Cisco Support Community

New Member

IDSM-2 vs Netsky.aa

Hello! My IDSM-2 (ver. 5.0.5 with latest signature updates) on Cat6513 (CatOS) doesn't catch the Netsky.aa virus, while my antivirus software does... Why? How can I drop the Netsky.aa activity with IDSM?

Thanks in advance.

5 REPLIES
New Member

Re: IDSM-2 vs Netsky.aa

We do cover Netsky under signatures 3136-0 to 3136-11; however, we do not cover the variant Netsky.aa. If you look at the overall risk rating for TREND for this virus, it is low. We partner with Trend to cover viruses or worms at medium to high severity levels.

Hope that explains things.

New Member

Re: IDSM-2 vs Netsky.aa

Thanks for the answer. Low TREND is a very strange reason to pass viruses through. Is it very hard work to add one Netsky.aa signature?

New Member

Re: IDSM-2 vs Netsky.aa

We did not decide to pass this vulnerability off due to the difficulty. We decide to write a signature based on the severity of a vulnerability; hence, we only cover medium to high severity.

New Member

Re: IDSM-2 vs Netsky.aa

Ok, ok... And what about these:

Email-Worm.Win32.NetSky.q

Email-Worm.Win32.Sober.y

Email-Worm.Win32.Bagle.dx

Email-Worm.Win32.NetSky.b

Email-Worm.Win32.Doombot.b

Net-Worm.Win32.Mytob.q

Net-Worm.Win32.Mytob.c

Net-Worm.Win32.Bobic.k

Email-Worm.Win32.Bagle.gen

Email-Worm.Win32.Bagle.bw

Do you plan to add all virus signatures to the IDS?

Also, do you plan to release an anti-spam filter for IDSM-2?

Kind regards.

Cisco Employee

Re: IDSM-2 vs Netsky.aa

Seeing as we partner with TrendMicro for virus and malware, we also happen to use their naming convention. I was able to cross-reference some of the list you submitted, coverage as noted below.

That said, the IDS/IPS is a network intrusion sensor, not an antivirus solution. We provide coverage for viruses/worms/malware that are fast breaking and pose significant risk to the end customer, but we do not cover every threat out there. For viruses/worms/malware that are elevated to a High severity on TrendMicro's site, you'll see a signature on the IDS platform for it.

To my knowledge, there are no plans to incorporate anti-spam filtering on the IDS/IPS platforms at this time. Frankly, it doesn't make much sense to me to have your IDS filter for spam, but that's just my opinion.

Email-Worm.Win32.NetSky.q

3136-5 Netsky.Q pif

Email-Worm.Win32.Sober.y

Is known as WORM_SOBER.AG to TrendMicro and is covered by signature 3137-6

Email-Worm.Win32.Bagle.dx

Is known as WORM_BAGLE.BM to TrendMicro, rated as low, no signature.

Email-Worm.Win32.NetSky.b

We do not cover the B variant, but do cover the following: c, d, e, k, j, p, q, s, x, y, ab, z

Did a quick search on Trend's site, but didn't find a match to these:

Email-Worm.Win32.Doombot.b

Net-Worm.Win32.Mytob.q

Net-Worm.Win32.Mytob.c

Net-Worm.Win32.Bobic.k

Email-Worm.Win32.Bagle.gen

Email-Worm.Win32.Bagle.bw
