<<< Date Index >>>     <<< Thread Index >>>

RE: Re: Symantec Antivirus client locally created scheduled scan is not running if the local console is logged off



Hi John,

Thank you for this important information.

Well, I've looked into this and you are perfectly
correct about the actual
behavior (and my apologies to Bone Machine - you were
right, buddy, and I
was wrong!):
Local scheduled scans are saved under
HKEY_CURRENT_USER\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom
Tasks

I didn't looked into it before because I simply
trusted Symantec. Big
mistake.

So, not only a user needs to log on for the scan to
run, but it HAVE to be a
SPECIFIC user, the one created the scan. Marvelous
piece of scheduling
software!

So this is not a vulnerability. Worst. It is by
design! Since version 7! And
they receive a customer alert about it, years ago,
from you, and did nothing
until now!
The problem is that most of the customers (so I
guess), are not like you
John, and they simply rely on what Symantec it telling
them:

>From version 9 client manual, page 38 - "Your computer
must be turned on and
Symantec AntiVirus Services must be
loaded when the scan is scheduled to take place. (By
default, Symantec
AntiVirus Services are loaded when you start your
computer.)"
True, but not all of the truth.
I didn't find anywhere in the manuals or in the
support site any mention
that the requirements for the scan to actually run are
completely different.
If the actual requirements were known - then I guess
SAV CE admins would
have used the GRC creator or any other workaround.
But you have to know the facts before you can act.

This issue makes me look at Symantec in a whole new
light.
The FIRST and most fundamental thing about security is
TRUST.
And when Symantec is KNOWINGLY misleading its
customers, it can't expect to
have their trust.
        

Regards,
 
Eitan Caspi
Israel
 
Blog (Hebrew): http://www.notes.co.il/eitan
Blog (English): http://eitancaspi.blogspot.com
 
"Technology is like sex. No Hands On - No Fun." (Eitan
Caspi)
 
Keep on rocking with "The Arrow" radio:
http://www.thearrow.co.uk
Direct listening (Using windows media player):
http://streams.interoutemediaservices.com/clients/chrysalis/9410.asx
 
 

-----Original Message-----
From: Scrimsher, John P [mailto:john.scrimsher@xxxxxx]

Sent: Wednesday, March 23, 2005 10:57 PM
To: eitancaspi@xxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Re: Symantec Antivirus client locally
created scheduled scan is
not running if the local console is logged off

Eitan

What you have described is an ongoing issue at least
since Version 7 of the
Symantec Corporate Edition antivirus product.  I have
personally talked with
Symantec about it as well.  However it does not pose
the security risk that
you appear to believe it does.  In my personal
opinion, it poses an
administrative headache at most. 

Symantec provides a way for you to schedule scans that
will run regardless
of the logged on state. They are called Administrative
Scans and are
configured from the Symantec System Center Console. 
You can also use the
GRC Creator tools found on the SAV CE CDs.  The scans
created as
"Administrative Scans" will be stored in the
HKEY_LOCAL_MACHINE registry
hive and will run as long as the computer is turned
on.

Scans created by users will be stored in the
HKEY_CURRENT_USER registry hive
since they are user specific settings, following
Microsoft's model for
registry stored settings.  This means that user
created settings such as
scheduled scans will be unloaded when the user logs
off of the system.

If you have a system that typically has no user logged
in such as a web
server, or file server, then you should create the
scans from the SSC, then
they will act as you wish.

I believe that the documentation doesn't mention this
because the
documentation is designed for central administration. 
An administrator
trying to manage 1000 clients or more doesn't want to
touch each individual
system to schedule the scan.  They want to use the
Management tools provided
such as SSC to schedule them, and this will work for
what you describe.

That said.  I have talked with Symantec about this
issue repeatedly since
version 7.  I am sure that it is on their development
path, but may not rank
as high as other features that their many customers
are asking for.

Do I want them to create a scan that is user editable
and runs regardless of
logged in user? YES.  It would save me some trouble
from users complaining
that the company set scan is set for the wrong time. 
It is possible to
create your own tool that modifies the scan schedule
that you could allow
users to run, but that is something that would not be
supported by Symantec.


John Scrimsher


This message is based on my opinions only and does not
in any way attempt to
reflect on the opinions or stance of my employer or
any other business or
individual.




                
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/