scottp99

join:2010-12-11
reply to dave

Re: Buffer Overflow blocked by AV, what should I do?

All I want to know is, when McAfee AV pops up a message that a Buffer Overflow has been blocked, what should I do? I just want to compare the actions of a worm, trojan or virus and this is the way I usually do it:

* Disconnect the LAN cable
* Try cleaning or deleting the infected file with AV
* If that cleaning or deleting fails, then reformat the drive, or restore the OS image.

But I want to know if this can be done with a Buffer Overflow infection. But even though the AV has blocked it, is there any way to find out if it survived the restore of my OS image?

That's all I want to know at this point.

Can a Buffer Overflow survive a clean restore of an OS image or am I safe since McAfee has blocked it?

I don't know, but this may be a "bug" in McAfee (the latest version), because I never had this from the older versions before.

Thanks.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
said by scottp99:

All I want to know is, when McAfee AV pops up a message that a Buffer Overflow has been blocked, what should I do?

I have not used a McAfee product in years, but in general when a security application tells me that it has detected something and that it "has been blocked", I assume that it indeed "has been blocked" (unless I see some indications that say otherwise).

Do you worry about your firewall reporting that unwanted incoming traffic "has been blocked", or are you just happy that it "has been blocked"?
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


norwegian
Premium
join:2005-02-15
Outback
kudos:1
reply to scottp99
said by scottp99:

Can a Buffer Overflow survive a clean restore of an OS image or am I safe since McAfee has blocked it?

If the image is from before the detection, no, it will not have any effect on the image you restore from.

You could discuss if it has affected the MBR records, and whether the image you have includes MBR records or just the partition image, but as mentioned - it was blocked. Either as a real detection or a false positive. As IE and ntdll were mentioned, I'd be more worried about a false positive and file corruption before your concerns of the detection of malware. It can be just as dangerous to system integrity.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke