Re: SAV9 Functionality Hole - misses virus files

secure_at_symantec.com
Date: 03/18/05

  • Next message: Paul S. Owen: "RE: [phpbb <= 2.0.13 full path disclosure & directory listing]"
    Date: 18 Mar 2005 21:26:53 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <20050315062647.21534.qmail@www.securityfocus.com>

    >Date: 15 Mar 2005 06:26:47 -0000
    >Message-ID: <20050315062647.21534.qmail@www.securityfocus.com>
    >Content-Type: text/plain
    >Content-Disposition: inline
    >Content-Transfer-Encoding: binary
    >MIME-Version: 1.0
    >X-Mailer: MIME-tools 5.411 (Entity 5.404)
    >From: <me3@neuralfibre.com>
    >To: bugtraq@securityfocus.com
    >Subject: SAV9 Functionality Hole - misses virus files
    >
    >
    >
    >Product: Symantec AntiVirus Corporate Edition 9.0
    >
    >Vulnerability: Files saved on the server but opened remotely via SMB are not scanned.
    >
    >SAV9 runs as a client - server application. The client receives updates, the server pushes them out. This has no bearing on the platforms on which they run, nor on scanning operation. The server could run on an NT4 workstation and the clients on your 2003 servers.
    >
    >When SAV9 is protecting the file server, and an unprotected client saves files to a share on the server, the files are not scanned.
    >When another unprotected client opens these files, they are not scanned by the server.
    >The server will only find these files during a scheduled scan.
    >
    >--------------snip-----------------
    >Conclusion
    >The API that Symantec is using is not on file open from the file system, but rather file open by the local desktop - this allows files to be saved and opened without being scanned.
    >
    >Paul Young
    -------------------------------end

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Symantec Response

    Symantec engineers throughly tested SAV9 in the configuration
    reported by the poster scanning all share files and could find no
    issues in any of our testing.

    SAV 9 is NOT vulnerable to the issues identified by the poster.

    Symantec contacted the poster and worked with him to review his
    configuration and environment to determine why he is seeing what he
    had reported.

    Symantec and the poster determined there was a configuration issue in
    the way the poster had his Real-Time Virus Scan options set. File
    types were being excluded from the scan that gave the erroneous
    impression that SAV9 was not scanning files that should have been
    scanned. To the contrary, SAV9 was operating exactly as it was
    configured to.
    Symantec encourages all customers to confirm configuration settings
    to ensure files are properly scanned.

    Symantec Product Security Team

    Symantec takes the security of our products seriously and adheres to
    responsible disclosure. Our response policies can be viewed at
    http://www.symantec.com/security.
    Symantec will work closely with anyone who believes they have found a
    security issue in a Symantec product to validate the problem and
    coordinate any response deemed necessary.

    Please contact secure@symantec.com concerning security issues with
    Symantec products.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2

    iQA/AwUBQjtI5ALsezw0Sg5hEQLGWgCgslSf5Rd37MAp/YvTF+UQP6s9ZVYAoKHj
    V/6DDzQwEnZxvgXoBb84X8DI
    =KZCz
    -----END PGP SIGNATURE-----


  • Next message: Paul S. Owen: "RE: [phpbb <= 2.0.13 full path disclosure & directory listing]"

    Relevant Pages

    • Re: Cant see performance report, etc. SBS2003
      ... When you install Symantec EP it adds Symantec to the web-sites in IIS. ... Reporting in server management does not work and give HTTP 404 error. ... Reinstall Monitoring component: ...
      (microsoft.public.windows.server.sbs)
    • Re: symantec antivirus can not auto update behind isa 2004
      ... I have SBS2000 with ISA2000 and dual NIC configuration. ... I use SSC to administer Symantec Antivirus Corporate Edition version 8.x ... I have configured the SAVCE clients to obtain updates from MY SERVER ... I disabled the schedule in the Symantec System Center and I scheduled ...
      (microsoft.public.isa.clients)
    • Re: symantec antivirus can not auto update behind isa 2004
      ... I have SBS2000 with ISA2000 and dual NIC configuration. ... I use SSC to administer Symantec Antivirus Corporate Edition version 8.x ... I have configured the SAVCE clients to obtain updates from MY SERVER ... I disabled the schedule in the Symantec System Center and I scheduled ...
      (microsoft.public.isa.enterprise)
    • Re: symantec antivirus can not auto update behind isa 2004
      ... I have SBS2000 with ISA2000 and dual NIC configuration. ... I use SSC to administer Symantec Antivirus Corporate Edition version 8.x ... I have configured the SAVCE clients to obtain updates from MY SERVER ... I disabled the schedule in the Symantec System Center and I scheduled ...
      (microsoft.public.isaserver)
    • Re: symantec antivirus can not auto update behind isa 2004
      ... I have SBS2000 with ISA2000 and dual NIC configuration. ... I use SSC to administer Symantec Antivirus Corporate Edition version 8.x ... I have configured the SAVCE clients to obtain updates from MY SERVER ... I disabled the schedule in the Symantec System Center and I scheduled ...
      (microsoft.public.isa)