CA InoculateIT 6.0 Realtime Scanner may fail to detect vira.

From: Karsten H. (karsten@EGOTRIP.DK)
Date: 11/29/02

    Date:         Fri, 29 Nov 2002 10:27:02 +0100
    From: "Karsten H." <karsten@EGOTRIP.DK>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Executive overview:

    We have recently closed a case with Computer Associates regarding a weakness
    in their realtime scanner when configured with incremental scan. This
    weakness would, in some cases, allow virus or trojan code to be saved to
    disk, and signed as clean.

    What is incremental scan:

    The Incremental Scan option is for scanning volumes that are formatted with
    the NTFS file system, to enhance scan performance. With this option in
    effect, a file is scanned once, and a cached record is kept. The file is not
    scanned again if it has not been modified since the last scan or if the
    scanning options have not changed. This eliminates the unneeded repetitive
    scanning of files that were already checked.

    Problem:

    If the Realtime Scanner has been set up to monitor 'Incoming and Outgoing
    Files' in Realtime Monitor Options, and 'Incremental Scan' has been
    activated under 'Advanced...' in the 'Selection' tab, it might be possible
    for the realtime scanner to write an alternate data stream, where the file is
    marked as having passed a successful antivirus-scan, before the file is
    fully written to the system.

    The problem has been reproduced on a newly installed Windows 2000, where it
    has been possible to download and save the Klez.H virus to the local
    hard drive. Once the file has been downloaded and branded, it will not be
    detected as a virus when copied to other systems over the network, when
    these have a similar setup with incremental scan.

    Tech talk:

    When Internet Explorer downloads a file, the disk operations are done as a
    bunch of FASTIO_WRITEs. During this process the incremental scanner might
    scan the file and, if incremental scan is enabled, write an alternate data
    stream certifying the file as being clean before it's done. Internet
    Explorer will then download the rest of the file and the system then appears
    to rewrite InoculateIT's alternate data stream.
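    The incremental-scan cache described under "What is incremental scan" and the
    write/scan interleaving described under "Tech talk" can be modelled in a few
    lines. The following is an added example, not InoculateIT code: the cache
    record that the product kept in an NTFS alternate data stream is modelled as a
    dictionary entry, the modification time as a counter bumped on every write,
    the signature database as a single constructed byte marker, and the download
    as a sequence of small writes. The model assumes the verdict is computed from
    the bytes present when the scan starts but the record is stamped with the
    modification time seen when the scan finishes, which is what lets writes that
    land in between pass the "not modified since last scan" test. The hardened
    scanner binds the verdict to a hash of the exact bytes it examined, so any
    later change forces a rescan.

```python
"""Model of an incremental-scan cache and the mid-write race it creates.

Added example, not InoculateIT code. Everything here is a modelling
assumption: dict instead of an NTFS alternate data stream, an integer
counter instead of LastWriteTime, and a constructed byte marker instead
of a real signature database.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for a signature; not a real malware pattern.
MALWARE_MARKER = b"<<CONSTRUCTED-MALICIOUS-MARKER>>"
SAMPLE_PATH = r"C:\Downloads\sample.exe"   # constructed path used as the cache key


def signature_scan(data: bytes) -> bool:
    """Return True when the bytes are clean under the constructed signature."""
    return MALWARE_MARKER not in data


@dataclass
class NtfsFile:
    content: bytes = b""
    mtime: int = 0          # counter standing in for the last-write timestamp

    def write(self, chunk: bytes) -> None:
        """One FASTIO_WRITE: append data and bump the modification counter."""
        self.content += chunk
        self.mtime += 1


@dataclass
class Record:
    """The cached 'scanned clean' mark; content_hash is only set by the fixed scanner."""
    clean: bool
    mtime: int
    content_hash: Optional[str] = None


class NaiveIncrementalScanner:
    """Verdict comes from the bytes seen at scan start; the record is stamped
    with the mtime seen at scan end, so intervening writes are not noticed."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}

    def begin_scan(self, f: NtfsFile) -> bool:
        return signature_scan(f.content)            # verdict on the partial file

    def finish_scan(self, path: str, f: NtfsFile, verdict: bool) -> None:
        self.records[path] = Record(verdict, f.mtime)   # stamped with a later mtime

    def is_clean(self, path: str, f: NtfsFile) -> bool:
        rec = self.records.get(path)
        if rec is not None and rec.mtime == f.mtime:
            return rec.clean                        # "not modified since": reuse verdict
        verdict = signature_scan(f.content)
        self.records[path] = Record(verdict, f.mtime)
        return verdict


class HashedIncrementalScanner(NaiveIncrementalScanner):
    """Fix: bind the verdict to a hash of the exact bytes that were scanned."""

    def begin_scan(self, f: NtfsFile) -> bool:
        self._scanned = f.content                   # snapshot actually examined
        return signature_scan(self._scanned)

    def finish_scan(self, path: str, f: NtfsFile, verdict: bool) -> None:
        digest = hashlib.sha256(self._scanned).hexdigest()
        self.records[path] = Record(verdict, f.mtime, digest)

    def is_clean(self, path: str, f: NtfsFile) -> bool:
        rec = self.records.get(path)
        digest = hashlib.sha256(f.content).hexdigest()
        if rec is not None and rec.content_hash == digest:
            return rec.clean                        # bytes unchanged: verdict still valid
        verdict = signature_scan(f.content)
        self.records[path] = Record(verdict, f.mtime, digest)
        return verdict


def download_with_race(scanner: NaiveIncrementalScanner) -> bool:
    """Browser writes the file in chunks; the scanner runs after the first chunk."""
    f = NtfsFile()
    f.write(b"MZ benign-looking header ")           # first FASTIO_WRITE
    verdict = scanner.begin_scan(f)                 # scanner examines the partial file
    f.write(MALWARE_MARKER + b" remainder of payload")   # remaining writes land
    scanner.finish_scan(SAMPLE_PATH, f, verdict)    # mark written after the last write
    return scanner.is_clean(SAMPLE_PATH, f)         # later on-access check (e.g. a copy)


def download_then_scan(scanner: NaiveIncrementalScanner) -> bool:
    """No race: the scan starts only after the whole file has been written."""
    f = NtfsFile()
    f.write(b"MZ benign-looking header ")
    f.write(MALWARE_MARKER + b" remainder of payload")
    scanner.finish_scan(SAMPLE_PATH, f, scanner.begin_scan(f))
    return scanner.is_clean(SAMPLE_PATH, f)


if __name__ == "__main__":
    print("naive, raced :", download_with_race(NaiveIncrementalScanner()))    # True: missed
    print("hashed, raced:", download_with_race(HashedIncrementalScanner()))   # False: caught
    print("naive, no race:", download_then_scan(NaiveIncrementalScanner()))   # False: caught
```

    The naive scanner only fails when the scan overlaps the write sequence; with
    the full file present before the scan it detects the marker, which matches
    the advisory's note that the circumstances are rare. The hashed variant is
    one way to close the window; scanning only when the writing handle is closed
    is another, and the two can be combined.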

    Mitigating factors:

    * Incremental scan is not enabled by default, but might be enabled for
    performance reasons.
    * Incremental scan can only be used on NTFS volumes (the Windows NT series
    of operating systems).
    * The file will be detected when a new antivirus definition is applied, and
    these are released daily.
    * Generally, the circumstances where this will happen are rare.

    Recommendation:

    CA has released a patch for their realtime scanner that disables the
    incremental scan option.
    Their later versions (6.1 is right around the corner) will include improved
    caching that makes incremental scanning less appealing, while their move to
    daily signature updates also removes quite a lot of the benefit from this
    functionality.

    An alternative, until you can apply the patch or a newer version of
    InoculateIT to your systems, is to disable incremental scan in the
    enterprise management server's policy for the realtime scanner, and disallow
    your users from changing their local settings from the policy's default. If
    you take this route, you'll want to modify the policy for all machines
    servicing interactive logons, such as workstations and terminal servers, as
    well as file servers.

    Thanks to:
    Russ for assisting in bringing this issue to closure.
    Knud for valuable advice in past and present.
    The guys at CA that reacted promptly to the issue.

    Karsten H.
    system engineer
