Re: [Full-Disclosure] Symantec AntiVirus and AOL

From: Maxim S. Shatskih (maxim_at_STORAGECRAFT.COM)
Date: 10/26/03

  • Next message: Dolan, David: "Re: Symantec AntiVirus and AOL"
    Date:         Sun, 26 Oct 2003 20:14:12 +0300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    >anyone has experience with device drivers then am I right that once a vendor's
    >intermediate device driver sets the NCD_VIRTUAL bit then they have done their
    >duty as far as saying they are a fake adapter? Is the burden then on Symantec
    >to check the flags of adapters they are

    Regardless of all this stuff, I expect the Windows app to use rpcrt4!UuidCreate
    or ole32!CoCreateGuid to generate GUIDs. If Symantec's antivirus violates this
    rule - then this looks suspicious by itself.

    For instance, these routines encrypt GUIDs in a way that the original MAC
    address is not distinguishable. If Symantec uses the MAC addresses literally in
    the GUIDs - then this is a privacy leak at least.

    Using the MAC address of the virtual adapter (on the upper edge of some MUX IM)
    is just funny, since it is emulated in the machine code which responds to the OID
    query, and can be emulated, for instance, by repeating the MAC address of
    one of the underlying adapters.

    Maxim Shatskih, Windows DDK MVP
    StorageCraft Corporation
    maxim@storagecraft.com
    http://www.storagecraft.com
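The privacy point above can be checked directly: a time-based (RFC 4122 version 1) GUID carries a 48-bit node field that is normally the generating host's MAC address, while a randomly chosen node id has the multicast bit set (and UuidCreate on Windows 2000 and later no longer embeds the MAC at all). The following is an added example, not code from the thread or from any product; `make_v1_guid` and `guid_node_info` are names chosen here and the MAC values are constructed.

```python
import uuid


def make_v1_guid(mac):
    """Build a version 1 GUID whose node field is the given MAC string.

    Used only to construct sample input for the check below; it is not how
    UuidCreate or any product discussed here generates GUIDs.
    """
    node = int(mac.replace(":", ""), 16)
    return str(uuid.uuid1(node=node))


def guid_node_info(guid_str):
    """Report whether a GUID exposes a real MAC address in its node field."""
    u = uuid.UUID(guid_str)
    if u.version != 1:
        # Name-based (v3/v5) and random (v4) GUIDs carry no node identifier.
        return {"version": u.version, "node": None, "leaks_mac": False}
    node_bytes = u.node.to_bytes(6, "big")
    node = ":".join(f"{b:02x}" for b in node_bytes)
    # RFC 4122 section 4.5: a randomly generated node id has the multicast
    # bit (bit 0 of the first octet) set, which no IEEE 802 unicast MAC has.
    return {"version": 1, "node": node, "leaks_mac": not (node_bytes[0] & 0x01)}


if __name__ == "__main__":
    samples = [
        ("v1, node is a unicast MAC", make_v1_guid("00:11:22:33:44:55")),
        ("v1, node is random (multicast bit)", make_v1_guid("01:22:33:44:55:66")),
        ("v4, random", str(uuid.uuid4())),
    ]
    for label, guid in samples:
        print(f"{label}: {guid} -> {guid_node_info(guid)}")
```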

    
