[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4619CB1B8D625544BF3764E6B346DA1F02F4BB24@helena.richmond.edu>
Date: Wed, 16 Aug 2006 13:59:18 -0400
From: "Faigle, Chris" <cfaigle@...hmond.edu>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Symantec Anti-Virus Corporate Edition: Download
Product Updates Using LiveUpdate Feature in Central Console
Does Not Work
Issue:
Symantec Anti-Virus Corporate Edition clients controlled via the
Symantec System Center Console do not follow the "Download product
updates using LiveUpdate" setting. This feature has been disabled by
Symantec according to their technical support.
Impact:
Clients cannot be told to automatically update to new releases
and maintenance patches from the SSC and this then must occur via
another mechanism, or pushed using the "Client Remote Install" option
which only works when a client is actively on-line and also does not
queue. This leaves installs of this "First-Line-of-Defense" product out
of date if any scan-engine or other vulnerabilities are found, until it
is upgraded using one of these other mechanisms, which may or may not be
possible within a reasonable period of time for any given client.
Background:
We have moved towards only installing software that can
automatically upgrade itself, due to the vast number of vulnerabilities
in software - need I say more.
We install (and require!) Symantec Anti-Virus Corporate Edition
(currently version 10.1.x.x) for faculty, staff and student machines.
Clients point to our SAV server, which controls their behavior,
or they can be put in a group where the machine administrator can
control the client behavior. This is controlled via a "GRC.dat" file
which is updated on the server when a change is made using the SSC and
then pulled down by the client.
Faculty and Staff machines are on the domain and are in general
managed by SMS, which does allow us to put together an upgrade package
for SAV, but requires manual effort on my part.
Student machines may or may not be on the domain, but are not
managed by us in any way. They also may also not be on our network for
long periods of time (e.g. summers, study abroad). The only way we have
to enforce an upgrade here is to pull our student network registration
file and update our Active X control
(http://is.richmond.edu/security/Downloads.htm) to check for the new
version and then force re-registration. This will only work for student
machines on our network and will have no effect on students over the
summer, etc. Re-registration is also a business interrupting event.
The SAV client is considered first LOD, since it scans e-mail,
web and disk files before they are opened by the OS or application. It
also has a set of ports it communicates via.
I spoke with Symantec's Platinum support about why these clients
do not upgrade themselves even though I have this set on our server for
machines which are not in a specific administrator controlled group.
The helpful tech person said that support for this was removed
since corporate customers did not want machines to reboot and the AV
upgrade requires a reboot, however the check box still exists.
I responded that most modern software (Windows, Mac, IE, Adobe,
etc) has this feature in the standard Install Now/Install Later and
Reboot Now/Reboot Later format.
He also said that we would not want these clients to suck down
large updates via the internet, however I responded that is standard for
updates for e.g. Macs, Windows, Adobe, etc. and I am much more worried
about mass compromise of machines that I am about network traffic.
He said he understood the issue and that I was welcome the make
a feature request via the Platinum Support web page, however I figured
FD might draw a faster and better response and that others would want to
know this information.
Conclusion:
Installing this software without a mechanism for automatic
upgrades on unmanaged machines poses a potential security risk.
I welcome any response from Symantec in the FD forum and in
particular I welcome any corrections if I have unintentionally erred in
any way in the description above.
Regards,
Chris Faigle
University of Richmond
IS Security
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists