Re: SAV9 Functionality Hole - misses virus files

[<secure () symantec com>]

In-Reply-To: <20050315062647.21534.qmail () www securityfocus com>


> Date: 15 Mar 2005 06:26:47 -0000
> Message-ID: <20050315062647.21534.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: <me3 () neuralfibre com>
> To: bugtraq () securityfocus com
> Subject: SAV9 Functionality Hole - misses virus files
>
>
>
> Product: Symantec AntiVirus Corporate Edition 9.0
>
> Vulnerability: Files saved on the server but opened remotely via SMB are not scanned.
>
> SAV9 runs as a client - server application. The client receives updates, the server pushes them out. This has no 
> bearing on the platforms on which they run, nor on scanning operation. The server could run on an NT4 workstation and 
> the clients on your 2003 servers.
>
> When SAV9 is protecting the file server, and an unprotected client saves files to a share on the server, the files are 
> not scanned.
> When another unprotected client opens these files, they are not scanned by the server.
> The server will only find these files during a scheduled scan.
>
> --------------snip-----------------
> Conclusion
> The API that Symantec is using is not on file open from the file system, but rather file open by the local desktop - 
> this allows files to be saved and opened without being scanned.
>
> Paul Young
-------------------------------end

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec Response

Symantec engineers throughly tested SAV9 in the configuration
reported by the poster scanning all share files and could find no
issues in any of our testing. 

SAV 9 is NOT vulnerable to the issues identified by the poster.

Symantec contacted the poster and worked with him to review his
configuration and environment to determine why he is seeing what he
had reported.  

Symantec and the poster determined there was a configuration issue in
the way the poster had his Real-Time Virus Scan options set.  File
types were being excluded from the scan that gave the erroneous
impression that SAV9 was not scanning files that should have been
scanned.  To the contrary, SAV9 was operating exactly as it was
configured to.
Symantec encourages all customers to confirm configuration settings
to ensure files are properly scanned.

Symantec Product Security Team

Symantec takes the security of our products seriously and adheres to
responsible disclosure.  Our response policies can be viewed at
http://www.symantec.com/security. 
Symantec will work closely with anyone who believes they have found a
security issue in a Symantec product to validate the problem and
coordinate any response deemed necessary.  

Please contact secure () symantec com concerning security issues with
Symantec products.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQjtI5ALsezw0Sg5hEQLGWgCgslSf5Rd37MAp/YvTF+UQP6s9ZVYAoKHj
V/6DDzQwEnZxvgXoBb84X8DI
=KZCz
-----END PGP SIGNATURE-----