Endpoint Protection


Antivirus vulnerability in SSDT hooking

  • 1.  Antivirus vulnerability in SSDT hooking

    Posted May 10, 2010 10:59 AM
    Is Symantec Endpoint Protection vulnerable to the SSDT hooking hijack attacks reported by Matousec?

    http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

    They did not test SEP for this issue, but another Symantec product, "Norton Internet Security 2010 17.5.0.127", was found to be vulnerable.

  • 2.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 10, 2010 11:21 AM
    Check this blog and let us know whether it helped.

    https://www-secure.symantec.com/connect/blogs/reality-check-patchguard


  • 3.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 10, 2010 12:30 PM

    Alas no it does not cover this issue.

    The researchers have shown that they can initiate a race condition where they offer up benign code to be checked by the realtime AV tools and then switch in malicious code before the CPU executes it. This will allow execution of malicious code on a fully patched system running for a non-privileged user. The exploit code would be detected by a full virus scan, but these happen on a daily (or weekly) schedule and will often be far too late.


  • 4.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 10, 2010 01:21 PM
    Here is a link to the subject Jaggar is referring to.
    http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/
    And I am looking forward to the Symantec answer...


  • 5.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 10, 2010 02:15 PM

  • 6.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 11, 2010 10:43 AM
    The headlines about this method are going to scare the rank and file. Looking for any comment from Symantec re: Endpoint by itself or used in conjunction with other layers of defense (yes, insert other vendor name here).


  • 7.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 11, 2010 12:04 PM
    I too am concerned with this and have been asked about it by management already. I have been checking back for a satisfactory response and am disappointed by the lack thereof. The lack of an answer may be answer enough.......


  • 8.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 12, 2010 10:06 AM
    Any updates from Symantec regarding this?


  • 9.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 12, 2010 10:19 AM
    Everything I have seen (from multiple vendors) would indicate that you have to already have administrative credentials on a machine to be able to exploit this vulnerability. That limits the effectiveness of any potential attack. Also, vendors that use mini-filter drivers as opposed to kernel hooking would not be affected by this type of attack.

    However, my larger concern is that there is still the possibility of someone being an administrator on their machine and receiving an email that links to a website that exploits the vulnerability and bypasses or effectively "turns off" A/V for other attacks to take place. To me, that's where the risk seems to be.

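Post 3 describes the race (a benign argument is checked, then swapped before the kernel acts on it) and post 9 notes that products built on mini-filter drivers rather than SSDT hooks are not affected. The user-space model below is added here and is not code from the thread, from Symantec or from any vendor: the hook that validates a user-mode buffer which the original service then fetches a second time is raced, while the variant that captures the argument once and passes that same copy downstream (the property a filter-manager design gets from the I/O manager's already-captured parameters) is not. The path policy, buffer names and racing callback are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed user-mode buffer holding a file-open path argument;
 * a second user-mode thread can overwrite it at any time. */
static char user_path[64];

/* Constructed policy standing in for the product's check (not any
 * vendor's real logic): only paths under C:\Allowed\ are permitted. */
static bool policy_allows(const char *path) {
    return strncmp(path, "C:\\Allowed\\", 11) == 0;
}

/* Stand-in for the original kernel service that consumes the argument. */
static void kernel_open(const char *path, char *opened, size_t n) {
    snprintf(opened, n, "%s", path);
}

/* The race window: what the other thread does between check and use,
 * modelled as a callback so the outcome is deterministic. */
typedef void (*race_fn)(void);

/* SSDT-style hook with a double fetch: check the user buffer, then the original service re-reads it. */
int hooked_open_vulnerable(race_fn race, char *opened, size_t n) {
    if (!policy_allows(user_path)) return -1;   /* denied */
    if (race) race();                           /* argument swapped here */
    kernel_open(user_path, opened, n);          /* second fetch */
    return 0;
}

/* Hardened form: capture once into memory the other thread cannot reach, validate and use that copy. */
int hooked_open_hardened(race_fn race, char *opened, size_t n) {
    char captured[sizeof user_path];
    snprintf(captured, sizeof captured, "%s", user_path);
    if (!policy_allows(captured)) return -1;
    if (race) race();                           /* touches user memory only */
    kernel_open(captured, opened, n);           /* single fetch */
    return 0;
}

/* Constructed racing thread: swap the benign path for a blocked one. */
static void swap_argument(void) {
    snprintf(user_path, sizeof user_path, "C:\\Other\\blocked.txt");
}

/* Run one hook variant under the race; `opened` gets the path the kernel saw. */
int run_scenario(int (*hook)(race_fn, char *, size_t), char *opened, size_t n) {
    snprintf(user_path, sizeof user_path, "C:\\Allowed\\report.txt");
    return hook(swap_argument, opened, n);
}
```

Both variants approve the same benign argument; only the double-fetch hook lets the kernel service act on the swapped one, which is the detection gap post 3 describes.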

  • 10.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 12, 2010 10:38 AM

    You would be surprised, but a lot of large organizations give their users Admin rights by default. Too much money was being spent on help desk calls due to the lack of admin rights. Most were due to printer or software installs.



  • 11.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 12, 2010 11:04 AM
    It takes a fairly large file from what I understand, too......... so it would need to be some sort of web-based thing, or email to a user who was admin.


  • 12.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 12, 2010 11:52 AM
    The article that drew my attention to this issue indicates that this is not strictly limited to a local admin:

    "A user without administrative rights could also use the attack to kill an installed and running AV"

    http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/



  • 13.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 12, 2010 03:38 PM
    I think the main point is that the machine has to be owned already by some other piece of malware before this is likely to happen.   ...Meaning you already have problems before the kernel hooking starts....


  • 14.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 12, 2010 03:47 PM

    Tekkid: Let's hope so, and as soon as Symantec makes that statement I will have something concrete to take to my Betters, heh. But as Jagger noted, 1) a Symantec product was mentioned as having been bested, and 2) my company pays a crapload of money every year for the best product, silence is what you get when you use ShareWare and Open Source :-)

    -Browclops


  • 15.  RE: Antivirus vulnerability in SSDT hooking

    Posted May 12, 2010 03:56 PM
    My problem is that I may be in trouble but I need the alert that I am in trouble NOW. I do not want to wait till my daily scans catch it 23:59 later. A data breach is something that I need immediate access to. If Symantec can't assure me that this isn't an issue I am going to start looking into a solution that can.