Some Symantec AV engines don't catch re-encoded viruses/worms
From: Brian S. Bergin (b.b_at_TERABYTE.NET)
Date: 06/28/04
- Previous message: Drew Copley: "Re: Microsoft and Security"
- Next in thread: Geoffrey Moon: "Re: Some Symantec AV engines don't catch re-encoded viruses/worms"
- Maybe reply: Geoffrey Moon: "Re: Some Symantec AV engines don't catch re-encoded viruses/worms"
Date: Mon, 28 Jun 2004 08:29:48 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Summary: Symantec Antivirus Corporate Edition versions 7.x-9.00* do not
scan e-mails that contain viral/worm code that has been re-encoded.
First report to vendor: 19 March 2004 via telephone to the product support
group and then again a few days later directly to the Product Manager.
Example: http://www.terabyte.net/sav_mime/sample_re-encoded_virus.txt
*9.00 has an option in dec3.cfg to enable this, but it is disabled by
default. More info on this can be found by going to
http://service1.symantec.com/SUPPORT/ent-security.nsf/529c2f9adcf33a1088256e22005026f1/b4aab93746190de788256e6d00585b47?OpenDocument&src=bar_sch_nam.
To my knowledge there are no options available for enabling this in 7.x
or 8.x at this time.
Initially Symantec stated the reason this was not being scanned for was
that it would increase the CPU time required to process all virus
scans. When we had Pentium 100s I could see that. Given the slowest
system today is well over 2 GHz I doubted that was a real problem. To test
their claims we created 1,001 copies of the sample and stored them as text
files on a test system (Dell 2.8 GHz P4, 533 MHz FSB, 768 MB PC2700 RAM,
ATA-100 hard drive, XP Pro SP1 fully patched). Based on scan logs it does
take longer to scan the 1,001 files (SAV 9 finds 3 files to scan in each
text file) with the option turned on (15 seconds vs 3:41 if every one of
the 1,001 files contains the virus).
If, however, only 1 of the 1,001 files has this type of virus and the rest
have no virus then the time difference is not even recorded in the scan
logs (15 seconds vs. 15 seconds). I submit that the chances of 1,001
multi-encoded viruses coming to a desktop or server at any given time are
remote at best, but if it happens I'm willing to give up the time it takes
to scan them, especially since Symantec has implied that it’s rare to see
this in the wild.
Symantec went on to say that they have tested and found that enabling this
produced more false positives. I'm not quite sure I buy that and asked for
further explanation a couple days ago. I've not received a reply as
yet. IMHO, they simply have to decode the e-mails and scan, and once
decoded the code should appear as it would if the virus were only encoded
once. If the decoding is done properly, just as they decode zip files one
at a time to look for more inside the first, then they should be able to
detect multi-encoded viruses with the same accuracy as a single-encoded
MIME attachment. In addition, other Symantec
products already scan for this type of encoding and as such would have an
equally high false positive rate. Given the nature of viruses today and
how nasty they can be, I'd rather have one false positive than one false
negative. This isn't the criminal justice system, these are viruses
written by people often driven and determined to cause harm. I'd much
rather quarantine a false positive document and go back later and determine
that it’s safe than to allow a virus through that some all-too-curious user
figures out a way to execute.
BTW, I'm also betting that if there were 1,001 properly formatted MIME
encoded text files each containing a virus on this same system that it
would take a similar time to scan and quarantine each of them as it did for
the re-encoded samples. I did not test that, but will be happy to if
someone wants me to.
Again, my tests are not scientific, but they do, I believe, prove that with
the option turned on, if there are no re-encoded viruses, then scan times
are essentially not affected on normal files or e-mails. If, as Symantec
has suggested, this type of virus encoding is extremely rare in the wild
then enabling this option should have no general impact on CPU usage or
false positives but it could prevent some “too smart for our own good” user
from taking the virus out of the re-encoded portion of the e-mail, using a
MIME decoder to extract the virus in an attempt to see what it does. Now
of course we would hope that at that point the standard AV engine would
catch this, but if we totally relied on that engine why do we scan e-mails
on their way in anyway? Shouldn't we just not use MX AV servers, mail
server AV engines, and disable SAV CE 9’s SMTP proxy engine? Security has
become multi-tiered and if we’re to rely on one product to provide those
multiple levels of protection then the product needs to be as comprehensive
as current technology allows.
How has Symantec moved forward? First, SAV CE v9 has the ability to do
this, but you first need to know that it must be enabled, and then you have
to modify a file manually on each machine to enable it. 8.x and 7.x do not
have this ability at this time according to the people I've spoken with at
Symantec.
Interestingly enough, while Symantec’s people have indicated that they
didn't feel it was a real threat, that it used too much CPU to enable it,
that it causes too many false positives, and that the threat was unlikely
to be seen in the wild, their retail products since at least 2001 have
scanned for and caught files with this type of encoding. In my experience
retail customers are less likely to understand why a file was falsely
quarantined than corporate customers with an IT person responsible for
looking into virus issues. Furthermore, Symantec Mail Security for SMTP
v4.0 also by default scans for and catches this type of encoded virus (v3
and other mail security products from Symantec like the AV plug-in for
Ipswitch's IMail Pro do not either). There’s an option in SMS SMTP 4 to
turn this ability off, but it is ON by default.
My issue here isn't so much that an atypically encoded file is not caught
by corporate edition products, it’s that Symantec is making security
decisions for us.
Symantec has apparently determined different levels of protection are
needed for retail users than corporate users and without knowing exactly
what version you have to be running and how to enable it in that version
few if any admins would know to even ask if there is a difference
(especially since SAV CE 9 is said to be using the retail scanning
engine). I submit that it’s not Symantec’s job to determine what’s safe on
our systems and what’s not, either at work or at home. If they have the
technology to catch any form of a particular virus I submit that’s our
decision. I believe security products should be tight. Locked
down. Restrictive to the point of frustration but with options to loosen
restrictions if they interfere with day-to-day business activities. At
that point Admins, after careful consideration, can make decisions on what
they want to allow and not and make those changes in the administration GUI,
not in a configuration file that until recently wasn't documented well if
at all.
To be fair, Symantec issued a statement to me on 22 June 2004. It was
issued by Symantec’s Senior Security Analyst. In summary, they don't
believe this “to be a vulnerability issue.” They correctly state that the
virus as encoded is not an immediate threat; however, they fail to see that
zipped viruses are also not an immediate threat and yet every version of
Symantec AV supports scanning multiple layers deep inside zip archives for
viruses, which most certainly has an impact on CPU usage, so in this case
it’s one encoding type (zip) vs. another (MIME). They agree that some of
their products do detect this type of encoding, though they don't
specifically address why retail products have done this for 4 years and
corporate edition products only started doing it this year and then it’s
off by default on their flagship product. The entire text of their
response can be found at
http://www.terabyte.net/sav_mime/Symantec_response.pdf. Note I have munged
the names and e-mail addresses of Symantec employees as well as my own
private e-mail address to protect the privacy of those individuals. Other
than those changes this PDF is Symantec’s unedited response. Please also
note this PDF requires Adobe Acrobat or Acrobat Reader 5.0 or greater.
How much of an issue is this? In the grand scheme of things, probably not
much. Though the real question here is who should be making final
determinations about what is and isn't dangerous and I believe it isn't the
job of the security software vendor. Absolutely they’re there to advise,
but in the end it’s our data, our profits (or losses), and our jobs. How
many bosses want to hear ‘well, you know that AV product you bought because
I told you to? Well, it didn't catch that virus that the new hot-shot
employee you just hired decided he'd decode it and, well, it just caused a
few hundred thousand dollars in damage and ruined your vacation next week.’
Symantec obviously has the ability to scan and detect this type of encoded
virus, the question is why do they enable it on some products by default,
disable it on others by default, and still an entirely different group of
products have supported it for years. It’s your data. Shouldn't you be
able to determine how secure you want to be?
Thanks…
Sincerely,
Terabyte Computers, Inc.
Brian S. Bergin
President
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----
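The argument in the post is that an engine should peel off MIME and base64 layers one at a time, the way it already walks nested zip archives, and match signatures at every layer. The following is an added example written for this page; it is not code from the original post and has nothing to do with Symantec's actual engine or dec3.cfg. It uses Python's standard `email` library, a constructed harmless marker string in place of a real virus signature, and constructed sample messages: one mail carrying the "payload" as an ordinary base64 attachment, and a second mail in which that whole first mail has been re-encoded as a base64 attachment. The heuristic that a decoded body is itself a nested mail only when it carries MIME headers, the depth bound, and the bare double-base64 case are all assumptions of this example.

```python
"""Recursive MIME/base64 unwrapping: an added example, not code from the
original post or from Symantec.  The "signature" below is a constructed,
harmless marker string standing in for a real detection pattern."""
import base64
import binascii
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-NOT-MALWARE"   # constructed stand-in
MAX_DEPTH = 8   # bound on nested layers so a hostile sample cannot recurse forever


def build_inner_message() -> bytes:
    """A plain MIME mail carrying the 'malicious' attachment base64-encoded once."""
    msg = EmailMessage()
    msg["Subject"] = "original message"
    msg.set_content("see attachment")
    msg.add_attachment(SIGNATURE + b" (constructed payload bytes)",
                       maintype="application", subtype="octet-stream",
                       filename="payload.bin")        # CTE defaults to base64
    return msg.as_bytes()


def build_reencoded_message() -> bytes:
    """The whole inner mail wrapped again as a base64 attachment of a new mail,
    the 're-encoded' shape the post describes: the payload is now two MIME
    layers and two base64 layers deep."""
    outer = EmailMessage()
    outer["Subject"] = "Fwd: original message"
    outer.set_content("forwarded as a file")
    outer.add_attachment(build_inner_message(),
                         maintype="application", subtype="octet-stream",
                         filename="sample_re-encoded.txt")
    return outer.as_bytes()


def build_double_base64_sample() -> bytes:
    """A bare blob that has been base64-encoded twice (no MIME headers at all)."""
    return base64.b64encode(base64.b64encode(SIGNATURE + b" payload"))


def _leaf_payloads(raw: bytes):
    """Parse raw as an RFC 2822 message and yield each non-multipart part's
    body with its Content-Transfer-Encoding (base64, quoted-printable) undone."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if "content-type" not in msg and "mime-version" not in msg:
        return            # no MIME headers: do not treat arbitrary bytes as mail
    for part in msg.walk():
        if not part.is_multipart():
            payload = part.get_payload(decode=True)
            if payload:
                yield payload


def _try_base64(data: bytes):
    """Return the decoded bytes if data is a well-formed base64 blob, else None."""
    compact = b"".join(data.split())
    if len(compact) < 8 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_one_layer(raw: bytes) -> bool:
    """What an engine that undoes exactly one MIME layer sees."""
    return any(SIGNATURE in payload for payload in _leaf_payloads(raw))


def scan_recursive(data: bytes, depth: int = 0) -> bool:
    """Undo MIME and base64 layers one at a time, the way an engine already
    walks nested zip archives, and match the signature at every layer."""
    if SIGNATURE in data:
        return True
    if depth >= MAX_DEPTH:
        return False
    for payload in _leaf_payloads(data):
        if scan_recursive(payload, depth + 1):
            return True
    decoded = _try_base64(data)
    return decoded is not None and scan_recursive(decoded, depth + 1)


if __name__ == "__main__":
    sample = build_reencoded_message()
    print("one MIME layer:", scan_one_layer(sample))   # False
    print("all layers:", scan_recursive(sample))       # True
```

The one-layer scanner finds the signature in the inner mail but not in the re-encoded sample, because after a single decode the payload is still a base64 blob inside a second set of MIME headers. The recursive scanner treats each decoded body as a candidate for another round, so the CPU cost only grows for data that actually decodes to something new, which matches the timing observation in the post; the depth bound is what keeps a deliberately deep sample from becoming a denial of service.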