Bugtraq mailing list archives

Re: SAV9 Functionality Hole - misses virus files

From: Ben Blakely <blakely () krellinst org>
Date: Tue, 15 Mar 2005 12:26:28 -0600

Forgive me if this is misposted, but related to this issue:

I've been looking for some time for a good white paper or any technicaldocumentation regarding the communcation of SAV clients and servers, andSAV in general. One particularly annoying issue is the inability tochange the default Auto-Protect options. This means that when a newclient is installed (as we use encrypted SMTP) they are unable to sendemail until we have turned off "Email Auto-Protect" on that specificmachine in the SSC on the Parent server. In any case, if anyone has agood source of information regarding the internals of SAV 9, it would begreatly appreciated.


Regards,
/ben Blakely
Network Administrator
The Krell Institute

me3 () neuralfibre com wrote:

Product: Symantec AntiVirus Corporate Edition 9.0

Vulnerability: Files saved on the server but opened remotely via SMB are not scanned.

SAV9 runs as a client - server application. The client receives updates, the server pushes them out. This has no 
bearing on the platforms on which they run, nor on scanning operation. The server could run on an NT4 workstation and 
the clients on your 2003 servers.

When SAV9 is protecting the file server, and an unprotected client saves files to a share on the server, the files are 
not scanned.
When another unprotected client opens these files, they are not scanned by the server.
The server will only find these files during a scheduled scan.

Symantec documentation mentions file share scanning but makes no differentiation between opening the file on the client 
or the server. The documentation is misleading.
Technical support was advised and again recited the same misleading statement.

Picture this
1. Consultant visits and saves infected file to server
2. Client with laptop that didn't get latest update as was offline, comes in to work and opens file off the "safe, 
prrotected" server - infected laptop.

This also means from a licencing standpoint, the only point of running SAV on your file servers is to protect it when apps are run locally on that server. If you don't run apps on your server, there is little point in running SAV on it.

So much for defence in depth.

Testing Trend ServerProtect showed it instantly detected and deleted the virus on save.

Other AV products still to be tested.

Other questions relate to files published / saved through other protcols such as HTTP, SMB, Frontpage Server 
Extensions, TFTP, etc etc.

Conclusion
The API that Symantec is using is not on file open from the file system, but rather file open by the local desktop - 
this allows files to be saved and opened without being scanned.

Paul Young

Current thread:

SAV9 Functionality Hole - misses virus files me3 (Mar 15)
- Re: SAV9 Functionality Hole - misses virus files Harry Hoffman (Mar 15)
- Re: SAV9 Functionality Hole - misses virus files Ben Blakely (Mar 15)
- RE: SAV9 Functionality Hole - misses virus files batchelornpe (Mar 16)
- <Possible follow-ups>
- RE: SAV9 Functionality Hole - misses virus files Polazzo Justin (Mar 15)
- RE: SAV9 Functionality Hole - misses virus files Dewyngaert Brian Contr ANG/C4 (Mar 15)
- SAV9 Functionality Hole - misses virus files secure (Mar 16)
- Re: SAV9 Functionality Hole - misses virus files patrickwm71 (Mar 18)
- Re: SAV9 Functionality Hole - misses virus files secure (Mar 18)