7 Replies Latest reply on Nov 8, 2013 8:49 AM by Philip Niegos

    Flame malware

    Devin Patel Lurker

      Hi,

      Is there a QID to detect the recently discovered Flame malware? If not, will there be one?

      -Dave

        • Flame malware
          Robert Dell'Immagine Level 5

          Moved to VM area for better visibility.

          • Flame malware
            Tim Pettigrew Level 1

            I opened a ticket the other day to ask the same question. The reply I received said "Qualys is staying clear of worms or other malware detections in Vulnerability Management as a product decision."

            -Tim

            • Flame malware
              Craig Kagawa Level 3

              Hi Devin,

              The Flame malware appears to be leveraging two older Microsoft vulnerabilities that were patched back in 2010 (Microsoft Security Bulletins MS10-046 and MS10-061). You can verify with QualysGuard that you do not have these unpatched vulnerabilities, which Flame has been known to use.

              QID 90616 "Microsoft Windows Shell Remote Code Execution Vulnerability (MS10-046 and KB2286198)"

              QID 90636 "Microsoft Windows Print Spooler Remote Code Execution Vulnerability (MS10-061)"

              The following QIDs can also be helpful.

              QID 105294 "Antivirus Product Not Detected on the Windows Host"

              QID 105336 "Firewall Product Not Detected on Windows Host"

              To help detect the Flame malware, please ensure your QualysGuard scanner is at Vulnerability Signatures version 2.2.139-2 or higher and use QID 1244 "Win32.Flame Detected".

              If you need further assistance please don't hesitate to contact Support.

              -Craig
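An added example, not from this thread and not Qualys or Microsoft code: a PowerShell script that runs, directly on Windows hosts, the same two checks Craig's reply maps to QIDs 90616/90636 and 105294, namely whether the hotfixes for MS10-046 and MS10-061 are recorded as installed and whether Security Center knows of an antivirus product. KB2286198 is taken from the QID title above; the MS10-061 KB number (KB2347290) and the decoding of the undocumented productState field are assumptions that do not appear in the thread and should be verified against the bulletin and your AV vendor before relying on them.

```powershell
# Added example (not from the thread, not Qualys code): local verification of the
# two Flame-related Microsoft patches and of antivirus presence on Windows hosts.
# Assumption: MS10-061 maps to KB2347290 (from the bulletin title, not the thread).
$Patches = @(
    @{ Bulletin = 'MS10-046'; KB = 'KB2286198'; Note = 'Windows Shell (LNK) remote code execution' }
    @{ Bulletin = 'MS10-061'; KB = 'KB2347290'; Note = 'Print Spooler remote code execution' }
)

function Test-FlamePatches {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($computer in $ComputerName) {
        # Get-HotFix only lists updates that left a record in the update history.
        # A newer OS release, or a cumulative update that supersedes the fix, will
        # not show the old KB, so "missing" means "investigate", not "vulnerable".
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID

        foreach ($p in $Patches) {
            [pscustomobject]@{
                ComputerName = $computer
                Bulletin     = $p.Bulletin
                KB           = $p.KB
                Description  = $p.Note
                Installed    = ($installed -contains $p.KB)
            }
        }
    }
}

function Get-AntivirusState {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # root/SecurityCenter2 exists on client SKUs (Vista and later). Server SKUs have
    # no Security Center, so an empty result there means "unknown", not "no AV".
    # Remote queries go over WinRM, which must be enabled on the target.
    $products = Get-CimInstance -ComputerName $ComputerName -Namespace 'root/SecurityCenter2' `
                                -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

    if (-not $products) {
        return [pscustomobject]@{
            ComputerName = $ComputerName; Product = '<none reported>'; Enabled = $null; UpToDate = $null
        }
    }

    foreach ($av in $products) {
        # productState is an undocumented bit field. The decoding below (middle byte
        # 0x10 = real-time protection on, low byte 0x00 = signatures current) is the
        # commonly observed layout and is an assumption, not a documented contract.
        $hex = '{0:X6}' -f [int]$av.productState
        [pscustomobject]@{
            ComputerName = $ComputerName
            Product      = $av.displayName
            Enabled      = ($hex.Substring(2, 2) -eq '10')
            UpToDate     = ($hex.Substring(4, 2) -eq '00')
        }
    }
}

# Usage: list hosts that lack either patch, then show what AV each host reports.
# Test-FlamePatches -ComputerName 'host1','host2' | Where-Object { -not $_.Installed } | Format-Table
# Get-AntivirusState -ComputerName 'host1' | Format-Table
```

Treat the output as a triage list rather than a verdict: a host that shows neither KB may simply be running a build that never needed them, and a host that shows both can still be compromised by another vector, which is why the scanner-side QID 1244 check in Craig's reply is the one that looks for Flame itself rather than for its entry points.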

                • Flame malware
                  Robert Dell'Immagine Level 5

                  Regarding these two QIDs:

                  QID 105294 "Antivirus Product Not Detected on the Windows Host"

                  QID 105327 "Antivirus Product Detected on the Windows Host"

                  They both currently detect these AV products:

                  AVG Antivirus

                  CA eTrust Antivirus

                  F-Secure Antivirus

                  Kaspersky Antivirus

                  McAfee Antivirus

                  Network Associates Antivirus

                  Sophos Antivirus Scanner

                  Symantec Norton Antivirus Corporate Edition

                  Symantec Norton Antivirus Personal Edition

                  Symantec Endpoint Protection

                  TrendMicro Antivirus

                  ESET Antivirus Scanner

                  Microsoft Windows Defender

                  Clam Antivirus

                  Checks for additional AV products can be added if customers request them.

                    • Flame malware
                      Philip Niegos Level 2

                      One additional note:

                      The QualysGuard Vulnerability Management Application does contain detections for many different types of malware.

                      To find their associated QIDs, simply use the KnowledgeBase Search tool and select the Category drop-down option called "Backdoors and Trojan Horses".

                      Additionally, the QualysGuard Malware Detection Service (MDS) is now a standard component in QualysGuard WAS v3 and greater. MDS uses both signature-based and advanced "behavioral" detection techniques to identify malware on EXTERNAL-facing Web Applications and Web sites.

                  • Flame malware
                    Philip Niegos Level 2

                    Devin,

                    QID 1244 - Win32.Flame Detected