.7 8.8 failing to detect Autorun worm
          Attila Polinger



          What I see in your first picture is that Norton has quarantined 4 files, 3 of which were identically named (wonder if it is the same file).

          Further, two detections by Auto-Protect (that is OAS in their terminology) and one by SONAR heuristics. This could be just one file after all, could you confirm that? (no file paths are displayed)


          Also, scope and strength of scan could be different; I assume Norton has come with full armour, whereas VirusScan config is unknown.


          The devil is in the details, I can say; I have seen a Symantec Endpoint Protection management console showing "All is well" and a green checkmark, while the criteria based on which it showed this were like this: do not alert until signatures are 30 days old, etc.



          • 2. Re: VSE 8.7 8.8 failing to detect Autorun worm

            OK fair point.

            McAfee 8.7 and 8.8 were both installed with default options. Both were set to scan for additional unwanted programs too. No exclusions were set. Buffer overflow, OAS, etc. enabled as per defaults. Both up to date.


            Norton was installed with defaults too - if you look at the image at the bottom right it shows 26 actions - actually quarantined 26 items all of which VSE had been manually pointed at to scan and reported clean.

            (yes there were multiple files with the same name).


            The meeniud.exe app was actually running rather than just being a flat file.

            • 3. Re: VSE 8.7 8.8 failing to detect Autorun worm
              Attila Polinger

              Well, defaults can be different for each product and may mean different strength after all: for example, the level of heuristics.

              I think the recommended setting of heuristic sensitivity for VSE is Medium (please try setting this, and also try setting it even higher - until something happens - for single scans of those undetected files).


              Please also try an ODS with memory, registry and folder scanning (a folder in which such a problem file resides) and heuristic settings as above.


              In addition, please submit such an - undetected - file to virustotal.com to see if the config of the McAfee engine there makes a difference.


              And please, if possible, patch up both VirusScans to the latest patch.