Didier Stevens

Tuesday 5 December 2006

Customized Anti-Virus alert messages

Filed under: Malware — Didier Stevens @ 21:04

Some anti-virus software has a feature to customize the alert message when a virus is detected. The administrator can use this feature to instruct the user to contact the help-desk.

But most of the time, you cannot customize the message to the extent that it changes according to the type of alert. For example, an alert in the Temporary Internet Files folder is generated when a user browses a malicious website with IE. You want the custom message to tell him to “get the hell out of there”, in a politically correct way.

I wrote a quick C# PoC program that monitors the event log for virus alerts and displays customized messages for the user. Monitoring the event log is really easy with .NET:

   // requires: using System.Diagnostics;
   EventLog myLog = new EventLog("Application");          // open the Application log
   myLog.EntryWritten += new EntryWrittenEventHandler(OnEventAdded);
   myLog.EnableRaisingEvents = true;                       // start raising EntryWritten for new entries

The OnEventAdded function will be called each time an event is added to the Application event log.

   // requires: using System.Text.RegularExpressions;
   private void OnEventAdded(object source, EntryWrittenEventArgs e)
   {
      // only look at entries written by McAfee VirusScan Enterprise's alert manager
      if (e.Entry.Source == "Alert Manager Event Interface")
      {
         // group 2 is non-greedy so the virus name stops at the first ". " that follows it;
         // a greedy group would run to the last ". " in the message and need a second IndexOf/Substring
         // step that throws when no further ". " is present
         Regex regexVirus = new Regex(@"VirusScan Enterprise\: The file (.+) is infected with the (.+?)\. ");
         Match matchVirus = regexVirus.Match(e.Entry.Message);

         if (matchVirus.Success)
         {
            String fileName = matchVirus.Groups[1].Value;
            String virusName = matchVirus.Groups[2].Value;
            // the rest of the code comes here
         }
      }
   }

I test if the source is “Alert Manager Event Interface” (this is the case when you use McAfee VirusScan Enterprise), and then I parse the event message with a regular expression to extract the relevant data.
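As an added example (not the post's PoC code), the same parsing carried through to the per-alert decision described above: an infection under Temporary Internet Files gets the "leave that website" text, anything else gets the generic help-desk text. The sample event messages and virus names are constructed, and the exact McAfee message layout is assumed to be the one the regular expression above matches.

```csharp
using System;
using System.Text.RegularExpressions;

static class AlertClassifier
{
    // Same message layout the post parses: "...The file <path> is infected with the <name>. ..."
    // Group 2 is non-greedy and also accepts end-of-message after the final period.
    static readonly Regex VirusAlert = new Regex(
        @"VirusScan Enterprise: The file (.+) is infected with the (.+?)\.(?:\s|$)",
        RegexOptions.Compiled);

    // Returns the custom text to display, or null when the message is not a VSE infection alert.
    public static string MessageFor(string eventMessage)
    {
        Match m = VirusAlert.Match(eventMessage);
        if (!m.Success) return null;

        string fileName = m.Groups[1].Value;
        string virusName = m.Groups[2].Value;

        // A hit under Temporary Internet Files means the user is browsing a malicious site right now.
        if (fileName.IndexOf(@"\Temporary Internet Files\", StringComparison.OrdinalIgnoreCase) >= 0)
            return string.Format(
                "The website you are visiting tried to infect your PC with {0}. " +
                "Please close the browser window now and contact the help-desk.", virusName);

        return string.Format(
            "The file {0} is infected with {1}. The anti-virus has handled it; please contact the help-desk.",
            fileName, virusName);
    }

    static void Main()
    {
        // Constructed sample messages (not captured from a real system).
        string[] samples = {
            @"VirusScan Enterprise: The file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\page[1].htm is infected with the EICAR test file. The file was deleted.",
            @"VirusScan Enterprise: The file C:\temp\setup.exe is infected with the Sample-Test.gen. The file was cleaned.",
            "Some unrelated Application log event."
        };
        foreach (string s in samples)
            Console.WriteLine(MessageFor(s) ?? "(not a VirusScan alert, ignored)");
    }
}
```

In the PoC this would replace the "rest of the code comes here" comment, with the returned string shown to the user instead of written to the console.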

Example of a customized alert:

[image: alert1.PNG]

Example of a customized alert for IE:

[image: alert2.PNG]

PoC source code available here.
