lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <41C41371A849C4438E658517CFE4A7741C6128@MAIL.fac.gatech.edu>
Date: Tue, 15 Mar 2005 12:52:09 -0500
From: "Polazzo Justin" <Justin.Polazzo@...ilities.gatech.edu>
To: <me3@...ralfibre.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: SAV9 Functionality Hole - misses virus files


Just got off the phone with Symantec gold support for a different reason
but they had stated that while they do not scan Memory or the Swap File,
the 0 Ring driver they use will scan anything written to a HDD. This
would mean that if you have scanning of network drives enabled on the
client, both server and client would scan the file as it was being
written. 

Guess your testing is contrary to this statement, any proof? I would
love to have (yet) another reason to switch AV companies.

BTW if you are putting SAV9 client on a 2003 server make sure you
disable the email tools completely (not selecting the child options
isn't enough,) If you don't it puts a hook into the MS tcp/ip stack at
ports 110 and 80 (doesn't protect imap in any form whatsoever according
to the rep I spoke with). The outlook and Lotus snap-ins will scan
whatever data is pulled through their respective apps (upon further
prodding Symantec admitted it was scanning part of memory with the mail
client, but I am still fuzzy on where the tcp/ip stack is actually
located; anyone care to explain :)

-JP



-----Original Message-----
From: me3@...ralfibre.com [mailto:me3@...ralfibre.com] 
Sent: Tuesday, March 15, 2005 1:27 AM
To: bugtraq@...urityfocus.com
Subject: SAV9 Functionality Hole - misses virus files



Product: Symantec AntiVirus Corporate Edition 9.0

Vulnerability: Files saved on the server but opened remotely via SMB are
not scanned.

SAV9 runs as a client - server application. The client receives updates,
the server pushes them out. This has no bearing on the platforms on
which they run, nor on scanning operation. The server could run on an
NT4 workstation and the clients on your 2003 servers.

When SAV9 is protecting the file server, and an unprotected client saves
files to a share on the server, the files are not scanned.
When another unprotected client opens these files, they are not scanned
by the server.
The server will only find these files during a scheduled scan.

Symantec documentation mentions file share scanning but makes no
differentiation between opening the file on the client or the server.
The documentation is misleading.
Technical support was advised and again recited the same misleading
statement.

Picture this
1. Consultant visits and saves infected file to server 2. Client with
laptop that didn't get latest update as was offline, comes in to work
and opens file off the "safe, prrotected" server - infected laptop.

This also means from a licencing standpoint, the only point of running
SAV on your file servers is to protect it when apps are run locally on
that server. If you don't run apps on your server, there is little point
in running SAV on it. 

So much for defence in depth.

Testing Trend ServerProtect showed it instantly detected and deleted the
virus on save.

Other AV products still to be tested.

Other questions relate to files published / saved through other protcols
such as HTTP, SMB, Frontpage Server Extensions, TFTP, etc etc.

Conclusion
The API that Symantec is using is not on file open from the file system,
but rather file open by the local desktop - this allows files to be
saved and opened without being scanned.

Paul Young




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ