
Re: SAV9 Functionality Hole - misses virus files



Does the "realtime protection" not catch the files being saved to disk?

me3@xxxxxxxxxxxxxxx wrote:

Product: Symantec AntiVirus Corporate Edition 9.0

Vulnerability: Files saved on the server but opened remotely via SMB are not 
scanned.

SAV9 runs as a client - server application. The client receives updates, the 
server pushes them out. This has no bearing on the platforms on which they run, 
nor on scanning operation. The server could run on an NT4 workstation and the 
clients on your 2003 servers.

When SAV9 is protecting the file server, and an unprotected client saves files 
to a share on the server, the files are not scanned.
When another unprotected client opens these files, they are not scanned by the 
server.
The server will only find these files during a scheduled scan.

Symantec documentation mentions file share scanning but makes no 
differentiation between opening the file on the client or the server. The 
documentation is misleading.
Technical support was advised and again recited the same misleading statement.

Picture this
1. Consultant visits and saves infected file to server
2. Client with laptop that didn't get latest update as was offline, comes in to work and 
opens file off the "safe, protected" server - infected laptop.

This also means from a licensing standpoint, the only point of running SAV on your file servers is to protect it when apps are run locally on that server. If you don't run apps on your server, there is little point in running SAV on it.
So much for defence in depth.

Testing Trend ServerProtect showed it instantly detected and deleted the virus 
on save.

Other AV products still to be tested.

Other questions relate to files published / saved through other protocols such 
as HTTP, SMB, Frontpage Server Extensions, TFTP, etc etc.

Conclusion
The API that Symantec is using is not on file open from the file system, but 
rather file open by the local desktop - this allows files to be saved and 
opened without being scanned.

Paul Young
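
The save-then-open behaviour reported in this thread can be checked against your own file server with the harmless EICAR test string. The following is an added example, not part of the original messages. It assumes it is run from a client with no local on-access scanner, so that any reaction comes from the server. The function names, the probe file name and the share path in the usage comment are hypothetical.

```python
import os, sys, time

# EICAR standard anti-virus test string (harmless), split in two so that
# this script is not itself flagged by an on-access scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def write_probe(path, payload=EICAR):
    """Save the payload; return False if the write itself is refused."""
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
        return True
    except OSError:  # may also be a plain permission problem on the share
        return False

def check_probe(path, payload=EICAR):
    """Classify what happened to a previously written probe file."""
    if not os.path.exists(path):
        return "removed"            # deleted or quarantined after the save
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "blocked_on_open"    # scanner denied the read
    return "not_detected" if data == payload else "modified"

def probe_share(directory, wait=5.0, payload=EICAR):
    """Save to the share, give the scanner time to react, then reopen."""
    path = os.path.join(directory, "avprobe_%d.com" % os.getpid())
    if not write_probe(path, payload):
        return "blocked_on_save"
    time.sleep(wait)
    result = check_probe(path, payload)
    if result in ("not_detected", "modified"):
        try:
            os.remove(path)         # clean up a probe the scanner left behind
        except OSError:
            pass
    return result

if __name__ == "__main__":
    # Usage: python avprobe.py \\fileserver\share   (placeholder UNC path)
    print(probe_share(sys.argv[1]))
```

A result of `not_detected` means the file was saved and reopened over the share without the server's scanner reacting within the wait period.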