Bugtraq mailing list archives

RE: SAV9 Functionality Hole - misses virus files


From: Dewyngaert Brian Contr ANG/C4 <Brian.Dewyngaert () ang af mil>
Date: Tue, 15 Mar 2005 13:57:25 -0500

Please advise as to what version of SAV you refer to, as we have done
several tests with file servers over here and are unable to reproduce the
issue you state. In fact we see the exact opposite. We tested on SAV 9
MR3, with the EICAR test virus and each time we tried to push the file to
the server from an unprotected client our file was immediately removed. We
had to go so far as to copy the EICAR test string in memory and paste it
into a file. As soon as we saved it and closed the file from editing it was
removed by SAV.


Brian Dewyngaert Jr. 



-----Original Message-----
From: Harry Hoffman [mailto:hhoffman () ip-solutions net] 
Sent: Tuesday, March 15, 2005 11:42 AM
To: bugtraq () securityfocus com
Subject: Re: SAV9 Functionality Hole - misses virus files

Does the "realtime protection" not catch the files being saved to disk?

me3 () neuralfibre com wrote:

Product: Symantec AntiVirus Corporate Edition 9.0

Vulnerability: Files saved on the server but opened remotely via SMB are
not scanned.

SAV9 runs as a client - server application. The client receives updates,
the server pushes them out. This has no bearing on the platforms on which
they run, nor on scanning operation. The server could run on an NT4
workstation and the clients on your 2003 servers.

When SAV9 is protecting the file server, and an unprotected client saves
files to a share on the server, the files are not scanned.
When another unprotected client opens these files, they are not scanned by
the server.
The server will only find these files during a scheduled scan.

Symantec documentation mentions file share scanning but makes no
differentiation between opening the file on the client or the server. The
documentation is misleading.
Technical support was advised and again recited the same misleading
statement.

Picture this:
1. Consultant visits and saves infected file to server.
2. Client with laptop that didn't get latest update as was offline, comes
in to work and opens file off the "safe, protected" server - infected laptop.

This also means from a licencing standpoint, the only point of running SAV
on your file servers is to protect it when apps are run locally on that
server. If you don't run apps on your server, there is little point in
running SAV on it. 

So much for defence in depth.

Testing Trend ServerProtect showed it instantly detected and deleted the
virus on save.

Other AV products still to be tested.

Other questions relate to files published / saved through other protocols
such as HTTP, SMB, Frontpage Server Extensions, TFTP, etc etc.

Conclusion
The API that Symantec is using is not on file open from the file system,
but rather file open by the local desktop - this allows files to be saved
and opened without being scanned.

Paul Young
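An added example (not code from either poster) that scripts the check both messages describe: save a file to the share the way an unprotected client would, then watch whether the server's real-time protection removes it or leaves it for the next scheduled scan. It assumes the tester supplies the standard EICAR test file on the command line (the script carries no test-virus content itself); the UNC path is a placeholder, and the built-in self-test uses constructed harmless bytes with a simulated scanner so the logic runs without any AV installed.

```python
import sys
import tempfile
import threading
import time
from pathlib import Path


def check_on_access_scan(share_dir, test_bytes, timeout_s=10.0, poll_s=0.25):
    """Write test_bytes into share_dir (plain write, then close, as an
    unprotected client would) and poll for the file. Returns 'removed' if
    the server-side scanner deleted it within timeout_s, else 'persisted'."""
    target = Path(share_dir) / "av-on-access-probe.txt"
    with open(target, "wb") as fh:
        fh.write(test_bytes)
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if not target.exists():
            return "removed"
        time.sleep(poll_s)
    try:
        target.unlink()  # nothing caught it: remove the probe ourselves
    except FileNotFoundError:
        return "removed"  # scanner got it between the last poll and now
    return "persisted"


def _delete_later(path, delay_s):
    """Stand-in for an on-access scanner quarantining the file after a short
    delay. Used only by self_test; it is not part of the real check."""
    def worker():
        time.sleep(delay_s)
        Path(path).unlink(missing_ok=True)
    threading.Thread(target=worker, daemon=True).start()


def self_test():
    """Exercise both outcomes on a local temp dir with constructed, harmless
    bytes: no scanner -> 'persisted'; simulated scanner -> 'removed'."""
    probe = b"constructed harmless probe content, not a test virus\n"
    with tempfile.TemporaryDirectory() as d:
        no_scanner = check_on_access_scan(d, probe, timeout_s=1.0)
        _delete_later(Path(d) / "av-on-access-probe.txt", 0.3)
        simulated = check_on_access_scan(d, probe, timeout_s=3.0)
    return {"no_scanner": no_scanner, "simulated_scanner": simulated}


if __name__ == "__main__":
    # Usage: python probe.py \\FILESERVER\share path\to\eicar.com  (placeholders)
    share, eicar_file = sys.argv[1], sys.argv[2]
    print(check_on_access_scan(share, Path(eicar_file).read_bytes()))
```

Run it from a client with no local AV so the client-side scanner cannot mask the result; "persisted" reproduces the hole Paul describes, "removed" matches what Brian saw on SAV 9 MR3.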

