Virus definition update on the F-Secure rescue CD

So, a co-worker from the office asked me to clean their personal laptop from one of those anti-virus application that install themselves and creates a bunch of pop-ups telling you you are infected. Obviously, I didn’t want to connect that machine to our corporate LAN, so I figured I should use a rescue CD of some sort that does AV scans. I was highly recommended to use F-Protect’s rescue CD for this type of malware in my SANS 504 course that I just took last week.

So, a co-worker from the office asked me to clean their personal laptop from one of those anti-virus application that install themselves and creates a bunch of pop-ups telling you you are infected.  Obviously, I didn’t want to connect that machine to our corporate LAN, so I figured I should use a rescue CD of some sort that does AV scans.  I was highly recommended to use F-Protect’s rescue CD for this type of malware in my SANS 504 course that I just took last week.

A quick Google search returned a very useful page from techmixer.com titled FREE Bootable AntiVirus Rescue CDs Download List.  This page lists seven freely available Antivirus rescue CD options.  So I downloaded the ISO for F-Protect and burned it to a CD.  Obviously, you want to make sure you are scanning with the latest virus definition update, but since the CD is a read-only media, you can’t update the virus definition on it.  The ISO contains a virus definition file from July 2009, but that’s way to old to be useful.  I tried to follow the instructions that were on the techmixer.com page about F-Protect to use the updates on a USB stick, but without success.  When all else fails, read the instructions.  😉

I downloaded the PDF manual from http://www.f-secure.com/linux-weblog/files/rescue_cd_user_guide.20090717.pdf and those instructions, unlike the ones on the techmixer.com ones, instructed to create a fsecurerescuecd folder on your USB stick.  That way, the virus definition gets expanded to the rescuecd folder as well as the results of the scan is saved in a reports folder.  The trick is to use a USB drive that has nothing else on it.  Why they had to do it that way, I’m not sure.  I wished that it wasn’t so because I would rather carry only one stick instead of dedicating one to having the F-Secure virus definition file.

For those of you who prefer bullets and get ‘er done, here is a step-by-step how-to:

  1. Download the ISO  from the F-Secure web site.  As of this writing, version 3.11 is current.
  2. Burn the ISO to a CD.
  3. Have a FAT formated USB thumb drive with nothing on it.
  4. Create a fsecure folder at the root of the drive.
  5. Create a rescuecd folder in the fsecure folder.
  6. Download the latest virus definition file from F-Secure from http://download.f-secure.com/latest/fsdbupdate9.run
  7. Copy the fsdbupdate9.run to the root of your USB drive.
  8. Plug-in the USB drive on the sick computer and then boot the rescue CD.

F-Secure picked-up that I had a USB drive connected and used the virus definition for the scan.  Simply follow the on-screen instructions and your computer will be cleaned up.

Adobe Reader is vulnerable yet again

I figured it would happen eventually, but not quite so soon. It appears that Adobe Reader is suffering from at least two more zero-day vulnerabilities. Here’s the low-down.

I figured it would happen eventually, but not quite so soon. It appears that Adobe Reader is suffering from at least two more zero-day vulnerabilities – less than two months after the JBIG2 vulnerability.  Here’s the low-down.

All currently supported shipping versions of Adobe Reader and Acrobat (9.1, 8.1.4, and 7.1.1 and
earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions
for all platforms (Windows, Macintosh and UNIX) to resolve this issue.  The vulnerabilities are in the JavaScript engine of the Adobe products.  This, by the way, affects both Adobe Reader and Adobe Acrobat.  The vulnerabilities exist in two JavaScript functions; getAnnots() and spell.customDictionaryOpen() and both allow remote code execution.  One way to protect yourself is to disable JavaScript – see the simple instructions from F-Secure.

Many people made this recommendation when the last vulnerability was uncovered (jbig2 vulnerability), but it just seems to be louder this time; find an alternative reader to the Adobe Reader product.  If you need an idea for what is available out there, take a look at PDFreaders.org.  I know that I have made the recommendation where I work, but it might not be that easy.  Corporations sometimes will rely heavyly on Adobe Reader to view custom business forms that are used on a daily basis with customers.  That reliance will often show itself in the in-house applications that make calls directly to the Adobe DLL.

You can read a bit more about the challenges of replacing Adobe Reader and Acrobat here.