<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Silicon Shecky &#187; Antivirus</title>
	<atom:link href="http://siliconshecky.com/tag/antivirus/feed/" rel="self" type="application/rss+xml" />
	<link>http://siliconshecky.com</link>
	<description>IT News, Reviews and Thoughts</description>
	<lastBuildDate>Tue, 24 Jan 2012 14:49:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Here we go again with virus hunting</title>
		<link>http://siliconshecky.com/here-we-go-again-with-virus-hunting/</link>
		<comments>http://siliconshecky.com/here-we-go-again-with-virus-hunting/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 17:24:28 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Internet/Music]]></category>
		<category><![CDATA[Rants]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[SMB]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/here-we-go-again-with-virus-hunting/</guid>
		<description><![CDATA[Viruses are everywhere these days. They slip past the defenses we put up, mess with our systems, and even steal our information. It's a billion-dollar black market for some, a set of hijinks for others. For me, it's a thorn in my side. 75 to 90 percent of the SMB calls I go [...]]]></description>
			<content:encoded><![CDATA[<p>Viruses are everywhere these days. They slip past the defenses we put up, mess with our systems, and even steal our information. It's a billion-dollar black market for some, a set of hijinks for others.</p>
<p>For me, it's a thorn in my side. 75 to 90 percent of the SMB calls I go on are for removing a virus/trojan from a PC or laptop. Every time I get asked the same questions: how can we stop this, why did it get through, and so on. Unfortunately, I don&#8217;t have a good answer for them.</p>
<p>I explain that it is a war. Virus writers are always a step ahead. Antivirus companies have to see the virus before they can stop it, and even that doesn&#8217;t always work.</p>
<p>The only way to be completely safe is to not use computers, cell phones, paper, iPads, or anything else that can hold a record. That isn&#8217;t going to happen. So I tell them to make sure updates are applied when they come out, and to be on the cautious side concerning web sites. Then a month or two later, I am back out to them removing another virus.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/here-we-go-again-with-virus-hunting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Goodbye One Care, Hello Microsoft Morro</title>
		<link>http://siliconshecky.com/goodbye-one-care-hello-microsoft-morro/</link>
		<comments>http://siliconshecky.com/goodbye-one-care-hello-microsoft-morro/#comments</comments>
		<pubDate>Thu, 11 Jun 2009 13:22:15 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Antitrust]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[AVG]]></category>
		<category><![CDATA[Kaspersky]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[McAffe]]></category>
		<category><![CDATA[Microsoft AV]]></category>
		<category><![CDATA[Rootkit]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=204</guid>
		<description><![CDATA[Back in March, Microsoft announced that Live One Care, a suite of security products, was going the way of the dinosaurs. Vendors such as Symantec and McAfee rejoiced that they didn&#8217;t have to go up against the 900-pound gorilla, and everything seemed to be fine with the world. Everything was back in its proper [...]]]></description>
			<content:encoded><![CDATA[<p>Back in March, Microsoft announced that Live One Care, a suite of security products, was going the way of the dinosaurs. Vendors such as Symantec and McAfee rejoiced that they didn&#8217;t have to go up against the 900-pound gorilla, and everything seemed to be fine with the world. Everything was back in its proper place.</p>
<p>That&#8217;s what you thought, at least. In reality, it has been leaked that Microsoft has been working on an antivirus program that will be free and will be officially announced soon. Morro, as it is being called, is supposed to offer protection from viruses, spyware, trojans, and rootkits. It is also going to be free. Now, it will supposedly only compete with software such as the low-end offerings from the major AV vendors, plus items such as the free AVG software out there. The real questions are: how will this affect the AV companies, and is this going to be bundled with Windows 7?</p>
<p>Why bundle it with Windows 7? Well, the rumor is that it will be out of beta and on the market near the end of 2009. This puts it in the same time frame as the release of Windows 7 (Oct. 22, 2009). I figure it will come out as a High Priority Update a month after Windows 7 is launched, to try and circumvent the antitrust issues that bundling Morro with Windows 7 would cause.</p>
<p>Try as they might, though, if Microsoft ties Morro in any way into Windows there will be antitrust allegations. Honestly, we have seen this sort of behaviour from Microsoft in the past, when it went head to head with Netscape back in the 90s. Just look at all the lawsuits from that. The difference is that the AV/security companies do have a lot more resources available to fight Microsoft in the courts.</p>
<p>My big question is this: why must a company such as Microsoft try to be everything? Can&#8217;t they learn to focus on the OS and their other current offerings without getting into another software area? Add to that, you can bet Morro will be heavily targeted by the underworld on the Internet, just because it is Microsoft.</p>
<p>This is something to keep your eyes on.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/goodbye-one-care-hello-microsoft-morro/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Symantec SMB solution</title>
		<link>http://siliconshecky.com/symantec-smb-solution/</link>
		<comments>http://siliconshecky.com/symantec-smb-solution/#comments</comments>
		<pubDate>Wed, 22 Apr 2009 12:49:31 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Endpoint]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[SMB]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=123</guid>
		<description><![CDATA[It is being reported that Symantec is coming out with a new SMB version of Endpoint Protection. Pardon me if I don&#8217;t start jumping for joy. I do install a lot of Symantec for clients, and I have dealt with their current Endpoint SMB solution. It does work, but at a very high cost. The [...]]]></description>
			<content:encoded><![CDATA[<p>It is being <a href="http://www.eweek.com/c/a/Midmarket/Symantec-Beefs-Up-Security-Options-for-SMBs-395367/?kc=rss">reported</a> that Symantec is coming out with a new SMB version of Endpoint Protection. Pardon me if I don&#8217;t start jumping for joy.</p>
<p>I do install a lot of Symantec for clients, and I have dealt with their current Endpoint SMB solution. It does work, but at a very high cost. The management system in it is anything but intuitive; adding desktops to the management console and managing them through the console is not simple. The database for the management system grows continuously, to the point where I have had to make sure it is installed only on a data drive and never install the Endpoint Manager on an OS partition.</p>
<p>Another odd thing I&#8217;ve run across is the way it comes out of the box: you need to go in and tell it not to scan your backup drive, especially if it is an SSD. I&#8217;ve had many issues with Symantec&#8217;s own BackupExec because the drive is in use due to Endpoint scanning all of it. Then there is the firewall and the way, on a server, it starts blocking ports that you have told it to leave open. Some software packages do use special ports for legitimate communication purposes. As far as support goes, don&#8217;t get me started on the poor support resources Symantec has for all of its products.</p>
<p>Since Endpoint now does allow reverting to the older 10.2 AV solution, I tend to put 10.2 on because it causes fewer problems. Less overhead, easier to manage, and it just works.</p>
<p>I know I&#8217;ll wind up having to deal with the new version. I just hope that the upcoming beta testing is open so I can place it on my test box and see whether it is worth it, or whether I should start recommending a different SMB solution. I know that my clients need the protection one way or another.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/symantec-smb-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Conference news&#8230;</title>
		<link>http://siliconshecky.com/security-conference-news/</link>
		<comments>http://siliconshecky.com/security-conference-news/#comments</comments>
		<pubDate>Tue, 21 Apr 2009 13:05:38 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Anti-virus]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[BackupExec]]></category>
		<category><![CDATA[Barracuda]]></category>
		<category><![CDATA[Endpoint]]></category>
		<category><![CDATA[MI5]]></category>
		<category><![CDATA[Norton]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Veritas]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=118</guid>
		<description><![CDATA[This week the big RSA Security Conference is going on in San Francisco. For those that don&#8217;t know what it is, I suggest taking a look at the conference website to get more info overall. There have been some interesting Keynote addresses that I plan on checking out online when I have time, but in [...]]]></description>
			<content:encoded><![CDATA[<p>This week the big RSA Security Conference is going on in San Francisco. For those that don&#8217;t know what it is, I suggest taking a look at the <a href="http://www.rsaconference.com/2009/us/index.htm" target="_blank">conference website</a> to get more info overall.</p>
<p>There have been some interesting keynote addresses that I plan on checking out online when I have time, but in the interest of time I came across an interesting announcement from Symantec.</p>
<p><a href="http://news.cnet.com/8301-1009_3-10223697-83.html" target="_blank">Symantec has acquired security vendor MI5</a>, and this could be both good and bad. MI5 makes appliances that do some of the things that, say, a Barracuda appliance does: web security and the like. Symantec, on the other hand, was once one of the best AV companies out there. I say once, because I know a lot of people had gotten turned off by their more recent offerings.</p>
<p>Now I am not going to bash Symantec&#8217;s AV stuff, especially considering that with their new CEO, they seem to be working on making their product better. I&#8217;m hearing reports that the new versions of their AV and Endpoint products are less resource-intensive and work much better. Plus they are bringing the Norton Utilities line back to where it should have always been.</p>
<p>What has me worried about them acquiring MI5 and assimilating it is what has happened with BackupExec. When Symantec bought Veritas and got its hands on BE, it seemed like it could be a good thing. Unfortunately, BE has basically stagnated under Symantec&#8217;s rule, the online support for the latest versions is almost non-existent, and they have yet to make it handle removable SSDs (solid-state drives) in an easy fashion. I hope to God that they don&#8217;t do the same sort of thing with MI5.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/security-conference-news/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Oh Boy</title>
		<link>http://siliconshecky.com/oh-boy/</link>
		<comments>http://siliconshecky.com/oh-boy/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 02:26:48 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Internet/Music]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Kapersky]]></category>
		<category><![CDATA[Maleware]]></category>
		<category><![CDATA[Malewarebytes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=39</guid>
		<description><![CDATA[So it seems that we have a couple of really nasty viruses (virii?) that came out in the last couple of weeks. The Virut.CE and Virux viruses are two of the worst viruses I&#8217;ve seen in a long time. You see, I spent the better part of evenings in the last week trying to remove [...]]]></description>
			<content:encoded><![CDATA[<p>So it seems that we have a couple of really nasty viruses (virii?) that came out in the last couple of weeks. The Virut.CE and Virux viruses are two of the worst viruses I&#8217;ve seen in a long time.</p>
<p>You see, I spent the better part of evenings in the last week trying to remove the Virut.CE one from a friend&#8217;s laptop. The issue is that, even if you clean it completely off, you will need to do a repair install of Windows and reinstall every other program on the machine. Why, you ask?</p>
<p>1) <strong>It adds code into normal executables.</strong> I&#8217;m talking explorer.exe, svchost.exe, and any other .exe file it can find.</p>
<p>2) <strong>It destroys the Software hive of the registry.</strong> This alone means you would need to restore it from the repair directory. Unless you have a recent backup of the hive safely off the machine, you lose just about every registry key from the software on your machine and have to reinstall it all.</p>
<p>3) <strong>It keeps coming back.</strong> Every tool from Kaspersky to Malwarebytes winds up finding it, trying to remove it, and yet it still comes back.</p>
<p>4) <strong>Initially it prevents access to Task Manager and Explorer.</strong> This is partially because of the registry infestation.</p>
<p>5) <strong>It hits flash/external USB drives.</strong> If there are executables on your external or flash drives, you are screwed. Scan them, and if it&#8217;s on them, format them.</p>
<p>6) <strong>It will spread over your network!</strong> If a machine is infected with these monsters, unplug its network connection immediately. It will infect network shares and spread across your network.</p>
<p>It is a pain to wipe and reinstall systems, I know, but there are a few things you can do to make it a little bit easier.</p>
<p>1) <strong>Use a boot CD and a clean external drive.</strong> Booting off a Linux or Windows boot CD (BartPE, ERD Commander), you can at least transfer documents to an external drive. Booting off the CD also means you won&#8217;t be activating the virus, so you are safe plugging an external drive in.</p>
<p>2) <strong>Format the drive and delete the partitions using the boot CD.</strong> This helps ensure that you don&#8217;t have it sitting in memory, and that the drives are clean. I recommend formatting the drives first, then wiping the partitions, then going ahead with the reinstall.</p>
<p>3) <strong>Remove all power from the machine for 5 minutes before starting the reinstall.</strong> This makes sure your memory has been cleared out.</p>
<p>I don&#8217;t know what joy people get from writing such destructive things. I do know that while it&#8217;s not really cleanable, the latest virus definitions for your antivirus will stop it before it starts, which hopefully will help mitigate it. Also, it seems that it comes through HTML initially, which means any site could unknowingly be hosting it.</p>
<p>The virus itself opens a back door to an IRC network, where your machine will be loaded with all other sorts of nasties. And so you all know, my friend&#8217;s machine was initially taken down by this monster within 5 minutes of being infected. <strong>Yes, totally infected and downed inside of 5 minutes!</strong></p>
<p>Hopefully you don&#8217;t have to deal with this for a friend, let alone a client network.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/oh-boy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>