Didier Stevens

Tuesday 5 December 2006

Customized Anti-Virus alert messages

Filed under: Malware — Didier Stevens @ 21:04

Some anti-virus software has a feature to customize the alert message when a virus is detected. The administrator can use this feature to instruct the user to contact the help-desk.

But most of the time, you cannot customize the message to the extent that it changes according to the type of alert. For example, an alert in the Temporary Internet Files folder is generated when a user browses a malicious website with IE. You want the custom message to tell him to “get the hell out of there”, in a politically correct way.

I wrote a quick C# PoC program that monitors the event log for virus alerts and displays customized messages for the user. Monitoring the event log is really easy with .NET:

   // needs: using System.Diagnostics;
   EventLog myLog = new EventLog("Application");
   myLog.EntryWritten += new EntryWrittenEventHandler(OnEventAdded);
   myLog.EnableRaisingEvents = true;

The OnEventAdded function will be called each time an event is added to the Application event log.

   // needs: using System.Text.RegularExpressions;
   private void OnEventAdded(object source, EntryWrittenEventArgs e)
   {
      // McAfee VirusScan Enterprise logs through the Alert Manager under this source
      if (e.Entry.Source == "Alert Manager Event Interface")
      {
         Regex regexVirus = new Regex(@"VirusScan Enterprise\: The file (.+) is infected with the (.+)\. ");
         Match matchVirus = regexVirus.Match(e.Entry.Message);

         if (matchVirus.Success)
         {
            String fileName = matchVirus.Groups[1].Value;
            // the greedy (.+) can run past the virus name, so cut at the first ". ";
            // if there is no ". ", IndexOf returns -1 and Substring would throw
            String virusGroup = matchVirus.Groups[2].Value;
            int dot = virusGroup.IndexOf(". ");
            String virusName = dot >= 0 ? virusGroup.Substring(0, dot) : virusGroup;
            // the rest of the code comes here
         }
      }
   }

I test if the source is “Alert Manager Event Interface” (this is the case when you use McAfee VirusScan Enterprise), and then I parse the event message with a regular expression to extract the relevant data (file name and virus name).
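To show the whole idea end to end (subscribe to the log, parse the McAfee message, and pick a different text when the file sits in the IE cache), here is an added example. It is not the PoC from this post: it only assumes the message format and event source quoted above, and the folder rule, the message texts and the constructed sample entry are my own.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example, not the PoC from the post. Watches the Application log for
// McAfee VirusScan Enterprise (VSE) alerts and picks a user message depending
// on where the infected file was found. The message format is the one quoted
// in the post; the folder rule and the message texts are assumptions.
class AlertWatcher
{
    // Event source VSE uses through the Alert Manager, as stated in the post.
    const string VseSource = "Alert Manager Event Interface";

    // Non-greedy groups stop at the first ". ", so the virus name comes out
    // clean without a Substring/IndexOf fix-up afterwards.
    static readonly Regex VirusAlert = new Regex(
        @"VirusScan Enterprise: The file (?<file>.+?) is infected with the (?<virus>.+?)\. ",
        RegexOptions.Compiled);

    // Returns the text to show the user, or null if this is not a VSE infection alert.
    public static string BuildUserMessage(string eventMessage)
    {
        Match m = VirusAlert.Match(eventMessage);
        if (!m.Success)
            return null;

        string file = m.Groups["file"].Value;
        string virus = m.Groups["virus"].Value;

        // Assumed rule: a detection in the IE cache means the user is on a
        // malicious page right now, so the advice is to leave it, not just
        // to call the help-desk later.
        if (file.IndexOf(@"\Temporary Internet Files\", StringComparison.OrdinalIgnoreCase) >= 0)
            return string.Format(
                "{0} was blocked while you were browsing. Close all browser windows now, "
                + "then call the help-desk and mention this message.", virus);

        return string.Format(
            "{0} was found in {1} and has been quarantined. Please call the help-desk.",
            virus, file);
    }

    static void Main()
    {
        // Constructed sample in the VSE message shape, so the parser can be tried offline.
        string sample = @"VirusScan Enterprise: The file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\page[1].htm is infected with the EICAR test file. The file was deleted successfully.";
        Console.WriteLine(BuildUserMessage(sample));

        // Live monitoring: EntryWritten fires for new entries in the local Application log.
        EventLog appLog = new EventLog("Application");
        appLog.EntryWritten += delegate(object sender, EntryWrittenEventArgs e)
        {
            if (e.Entry.Source != VseSource)
                return;
            string text = BuildUserMessage(e.Entry.Message);
            if (text != null)
                Console.WriteLine(text);   // swap in MessageBox.Show for a pop-up
        };
        appLog.EnableRaisingEvents = true;

        Console.WriteLine("Watching the Application log; press Enter to stop.");
        Console.ReadLine();
    }
}
```

Compile with csc and run it in the logged-on user's session on a machine with VSE installed; the first line printed is the message for the constructed sample. One caveat worth knowing: EntryWritten only covers the local machine's log, and the documented behaviour is that the event is raised at most about once every six seconds, so a burst of alerts can arrive as a single notification and the handler should not assume it sees every entry.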

Example of a customized alert:

[image: alert1.PNG]

Example of a customized alert for IE:

[image: alert2.PNG]

PoC source code available here.

Sinterklaas kapoentje, leg wat in mijn schoentje…

Filed under: Certification — Didier Stevens @ 20:04

Robert Scoble blogged from Amsterdam about Sinterklaas.

From Wikipedia:

Sinterklaas in Dutch is a holiday tradition in the Netherlands and Belgium, celebrated every year on Saint Nicholas’ eve December 5 or, in Belgium, the morning of December 6.

Sinterklaas brings gifts for children who have been good.

I must have been a good boy this year, because (ISC)² e-mailed me they would print my CISSP certificate today. I’ll follow-up with a more detailed post.
