Category 4

W32.Nimda.A@mm

Discovered on: September 18, 2001
Last Updated on: April 16, 2002 at 05:21:25 AM PDT

Symantec has not seen any significant increase in activity due to the re-activation of the emailing routine after its initial 10 day sleep period.

W32.Nimda.A@mm is a mass-mailing worm that utilizes multiple methods to spread itself. The name of the virus came from the reversed spelling of "admin". The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.

The worm uses the Unicode Web Traversal exploit. A patch for computers running Windows NT 4.0 Service Packs 5 and 6a or Windows 2000 Gold or Service Pack 1 and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed just by reading or previewing the file. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

If you visit a compromised Web server, you will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. You can disable "File Download" in your Internet Explorer internet security zones to prevent this compromise.

Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges.

Removal Tool
Symantec Security Response has posted a tool to remove infections caused by W32.Nimda.A@mm. Please go here to download the tool.

Virus Definitions
Virus Definitions may be downloaded using LiveUpdate or from the Symantec Security Response Web site at this location.

Symantec Solutions
Symantec offers a host of solutions to defend and protect against W32.Nimda.A@mm. Click here to review Symantec's recommendations on how to address W32.Nimda.A@mm and similar "blended threats".

Information for Macintosh users:
Although Macintosh computers cannot be infected by this worm, it can be passed through Macintosh email to Windows computers. Also, if you share a network with Windows computers, files could be placed on your hard drive. For additional information, read the document Are Macintoshes affected by the Nimda virus?

Information for Novell users
Novell servers are not directly vulnerable, but a Novell client running under Windows can access the Novell server and execute the file from there (using a login script or other means), which can spread the virus further.

NOTE: Microsoft has released a cumulative roll up for IIS 4.0 on NT 4.0 SP5 and later as well as all security patches released to date for IIS 5.0. This can be found at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

Microsoft has provided information regarding this virus at the following website: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/nimda.asp

Also Known As: W32/Nimda@mm, PE_NIMDA.A, I-Worm.Nimda, W32/Nimda-A, Win32.Nimda.A
Type: Virus, Worm
Infection Length: 57344

  • Virus Definitions (Intelligent Updater)*: September 18, 2001
  • Virus Definitions (LiveUpdate™)**: September 18, 2001

    * Intelligent Updater virus definitions are released daily, but require manual download and installation.
    ** LiveUpdate virus definitions are usually released every Wednesday.

    threat assessment

    Threat Metrics
    Wild: High
    Damage: Medium
    Distribution: High

    technical details

    Infection by way of a Web Server

    W32.Nimda.A@mm attempts to infect unpatched Microsoft IIS web servers. On Microsoft IIS 4.0 and 5.0, it is possible to construct a URL that would cause IIS to navigate to any desired folder on the logical drive that contains the web folder structure, and access files in it. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

    Successful exploitation of the Directory Traversal Vulnerability gives the attacker the ability to install and run code, as well as add, change or delete files or web pages on the compromised server. The limitations of the original vulnerability include:

      1. The server configuration. The vulnerability only allows files to be accessed if they reside on the same logical drive as the web folders. For example, if a Web administrator had configured the server so that the operating system files were installed on the C drive and the Web folders were installed on the D drive, the attacker would be unable to use the vulnerability to access the operating system files.
      2. The attacker must be logged onto the server interactively.
      3. The privileges gained would be only those of a locally-logged-on user. The vulnerability only would allow the malicious user to take actions in the context of the IUSR_machinename account.

    However, by using the W32.Nimda.A@mm worm as a delivery mechanism, the attacker is able to compromise a vulnerable IIS server remotely and once compromised, create a local account on the targeted server with administrator privileges regardless of which drive the IIS server is installed on. The worm uses directory traversal techniques to access cmd.exe on unpatched IIS servers. The worm also attempts to use IIS servers that had previously been compromised by CodeRed II to propagate and to access root.exe from the inetpub/scripts directory.

    NOTE: If Norton AntiVirus RealTime protection is detecting files such as "TFTP34%4.txt" as infected with W32.Nimda.A@mm in your inetpub/scripts folder, you may have been previously exposed to CodeRed II. It is recommended that you download and execute the CodeRed removal tool to make sure that your system has been cleaned of the CodeRed II threat. The tool can be found here.

    The worm searches for Web servers using randomly generated IP addresses. Using the Unicode Web Traversal exploit, the worm copies itself to the Web server as admin.dll via TFTP. Infected machines create a listening TFTP server (port 69/UDP) to transfer a copy of the worm.

    This file is then executed on the Web server and copied to multiple locations. In addition to this exploit, the worm attempts to exploit already compromised web servers using the files root.exe or cmd.exe that are located in remotely executable web directories.

    The worm then attempts to modify files named default, index, main or readme, or files with the extensions .htm, .html, or .asp, by adding JavaScript. The JavaScript causes visitors who open infected pages to be presented with Readme.eml, which was created by the worm. Readme.eml is an Outlook Express email file with the worm as an attachment. The email message utilizes the MIME exploit. Thus, a computer may be infected simply by browsing the infected Web page.
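A defender-side check for the web-server traffic described in this section, added here as an example and not part of the Symantec write-up: it scans constructed IIS W3C-extended log lines for traversal requests (including the double-encoded and overlong-UTF-8 forms that MS00-078 concerns), requests for cmd.exe or CodeRed II's root.exe, and served .eml/.nws files. The field order, client addresses and timestamps are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-extended log lines (fields assumed to be:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status). The two
# cmd.exe requests use double encoding (%255c) and an overlong UTF-8 slash
# (%c0%af), which unpatched IIS 4.0/5.0 decoded after its path check.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 192.0.2.10 GET /scripts/root.exe /c+dir 200
2001-09-18 14:02:12 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:13 192.0.2.10 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:05:00 198.51.100.7 GET /index.htm - 200
2001-09-18 14:06:30 198.51.100.7 GET /readme.eml - 200
"""

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SHELL_TARGETS = ("/cmd.exe", "/root.exe")
PAYLOAD_EXTENSIONS = (".eml", ".nws")


def decode_uri(uri):
    """Percent-decode repeatedly (catches %25-style double encoding), then map the
    overlong two-byte forms of '/' and '\\' that IIS 4.0/5.0 accepted, and
    normalise backslashes so any traversal is visible as '/../'."""
    data = uri.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    data = data.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return data.decode("latin-1").replace("\\", "/").lower()


def classify_request(uri_stem):
    """Return the indicator tags that apply to one request path."""
    path = decode_uri(uri_stem)
    tags = []
    if TRAVERSAL.search(path):
        tags.append("directory-traversal")
    if path.endswith(SHELL_TARGETS):
        tags.append("command-shell-request")  # cmd.exe, or CodeRed II's root.exe
    if path.endswith(PAYLOAD_EXTENSIONS):
        tags.append("eml-or-nws-served")      # e.g. the worm's readme.eml
    return tags


def scan_iis_log(text):
    """Return one alert dict per suspicious request in a W3C-extended IIS log."""
    alerts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, client, _method, stem, _query, status = fields[:7]
        tags = classify_request(stem)
        if tags:
            alerts.append({"client": client, "uri": stem, "status": status, "tags": tags})
    return alerts


def traversal_sources(alerts):
    """Client addresses that sent traversal or shell requests: hosts to isolate and clean."""
    return sorted({a["client"] for a in alerts
                   if set(a["tags"]) & {"directory-traversal", "command-shell-request"}})


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG)
    for a in found:
        print(a["client"], a["status"], a["uri"], ",".join(a["tags"]))
    print("probable worm sources:", traversal_sources(found))
```

A 200 status on a cmd.exe or root.exe request means the server almost certainly executed the command and should be treated as compromised; a 404 still identifies an infected client probing the network.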

    System Modifications

    When executed the worm determines from where it is being executed. The worm then overwrites Mmc.exe in the \Windows folder, or creates a copy of itself in the Windows Temporary folder.

    The worm then infects executables, creates itself as .eml and .nws files, and copies itself as Riched20.dll in folders that contain .doc files on the local drive. The worm searches for files in the paths listed in the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    The worm hooks the system by modifying the System.ini file as follows:

    Shell = explorer.exe load.exe -dontrunold

    It also replaces the file Riched20.dll. Riched20.dll is a legitimate Windows .dll file that is used by programs such as Microsoft Word. By replacing this file, the worm is executed each time programs such as Microsoft Word are executed.

    The worm also registers itself as a service process or adds itself as a remote thread to the Explorer process. This allows the worm to continue to execute even when a user is not actively logged on.

    The worm copies itself as the file:

    %Windows\System%\load.exe

    NOTE: %Windows\System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System) and copies itself to that location.

    Next, the worm creates open network shares for all drives on the computer by modifying the registry key:

    HKLM\Software\Microsoft\Windows\
    CurrentVersion\Network\LanMan\[C$ -> Z$]

    A reboot of the computer is required for these settings to take effect.

    The worm searches for all open shares on the network by iterating through Network Neighborhood and by utilizing randomly generated IP addresses. All files on any open network shares are examined for possible infection. All .exe files are infected by the worm except Winzip32.exe.

    Next, .eml and .nws files are copied to the open network shares and the worm copies itself over as Riched20.dll to any folder that contains .doc files.

    The worm changes Explorer settings to not show hidden files and known file extensions.

    The worm adds the user Guest to the groups Guests and Administrators. This gives the Guest account Administrative privileges. In addition, the worm actively shares C$ (C:\); no reboot is required for this share.

    Mass-Mailer

    Nimda contains a mass-mailing routine which is executed every 10 days. The worm begins this routine by first searching for email addresses. The worm searches for email addresses in .htm and .html files on the local system. The worm also uses MAPI to iterate through all messages that are contained in any MAPI-compliant email clients. Any MAPI-supporting email client may be affected, including Microsoft Outlook and Outlook Express. The worm uses these email addresses for both the To: and the From: addresses. Thus, mail sent from the infected computer will appear to have been sent by the people whose addresses have been found by Nimda, not by the person whose computer is infected.

    The worm uses its own SMTP server to send out emails using the configured DNS entry to obtain a mail server record (MX record).

    When the worm is received by email, the worm uses an old, known MIME exploit to auto-execute itself. The worm will be unable to execute using Microsoft Outlook or Outlook Express if the system has been patched against this exploit. Information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

    Infecting Executables

    The worm also attempts to infect .EXE files. First, the worm checks to see if the file is already infected. If the file is not infected the worm makes a copy of itself in the Temporary directory. The victim file is embedded inside the copy. This new file is then copied over the victim file replacing the originally clean file with an infected version. Infected executables will be approximately 57344 bytes larger. When an infected file is executed, the worm will extract the original clean file to a temporary file and execute it along with itself. Thus, one may not notice their executable has become infected.

    During execution, the worm may attempt to delete copies of itself. If the file is in use or locked, the worm will create the file Wininit.ini with an entry to delete itself upon reboot.

    When infecting files, the worm may create two temporary files in the Windows Temporary folder as:
    • mep[nr][nr][letter][nr].TMP.exe
    • mep[nr][nr][letter][nr].TMP

    Both files will be hidden and have the system attribute set.
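A host-side indicator check for the System Modifications and Infecting Executables sections above, added here as an example and not part of the Symantec write-up or its removal tool. It runs over a constructed snapshot (a system.ini text, a file list, the subkeys under the LanMan registry key and group memberships) and flags the Shell= hook, Riched20.dll dropped beside .doc files, the mep*.TMP droppers, C$..Z$ share keys and Guest in Administrators; the sample paths and the C:\Windows install location are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed snapshot of an infected host, modelled on the modifications the
# write-up lists: the system.ini hook, load.exe, Riched20.dll dropped beside
# .doc files, mep*.TMP droppers, LanMan share keys and Guest in Administrators.
SAMPLE_SYSTEM_INI = """\
[boot]
Shell = explorer.exe load.exe -dontrunold
drivers=mmsystem.dll
"""
SAMPLE_FILES = [
    r"C:\Windows\System\load.exe",
    r"C:\Windows\System\riched20.dll",      # legitimate copy's location
    r"C:\Reports\quarterly.doc",
    r"C:\Reports\riched20.dll",             # worm copy next to a .doc
    r"C:\Windows\Temp\mep12a3.TMP",
    r"C:\Windows\Temp\mep12a3.TMP.exe",
]
SAMPLE_LANMAN_SUBKEYS = ["C$", "D$", "PRINTER"]   # under HKLM\...\Network\LanMan
SAMPLE_GROUPS = {"Administrators": ["Administrator", "Guest"], "Guests": ["Guest"]}

WINDOWS_DIR = PureWindowsPath(r"C:\Windows")   # assumed install location
DROPPER_NAME = re.compile(r"^mep\d{2}[a-z]\d\.tmp(\.exe)?$", re.IGNORECASE)
SHARE_KEY = re.compile(r"^[C-Z]\$$", re.IGNORECASE)

def shell_line(system_ini):
    """Value of Shell= in the [boot] section of system.ini, or None if absent."""
    section = None
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "shell":
                return value
    return None

def check_shell_hook(system_ini):
    """A clean line is just explorer.exe; the worm appends 'load.exe -dontrunold'."""
    value = shell_line(system_ini) or ""
    tokens = value.lower().split()
    if "load.exe" in tokens or "-dontrunold" in tokens:
        return "system.ini Shell hook: " + value
    return None

def riched20_beside_docs(paths):
    """Folders outside the Windows tree holding both .doc files and Riched20.dll."""
    names_by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        names_by_dir.setdefault(wp.parent, set()).add(wp.name.lower())
    hits = []
    for folder, names in names_by_dir.items():
        if folder == WINDOWS_DIR or WINDOWS_DIR in folder.parents:
            continue
        if "riched20.dll" in names and any(n.endswith(".doc") for n in names):
            hits.append(str(folder))
    return hits

def dropper_temp_files(paths):
    """mep[nr][nr][letter][nr].TMP and .TMP.exe files left by the infector."""
    return [p for p in paths if DROPPER_NAME.match(PureWindowsPath(p).name)]

def forced_share_keys(subkeys):
    """C$ .. Z$ subkeys under the LanMan key share whole drives after the next reboot."""
    return [k for k in subkeys if SHARE_KEY.match(k)]

def guest_is_administrator(groups):
    return "guest" in {m.lower() for m in groups.get("Administrators", [])}

def host_indicators(system_ini, paths, lanman_subkeys, groups):
    """Collect every indicator found in the snapshot; an empty list means none."""
    findings = []
    hook = check_shell_hook(system_ini)
    if hook:
        findings.append(hook)
    findings += ["Riched20.dll beside .doc files: " + f for f in riched20_beside_docs(paths)]
    findings += ["infector temp file: " + f for f in dropper_temp_files(paths)]
    findings += ["LanMan drive share key: " + k for k in forced_share_keys(lanman_subkeys)]
    if guest_is_administrator(groups):
        findings.append("Guest is a member of Administrators")
    return findings

if __name__ == "__main__":
    for finding in host_indicators(SAMPLE_SYSTEM_INI, SAMPLE_FILES,
                                   SAMPLE_LANMAN_SUBKEYS, SAMPLE_GROUPS):
        print(finding)
```

On a live Windows 9x host the same functions would be fed the real system.ini, a directory walk, the LanMan subkeys read from the registry and the local group members; the temp files are hidden and system-attributed, so the walk must not skip hidden entries.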

    Ports used by this worm are listed below. It should be noted that these are all standard ports.
    • TCP 25 (SMTP) - used to send email to targets with addresses taken from the compromised client.
    • TCP 69 (TFTP) - opens port 69/udp for the TFTP transfer of admin.dll for the IIS infection. As part of this protocol it makes outgoing connections to transfer the files.
    • TCP 80 (HTTP) - uses this port to target vulnerable IIS servers.
    • TCP 137-139, 445 (NETBIOS) - used in the transmission of the worm.

    Additionally, the worm watches for connections carrying a particular sequence of bytes and then opens a port specified in the incoming connection request. This port is not restricted to any particular range.

    The worm contains bugs and can be resource intensive. Thus, not all actions may occur and system instability may be noticeable.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":


    removal instructions

    Symantec Security Response has posted a tool to remove infections caused by W32.Nimda.A@mm.
    Please go here to download the tool.

    NOTE: Once a computer has been attacked by W32.Nimda.A@mm, it is possible that your system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to your system, including but not limited to the following:
    • Stealing or changing passwords or password files
    • Installing remote-connectivity host software, also known as backdoors
    • Installing keystroke logging software
    • Configuring of firewall rules
    • Stealing of credit card numbers, banking information, personal data, and so on
    • Deletion or modification of files
    • Sending of inappropriate or even incriminating material from a customer's email account
    • Modifying access rights on user accounts or files
    • Deleting information from log files to hide such activities

    If you need to be certain that your organization is secure, you must reinstall the operating system, and restore files from a backup that was made before the infection took place, and change all passwords that may have been on the infected computers or that were accessible from it. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.

    Manual Removal Instructions
    If you cannot obtain the removal tool, or if it does not work in your situation, follow these steps:
      1. Run LiveUpdate to make sure that you have the most recent virus definitions.
      2. Do one of the following:
      • If you are running Windows NT/2000/XP, skip to step 3.
      • If you are running Windows 95/98/Me, edit the System.ini file as follows:
          1. Click Start, and click Run.
          2. Type the following, and then click OK:

          edit c:\windows\system.ini

          The MS-DOS Editor opens.

          NOTE: If Windows is installed in a different location, make the appropriate substitution.

          3. Locate the line that begins with shell=
          4. Position the cursor immediately to the right of the equal sign.
          5. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
          6. Type the following text:

          explorer.exe

          The line should now look like:

          shell=explorer.exe

          NOTE: Some computers may have an entry other than Explorer.exe after shell=. If this is the case and you are running an alternative Windows shell, then change this line to shell=explorer.exe for now. You can change it back to your preferred shell after you have finished this procedure.

          7. Click File, click Exit, and then click Yes when you are prompted to save the changes.
      3. Restart the computer.

      NOTE: When your computer restarts, it is likely that infected files will be found. We recommend that you attempt to repair the infected file. Quarantine any file that is not repairable.

      4. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instruction on how to do this, read the document How to configure Norton AntiVirus to scan all files.
      5. Scan your system with NAV. For instruction on how to run a scan with NAV, read the document How to scan for viruses.
      6. For each file detected as infected by W32.Nimda.A@mm or W32.Nimda.A@mm (html), choose Repair. Quarantine any file that is not repairable.
      7. For each file detected as infected by W32.Nimda.A@mm (dr), W32.Nimda.enc, W32.Nimda.A@mm (dll), choose Delete.
      8. Restore Admin.dll and Riched20.dll from backup, or from the Microsoft Windows or Office .cab files if necessary.
      9. Remove unnecessary shares.
      10. Delete the guest account from the Administrators group (if applicable).

    System Restore option in Windows Me/XP
    Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that on-line scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
    For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

      How to extract the Riched20.dll
      If you see errors when you start programs such as Microsoft Word, or the programs will not start, you need to extract the Riched20.dll file. (As an alternative, you can reinstall the operating system and the affected programs.)

      Please see the instructions for your operating system.

      NOTE: These instructions are provided for your convenience, and will work on most computers. For additional information on extracting files, including other Windows files that may have been damaged, read one of the following:

      Windows 95/98
      You need to use the Extract command at a DOS prompt. Follow these steps to do this, using the instructions for your operating system.

        NOTES:
        • You will need a Windows 98/Me startup disk. (If you are using Windows 95, you will still need one that was created on a Windows 98/Me computer). For instructions on how to create one, see the document How to create a Windows Startup disk.
        • Have the Windows installation CD available.
        • When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type

          extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system

        • If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows folder.
        • For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605.
        • As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.

        1. Shut down the computer and turn off the power. Once the computer is off, insert the Windows 98/Me Startup disk in the floppy disk drive and turn the computer back on. At the menu, select Start with CD-ROM support.
        2. Type the command that applies to your operating system:
        • If you are using Windows 98, then type the following and press Enter:

          extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system
        • If you are using Windows 95, then type the following and press Enter:

          extract /a win95_10.cab riched20.dll /L c:\windows\system

        NOTE: If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter.



      Windows NT 4.0
        1. Make sure that Windows is configured to show all files.
        2. Search for and then delete all Riched20.dll files.
        3. Reapply the most recent service pack. The service pack will replace the file with a new copy.
        4. If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to reinstall Microsoft Office.


      Windows 2000
      If you are using Windows 2000, a built-in program will find and replace missing or corrupt system files. To replace the corrupted Riched20.dll, follow these steps:
        1. Make sure System File Checker is enabled:
          1. Click Start and then click Run.
          2. Type cmd and click OK.
          3. Type the following and then press Enter:

          sfc /enable

          4. Type exit and then press Enter.
        2. Make sure that Windows is set to show all files:
          1. Start Windows Explorer.
          2. Click the Tools menu and then click Folder options.
          3. Click the View tab.
          4. Uncheck "Hide file extensions for known file types."
          5. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
          6. Click Apply, and then click OK.
        3. Search for Riched20.dll:
          1. Click Start, point to Find or Search, and click Files or Folders.
          2. Make sure that "Look in" is set to (C) and that Include subfolders is checked.
          3. In the "Named" or "Search for..." box, type--or copy and paste--the following file names:

          riched20.dll


          4. Click Find Now or Search Now.
          5. Delete the files that are displayed.
        4. Restart the computer.
        5. System File Checker will replace any missing Riched20.dll files. If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to reinstall Microsoft Office.

      Additional information:

      Norton AntiVirus
      Norton AntiVirus is the world's most trusted antivirus solution. Now it repairs common virus infections automatically, without interrupting your work. Automatic updating of virus definitions over the Internet is just as easy. Symantec's exclusive Script Blocking technology defends against fast-moving threats by identifying and stopping new script-based viruses such as "ILoveYou" even between virus definition updates. To safeguard your PC and prevent it from spreading viruses to your friends and colleagues, Norton AntiVirus scans and cleans both incoming and outgoing email. And for instant access to the most-needed functions, it integrates into Windows Explorer. If you do not have antivirus software, protect your computer from worms and viruses with Symantec's award-winning Norton AntiVirus 2002.

      Norton AntiVirus Corporate Edition
      Norton AntiVirus Corporate Edition provides best-of-breed, multi-platform, enterprise-wide virus protection at the desktop and file server tiers. The Digital Immune System, the result of two years collaborative work with IBM®, provides access to intelligent back-end services and exclusive automated response mechanisms. Closed-loop automation is a response feature that analyzes and deploys quality-tested cures faster than viruses can spread. Even in the face of unusually heavy demand during widespread attacks, Symantec's scalable back-end architecture ensures fast delivery of the virus definitions required for complete protection.

      Norton AntiVirus for Gateways
      Norton AntiVirus for Gateways scans compressed files at the SMTP gateway, automatically detecting viruses in email attachments including a nearly unlimited number of file extensions such as the ZIP, UUENCODE, and MIME formats. Since it also scans and repairs files contained within common compressed file formats, it provides solid defense against writers who often conceal viruses in compressed files. Using integrated proactive AntiVirus functions, administrators can block new and unknown viruses before a cure exists, preventing virus outbreaks from entering the organization.

      Norton AntiVirus for Lotus Notes
      Norton AntiVirus for Lotus Notes/Domino provides stable, reliable, and award-winning protection for Lotus Notes/Domino databases, including Lotus Domino Release 5. It offers administrators the most comprehensive, automatic protection available against new and existing viruses and keeps databases free from viruses, automatically scanning and repairing file attachments and embedded OLE objects in Notes mail and database documents. Efficient incremental scans minimize impact on network performance. And because administrators don't have to reinstall the scan engine every time a new virus is discovered, it significantly reduces total cost of ownership. Norton AntiVirus is easy to use because all operations are done using the Notes client.

      Norton AntiVirus for Microsoft Exchange
      Norton AntiVirus 2.5 for Microsoft Exchange automatically detects and removes old and new viruses on Exchange servers, providing the most comprehensive, automatic virus protection available. Using the latest virus scanning APIs from Microsoft, Norton AntiVirus for Microsoft Exchange scans both the email message body and attachments to provide maximum protection while minimizing the impact on network performance. Because administrators do not have to reinstall the scan engine to add new virus definitions, Norton AntiVirus significantly reduces cost of ownership.

      Norton Internet Security
      Norton Internet Security is the integrated online security suite from Symantec. The Norton Internet Security suite includes Norton AntiVirus, Norton Personal Firewall, Norton Privacy Control and Ad Blocking. The ability to easily update the suite (for the latest virus definitions, firewall rules, etc.) via LiveUpdate ensures that Norton Internet Security continues to provide security to the user's computer from the latest online threats.

      Symantec Desktop Firewall
      Symantec Desktop Firewall is the easiest to use and least intrusive solution for protecting remote users from hackers and corporate networks from back-door attacks. It deploys rapidly and works in the background, monitoring inbound and outbound communications. Remote installation and compatibility with leading VPNs make it an essential solution for securing remote communications.

      Symantec Enterprise Firewall
      Symantec Enterprise Firewall and Raptor Firewall will, through proper configuration, analyze HTTP requests and responses to ensure they adhere to the Requests for Comments (RFC) defining Web protocol behavior. This mechanism effectively blocks many common attacks that take advantage of protocol violations. In addition, Symantec Enterprise Firewall/Raptor Firewall version 6.5 or later can be configured to use URL pattern matching on rules to block against quantified threats on specific web server platforms.

      Symantec VelociRaptor
      VelociRaptor is a single-rack unit high (1RU), plug-and-protect appliance that ensures complete control of information entering and leaving the network. Its advanced data inspection technology filters traffic and integrates application level proxies, network circuit analysis, and packet filtering into the gateway security architecture. To bar access to private networks and confidential information, VelociRaptor applies full-inspection scanning techniques that ensure that data is validated at all seven levels of the protocol stack, including application proxies.

      Symantec Enterprise Security Manager (ESM)
      Symantec Enterprise Security Manager is a scalable security policy compliance and host-based vulnerability assessment tool. Using this tool you can detect systems that are running IIS server, detect systems that have the web Directory Traversal Vulnerability and can also detect modified files, new files and deleted files through its snapshot technology. It can also detect other modifications in the registry, useful in forensic analysis. If you have not already deployed ESM within your enterprise it is of limited use in recovering from a widespread compromise like W32.Nimda.A@mm. However, it has tremendous strength in mitigating the risk of the next W32.Nimda.A@mm type worm since it enforces best practices, e.g., identifying inadequate patch levels, unneeded services, and weak passwords. Click here to review the Enterprise Security Manager Security Response Policy for Nimda on Windows NT and Windows 2000.

      Symantec NetRecon
      Symantec NetRecon is a network vulnerability assessment scanner with root cause analysis capabilities. It detects systems that are running Web services, specifically Microsoft IIS and also detect systems that have the web Directory Traversal Vulnerability.

      Symantec NetProwler
      NetProwler is Symantec's network-based intrusion detection tool that continuously and transparently monitors your network for pattern of misuse or abuse. With Security Update 8 installed, NetProwler will detect the CodeRed worm and variants operating on your network. The NetProwler logs will identify each system compromised by the W32.Nimda.A@mm worm. NetProwler can also assist in forensic analysis by reviewing log entries to provide clues as to which host(s) on the network were first compromised by the worm.

      Symantec Intruder Alert
      Intruder Alert is a host-based Intrusion detection tool that detects unauthorized and malicious activity, keeping systems, applications, and data secure from misuse and abuse. The FileWatch function in Intruder Alert can monitor and detect mission-critical files for any changes, deletions, or movements that may have resulted from unauthorized access after W32.Nimda.A@mm compromise. In addition, Intruder Alert provides utilities to develop custom rules that can restore the compromised/changed files to their original state. Intruder Alert also monitors a system for suspicious behavior such as rootkit or DDoS agent installation, account creation, or modification. Intruder Alert can centrally manage log file events from across the network to assist in forensic analysis of compromised systems.

      Symantec Web Security
      Symantec Web Security protects web traffic at the HTTP/FTP gateway with high-performance, one-time scanning for viruses, malicious code, and inappropriate web content. It is the only solution that combines heuristic, context-sensitive analysis with list-based techniques for ensuring maximum protection against known and unknown malware threats and non-business-related web sites.


      Write-up by: Eric Chien