RE: Vulnerability in Symantec Anti Virus Corporate Edition v9.x
Possible workaround:
Don't allow authenticated access to the LiveUpdate repository. If you allow
read-only anonymous access to the LiveUpdate respository, clients won't need
to store or use credentials. If they don't use credentials the logging issue
goes away.
If you use that method you also don't have to worry about whether the
Settings.LiveUpdate encrypts the saved credentials well enough (because
there won't be any credentials in there).
You would probably have to change both the clients and the server - clients
configured to authenticate may fail to access the anonymous repository.
Anonymous read-only access to LiveUpdate files is often OK because they are
publicly available files. The downside is that anyone can take a look at the
state of your LiveUpdate files and might use version or product information
against you in some way.
YMMV UYOJ