Re: [Full-Disclosure] Symantec AntiVirus and AOL

From: Maxim S. Shatskih (maxim_at_STORAGECRAFT.COM)
Date: 10/26/03

    Date:         Sun, 26 Oct 2003 20:14:12 +0300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    >anyone has experience with device drivers then am I right that once a vendor's intermediate
    >device driver sets the NCD_VIRTUAL bit then they have done their duty as far as saying they
    >are a fake adapter? Is the burden then on Symantec to check the flags of adapters they are

    Regardless of all this stuff, I expect the Windows app to use rpcrt4!UuidCreate
    or ole32!CoCreateGuid to generate GUIDs. If Symantec's antivirus violates this
    rule - then this looks suspicious by itself.

    For instance, these routines encrypt GUIDs in a way that the original MAC
    address is not distinguishable. If Symantec uses the MAC addresses literally in
    the GUIDs - then this is a privacy leak at least.

    Using the MAC address of the virtual adapter (on the upper edge of some MUX IM)
    is just funny, since it is emulated in the machine code which responds to the OID
    query, and can be emulated, for instance, by repeating the MAC address of
    one of the underlying adapters.

    Maxim Shatskih, Windows DDK MVP
    StorageCraft Corporation
    maxim@storagecraft.com
    http://www.storagecraft.com
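
An added example, not part of the original post and not any vendor's code: a Python check for the privacy concern raised above, which inspects GUID strings for an RFC 4122 version-1 layout whose node field holds a literal adapter MAC. The function names and sample GUIDs are constructed for illustration, and the sample MAC comes from the RFC 7042 documentation range.

```python
import uuid

# RFC 4122 version-1 UUIDs carry a 48-bit "node" field in the last 12 hex
# digits. It is normally the adapter's IEEE 802 MAC address; a generator that
# substitutes a random node is expected to set the multicast bit to mark it.
MULTICAST_BIT = 0x010000000000

# Constructed sample GUIDs (not taken from any real product or host).
SAMPLES = [
    "{5F0C1E00-07E2-11D8-8A4B-00005E00532A}",  # v1, unicast node (literal MAC)
    "6a1d2f80-07e2-11d8-9c10-00005e00532a",    # v1, same node: linkable to the first
    "5f0c1e00-07e2-11d8-8a4b-03005e00532a",    # v1, multicast bit set: random node
    "3f2b8c1e-9d47-4a6b-b1c2-7e5d4f3a2b19",    # v4, random: no node field
]

def audit_guid(text):
    """Classify one GUID string and report any embedded hardware address."""
    u = uuid.UUID(text.strip("{}"))
    result = {"guid": str(u), "version": u.version, "mac": None, "leak": False}
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return result  # only time-based (v1) UUIDs have a node field to leak
    node = u.node
    result["mac"] = ":".join(f"{(node >> s) & 0xff:02x}" for s in range(40, -1, -8))
    # A unicast node is what a MAC address copied literally into the GUID looks like.
    result["leak"] = not (node & MULTICAST_BIT)
    return result

def audit_many(guids):
    """Group leaking GUIDs by the MAC they expose, showing they are linkable."""
    by_mac = {}
    for g in guids:
        r = audit_guid(g)
        if r["leak"]:
            by_mac.setdefault(r["mac"], []).append(r["guid"])
    return by_mac

if __name__ == "__main__":
    for mac, guids in audit_many(SAMPLES).items():
        print(f"{mac} exposed by {len(guids)} GUID(s):")
        for g in guids:
            print("   ", g)
```
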
