RE: SAV9 Functionality Hole - misses virus files

batchelornpe_at_moatschool.org.uk
Date: 03/16/05

    To: <bugtraq@securityfocus.com>
    Date: Wed, 16 Mar 2005 17:13:41 -0000
     
    SAV can be *configured* to behave like this.

    I believe that such a configuration was a work-around to a bug in an older
    version relating to word documents opening read-only across a network.

    Could I just add my voice to those requesting more detailed documentation as
    to how SAV actually works? Sometimes it really does feel like those of us on
    Gold Support contracts are scratching around in the dark.

    Nick Batchelor

    -----Original Message-----
    From: me3@neuralfibre.com [mailto:me3@neuralfibre.com]
    Sent: 15 March 2005 06:27
    To: bugtraq@securityfocus.com
    Subject: SAV9 Functionality Hole - misses virus files

    Product: Symantec AntiVirus Corporate Edition 9.0

    Vulnerability: Files saved on the server but opened remotely via SMB are not
    scanned.

    SAV9 runs as a client - server application. The client receives updates, the
    server pushes them out. This has no bearing on the platforms on which they
    run, nor on scanning operation. The server could run on an NT4 workstation
    and the clients on your 2003 servers.

    When SAV9 is protecting the file server, and an unprotected client saves
    files to a share on the server, the files are not scanned.
    When another unprotected client opens these files, they are not scanned by
    the server.
    The server will only find these files during a scheduled scan.

    Symantec documentation mentions file share scanning but makes no
    differentiation between opening the file on the client or the server. The
    documentation is misleading.
    Technical support was advised and again recited the same misleading
    statement.

    Picture this
    1. Consultant visits and saves infected file to server
    2. Client with laptop that didn't get latest update as was offline, comes in
       to work and opens file off the "safe, protected" server - infected laptop.

    This also means from a licencing standpoint, the only point of running SAV
    on your file servers is to protect it when apps are run locally on that
    server. If you don't run apps on your server, there is little point in
    running SAV on it.

    So much for defence in depth.

    Testing Trend ServerProtect showed it instantly detected and deleted the
    virus on save.

    Other AV products still to be tested.

    Other questions relate to files published / saved through other protocols
    such as HTTP, SMB, Frontpage Server Extensions, TFTP, etc etc.

    Conclusion
    The API that Symantec is using is not on file open from the file system, but
    rather file open by the local desktop - this allows files to be saved and
    opened without being scanned.

    Paul Young
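As an added example that is not part of this thread or of any Symantec tooling: a small probe an administrator can run from an unprotected client to exercise the two scenarios Paul describes (save a file to the share, then open it remotely) and see whether the file server's on-access scanner reacts to either event. It uses the harmless EICAR test file; the UNC share path is a placeholder.

```python
"""Probe whether a file server's on-access AV scans files written and read over SMB.

Added example, not from the thread. Assumes it runs on an *unprotected* client with
write access to a share (\\\\fileserver\\share below is a placeholder).
"""
import os
import time
import uuid


def eicar_test_file() -> bytes:
    # The EICAR standard test string, split so this source file is not itself
    # flagged by an on-access scanner. The string is harmless by design.
    return b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def probe_share(share_path: str, payload: bytes, wait_seconds: float = 5.0) -> dict:
    """Write payload into share_path, then reopen it the way a remote client would.

    Result flags map onto the two events in the report:
      caught_on_write    - file removed shortly after the SMB write
      caught_on_read     - file removed once it was opened/read remotely
      readable_unscanned - file survived both, i.e. only a scheduled scan would find it
    """
    name = os.path.join(share_path, f"av-probe-{uuid.uuid4().hex}.com")
    with open(name, "wb") as fh:  # scenario 1: consultant saves the file to the server
        fh.write(payload)
    time.sleep(wait_seconds)
    if not os.path.exists(name):
        return {"caught_on_write": True, "caught_on_read": False, "readable_unscanned": False}
    try:
        with open(name, "rb") as fh:  # scenario 2: laptop opens the file off the share
            data = fh.read()
    except OSError:  # scanner quarantined it while we were opening it
        return {"caught_on_write": False, "caught_on_read": True, "readable_unscanned": False}
    time.sleep(wait_seconds)
    if not os.path.exists(name):
        return {"caught_on_write": False, "caught_on_read": True, "readable_unscanned": False}
    os.remove(name)  # clean up; nothing on the server reacted to write or read
    return {"caught_on_write": False, "caught_on_read": False, "readable_unscanned": data == payload}


if __name__ == "__main__":
    print(probe_share(r"\\fileserver\share", eicar_test_file()))  # placeholder share path
```

Run it once against each file server you rely on; a result of `readable_unscanned: True` means the server-side product is not covering the SMB path at all and only the scheduled scan stands between the share and the clients.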

