TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED]. Contact [EMAIL PROTECTED] for help with any problems!
> From: Adi Sakti
>
> After installing Norton Anti Virus on which server sensor v6.5 installed, I got a warning from NAV saying that it detects a worm from file "evd000.enc".
> Does anybody know whether this is a worm or NAV misdetects it as a worm?
> If this is not a worm, what is evd000.enc actually?

The "network IDS" component stores a set of sniffer-compatible packet-capture files containing the packets that triggered the IDS. These are stored in a "round-robin" of tracefiles; if you don't copy them off somewhere, they will eventually be overwritten. You can use the following programs to read the packets within the file:

* Sniffer(tm) Network Analyzer from NAI
* NetMon from Microsoft (comes with Windows Server and SMS)
* Ethereal (freeware open-source from www.ethereal.com)

A common problem with anti-virus programs is that the patterns they choose for their "signatures" might match the patterns seen in the tracefiles. The files are not "infected" with the worm.

What likely happened is that a worm attempted to infect your machine. The IDS triggered on this, and stored some packets related to the event into the evd000.enc tracefile. The tracefile contained the same pattern NAV was looking for.

Some versions of CodeRed are contained in a single packet. This means the evd000.enc contains the entire CodeRed worm. From NAV's perspective, this isn't a misdetect: it is correctly finding a CodeRed worm. On the other hand, the file isn't "infected" with the worm; there is no vector for the worm to "leave" the file. From that perspective, it is a misdetect.

Regards,
Robert Graham
Chief Architect, Internet Security Systems

PS: I'm always interested in what people have in their "evidence" tracefiles. When people send them to me, I often spend my free time (e.g. when I'm on planes) looking over them, trying to see what I can do to reduce false-positives or extend signatures for new hacking techniques (the protocol-analysis technique often finds new styles of hacks).
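The situation Robert describes, a byte-level scanner hitting on worm bytes that sit inert inside a packet-capture file, can be reproduced offline. The following script is an added example, not code from the original post or from ISS's sensor; it builds a constructed, sniffer-compatible (libpcap-format) tracefile in memory with fake Ethernet/IP/TCP headers and a constructed marker string standing in for a worm signature, then shows that a naive whole-file scan (what an anti-virus engine does) and a capture-aware scan (what an analyst does with Ethereal or NetMon) land on the same bytes, and that those bytes are TCP payload data, not executable content of the file itself. All names, addresses and the marker are constructed for the example.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1

# Constructed stand-in for an IDS/AV signature; not a real worm pattern.
SIGNATURE = b"CONSTRUCTED-WORM-MARKER"


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame around an HTTP-looking payload.
    Checksums are left at zero; the capture is only meant for offline parsing."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst, src, EtherType IPv4
    ip_total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed RFC1918 hosts
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(payloads) -> bytes:
    """Constructed libpcap file: 24-byte global header, then one record per payload."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, p in enumerate(payloads):
        frame = build_frame(p)
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl_len, orig_len
        out += frame
    return bytes(out)


def iter_packets(pcap: bytes):
    """Yield (index, file_offset_of_frame, frame_bytes) for each record in a pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off, idx = 24, 0
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield idx, off, pcap[off:off + incl_len]
        off += incl_len
        idx += 1


def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None if it is not one."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                       # IP protocol field must be TCP
        return None
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + data_off:]


def scan_file(pcap: bytes, sig: bytes):
    """Naive whole-file scan: every file offset where the signature bytes occur."""
    hits, start = [], 0
    while (i := pcap.find(sig, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan_packets(pcap: bytes, sig: bytes):
    """Capture-aware scan: attribute each signature hit to a packet and its payload."""
    hits = []
    for idx, frame_off, frame in iter_packets(pcap):
        payload = tcp_payload(frame)
        if payload is None:
            continue
        pos = payload.find(sig)
        if pos >= 0:
            header_len = len(frame) - len(payload)
            hits.append({"packet": idx, "payload_offset": pos,
                         "file_offset": frame_off + header_len + pos})
    return hits


# Constructed "evidence" capture: one benign request, one request carrying the marker.
SAMPLE_PCAP = build_pcap([
    b"GET / HTTP/1.0\r\n\r\n",
    b"GET /x?" + b"N" * 16 + SIGNATURE + b" HTTP/1.0\r\n\r\n",
])

if __name__ == "__main__":
    print("file-level hits   :", scan_file(SAMPLE_PCAP, SIGNATURE))
    print("packet-level hits :", scan_packets(SAMPLE_PCAP, SIGNATURE))
```

Both scans report the same file offset; the difference is that the packet-level view tells you which captured packet carried the bytes and that they sit past the Ethernet, IP and TCP headers as application data. That is the whole of the "misdetect" question: the bytes are really there, but a tracefile is data the sensor wrote down, so copying it off the round-robin for analysis is the right response, not quarantining it.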
