Endpoint Protection

  • 1.  Detection of the virus Bloodhound.Exploit.193

    Posted Jul 29, 2010 04:14 AM
    Hi, guys! I have the following problem. SEP 11 has detected a virus on a workstation in our company. The signature of this virus (Bloodhound.Exploit.193) has not changed since 2008 (http://www.symantec.com/security_response/writeup.jsp?docid=2008-062316-3633-99). The file (swf file extension) has been on this computer since January 2010. I checked the results of previous weekly scans. No viruses were detected. Why was the virus detected six months later?


  • 2.  RE: Detection of the virus Bloodhound.Exploit.193

    Posted Aug 02, 2010 11:48 AM

    Was the file recently modified? Did you recently change a folder from scanning exceptions?


  • 3.  RE: Detection of the virus Bloodhound.Exploit.193

    Posted Aug 03, 2010 06:00 AM

    The file has not changed since January 2010. I have not set up exceptions (for workstations). On 02/05/2010 the directory with this file (yearsOf [1]. Swf) was copied from another workstation and stored as a backup. The logs indicate that the weekly scan completed successfully, but on 07/15/2010 the virus was detected in the file.
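
    The posts above rest on two checks the poster made by hand: that the file is really unchanged since it was copied, and that it is an ordinary SWF. The script below is an added example (not part of the thread and not a Symantec tool) that does both in one pass: it fingerprints the file with SHA-256, records the modification time against a baseline date, and parses the 8-byte SWF header (signature FWS/CWS/ZWS, version byte, little-endian declared uncompressed length), flagging a declared length that disagrees with the real size. The sample SWF built by `build_sample_swf` is constructed for the example: a valid header in front of filler bytes, not a real Flash movie. Function names and the baseline dates are the example's own choices.

```python
import hashlib
import os
import struct
import zlib
from datetime import datetime, timezone

# SWF signatures: "FWS" is uncompressed, "CWS" is zlib-compressed (SWF 6+),
# "ZWS" is LZMA-compressed (SWF 13+). In all three, byte 3 is the SWF version
# and bytes 4-7 hold the little-endian length of the uncompressed file.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes) -> dict:
    """Parse the SWF header and cross-check the declared length.

    A file that is not an SWF at all, or whose declared length disagrees
    with its real size, deserves a closer look before any scan verdict
    (heuristic or signature-based) about it is taken at face value.
    """
    if len(data) < 8:
        raise ValueError("too short to carry an SWF header")
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        raise ValueError("not an SWF signature: %r" % sig)
    version = data[3]
    declared = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        actual = len(data)
    elif sig == b"CWS":
        try:
            actual = 8 + len(zlib.decompress(data[8:]))
        except zlib.error:
            actual = None          # truncated or corrupt zlib stream
    else:
        actual = None              # LZMA body is not decompressed in this example
    return {
        "compression": SWF_SIGNATURES[sig],
        "version": version,
        "declared_length": declared,
        "actual_length": actual,
        "length_mismatch": actual is not None and actual != declared,
    }


def triage_swf(data: bytes, mtime: float, baseline: float) -> dict:
    """Fingerprint an SWF and say whether its mtime is later than a baseline.

    mtime and baseline are POSIX timestamps (seconds since the epoch, UTC).
    """
    header = parse_swf_header(data)
    modified = datetime.fromtimestamp(mtime, tz=timezone.utc)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "mtime_utc": modified.isoformat(),
        "modified_after_baseline": mtime > baseline,
        **header,
    }


def triage_swf_file(path: str, baseline: float) -> dict:
    """Convenience wrapper: read the file and its mtime from disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return triage_swf(data, os.path.getmtime(path), baseline)


def build_sample_swf(compressed: bool, version: int = 10) -> bytes:
    """Constructed sample: a valid SWF header followed by filler bytes.

    The body is 24 zero bytes, not a real Flash movie; it exists only so
    the header parser has something to measure.
    """
    body = b"\x00" * 24
    declared = 8 + len(body)
    header = bytes([version]) + struct.pack("<I", declared)
    if compressed:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


if __name__ == "__main__":
    # Baseline is the copy date from the thread (05 Feb 2010, UTC); the sample's
    # mtime of 20 Jan 2010 is constructed to mirror "unchanged since January".
    baseline = datetime(2010, 2, 5, tzinfo=timezone.utc).timestamp()
    mtime = datetime(2010, 1, 20, tzinfo=timezone.utc).timestamp()
    report = triage_swf(build_sample_swf(compressed=True), mtime, baseline)
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```

    On a real workstation you would call `triage_swf_file("path/to/file.swf", baseline)` once when the file is first backed up and again when the detection fires; identical SHA-256 values settle the "was the file modified" question independently of what the scan logs say, and the hash is also what you would submit with a false-positive or sample report.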



  • 4.  RE: Detection of the virus Bloodhound.Exploit.193

    Broadcom Employee
    Posted Aug 03, 2010 07:37 AM
    Bloodhound.Exploit.193 is a heuristic detection for files attempting to exploit the Adobe Flash Player Multimedia File Remote Buffer Overflow. Maybe you need to update the Adobe Flash Player to the latest version.

    Also, this is heuristic scanning; if the application misbehaved at that time, it might have been detected as a threat.


  • 5.  RE: Detection of the virus Bloodhound.Exploit.193

    Posted Aug 03, 2010 11:13 AM
    The computer had Adobe Flash Player 10.0.45.2 installed. This version of the player is not vulnerable to "Adobe Flash Player Multimedia File Remote Buffer Overflow" (BID 28695). A user has not worked with this file since February 2010; in addition, scanning takes place during the lunch break. Problem: the file contained malicious code known since 2008, but it was discovered late, after six months. I could understand it if the signature had changed, for example on 07/15/2010. But it has not changed since 2008.


  • 6.  RE: Detection of the virus Bloodhound.Exploit.193

    Broadcom Employee
    Posted Aug 03, 2010 11:32 AM
    It could be that other Adobe applications called the Flash Player.


  • 7.  RE: Detection of the virus Bloodhound.Exploit.193

    Posted Aug 03, 2010 11:33 AM
    Did you recently change the Bloodhound level on your AV security settings?

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948


  • 8.  RE: Detection of the virus Bloodhound.Exploit.193

    Posted Aug 04, 2010 03:02 AM
    The Bloodhound heuristic level is at the default. However, this option applies to File System Auto-Protect. The Administrator-defined scan section does not have a heuristic level option. The virus was detected during a Full System Scan.


  • 9.  RE: Detection of the virus Bloodhound.Exploit.193

    Posted Aug 04, 2010 09:19 AM
    Suppose that another application has called the Flash Player. But over 6 months the Flash Player has started many times, and a full system scan is run on a schedule every week. In addition, if the detection of the virus had occurred when the file was opened, the logs would record an Auto-Protect scan. But in my case, detection of the virus occurred during a Scheduled scan.


  • 10.  RE: Detection of the virus Bloodhound.Exploit.193

    Posted Aug 04, 2010 09:24 AM
    Sometimes I need to do this. SEP can't get all of this. Works nicely every time.