WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec
24 July, 2001
Norton AntiVirus 2002 Beta Security Issues

Security Alert
DTD: 24 July, 2001

Affected:
Norton AntiVirus 2002 Beta for Windows

Reference:
Beyond-Security's SecuriTeam.com Security Advisory, Norton AntiVirus 2002 Security Flaws, dtd: 17/7/2001, http://www.securiteam.com/windowsntfocus/5GP0C2A4UO.html as reported by Daniel Wischnewski.

Overview:
SecuriTeam's advisory references two issues. The first issue is a weak password scheme used with NAV's Quarantine that could be brute force decrypted to bypass the password protection or bypassed completely by modifying the appropriate .dat file. The second issue is the Norton AntiVirus AutoProtect service can be deactivated.

Details:
Norton AntiVirus 2002 beta Quarantine Password encryption - When Norton AntiVirus finds a file it can't repair; it safely isolates the file in a quarantine area. Quarantine is a repository for files that have been infected by viruses. Inside Quarantine, viruses are unable to spread into other areas of your computer. Preventing viruses from spreading safeguards your computer from further damage.

This allows the user to update their virus protection in order to fix the problem completely or to delete the suspect file. Norton AntiVirus' Quarantine can be password protected by the user/administrator. This is an option a user/administrator can make not Norton AntiVirus. The options in Quarantine allow a user to disable or enable certain features of Quarantine. Quarantine provides a safe environment where a user can effectively deal with virus infections on a file-by-file basis. This approach lets the user both delete non-essential files and save files that are critical to your work. Once inside the Quarantine, an infected file can be cleaned (if possible) or deleted permanently. And, if the user wishes, they can restore the cleaned file to its original location.

The SecuriTeam Advisory demonstrates a method used to recover the simple encrypted password scheme applied by Norton AntiVirus Quarantine. Knowing the password, an unauthorized user could modify any of the options set in the Quarantine UI. Further, password protection can be bypassed if the unauthorized user modifies the QuarOpts.dat file as indicated in the SecuriTeam advisory.

Resolution:
The primary purpose of Norton AntiVirus 2002 beta Quarantine password is to prevent inadvertent or intentional unauthorized changes to selected options, it is not to provide strong application security. The available options on the quarantine UI do not change or modify any form of Norton AntiVirus protection nor do they hold any important data. If the password option is selected, the user/administrator should protect their password as an enhancement to physical and personal security policies and features.

Norton AntiVirus 2002 beta AutoProtect service deactivated - AutoProtect is the name of the Norton AntiVirus real time scanner. Real time scanners are a typical feature found in a variety of antivirus software packages to automatically scan files being downloaded, copied, or executed on a workstation. With AutoProtect enabled under Norton AntiVirus, this service loads each time the machine is booted. Under a normal system configuration this service continues to run and scan files until the machine is powered off. SecuriTeam's advisory reports the startup method can be modified by changing the values in the registry controlling the behavior of the AutoProtect service. They further provide a JavaScript program that, if allowed to execute on the system, can change the Norton AntiVirus AutoProtect service from enabled to disabled. In the disabled configuration, the AutoProtect Service will not start up automatically the next time the targeted system is rebooted or restarted.

Resolution:
Norton AntiVirus 2002 beta real time and on demand scanners cannot be disabled through changes to the registry. Norton AntiVirus customers are completely safe. If a software tool were created to access the registry and modify any keys that would affect Norton AntiVirus components, a definition would be created to detect and stop that tool just as it would stop a virus. Further, Script Blocking prevents the script developed to automate the disable of AutoProtect from executing on the targeted system.

Unauthorized access to the system registry presents security concerns for any program(s), which use the registry to persist data. Protection of your system includes restricting physical access to your system and to administrative privileges. Registry security and Access Controls, depending on OS, should not be ignored. ACLs should be reviewed and adjusted in accordance to administrator preferences. Using windows defaults settings can lead to an unsecured registry.

Credit:
Symantec appreciates the support of Daniel Wischnewski and Beyond Security's SecuriTeam in identifying areas of concern so we can quickly address them.


Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Symantec-Product-Vulnerability-Response Symantec Vulnerability Response Policy Symantec Product Vulnerability Management PGP Key Symantec Product Vulnerability Management PGP Key


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Monday, 25-Oct-04 21:41:48