Re: "Javier Sanchez" jsanchez157@hotmail.com 02/25/2002 11:14 AM, Symantec LiveUpdate Norton Antivirus Corporate Edition includes LiveUpdate. LiveUpdate stores Username and Password information in cleartext in the registry. Depending on your implementation, you may not need LiveUpdate installed at all on your clients. I brought this to Symantec's attention months ago. Since then a new version of LiveUpdate has been released. The information is still not encrypted. Any user with the client installed can run "regedit" search for "password" and viola! Here's a "fix": Paste the following into a .reg file (i.e. nav.reg) and push it out to your clients via login script or whatever: REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource] "Login"=- "Password"=- Symantec Response: Symantec's Norton AntiVirus Corporate Edition provides the administrator the ability to push LiveUpdate definitions out to individual clients or to configure each client with a read-only username and password access to an internal local LiveUpdate server to download local updates. While the local username and password were stored in the registry in the clear in LiveUpdate 1.5, LiveUpdate 1.6 and later versions encrypt this username and password by default Symantec would like to emphasis that in all instances, the username and password pair is NOT connected with authentication to access Symantec's LiveUpdate server. The username and password in question is ONLY associated with the local network internal server. Symantec is aware of the issue addressed by Mr. Sanchez and it is not a LiveUpdate issue. Rather it is an internal server issue when passing the username and password to the client system that is affecting the password encryption causing the clear text exposure. This problem is currently being addressed and will be available for update as soon as it is fully tested. Symantec appreciates the concern of Mr. Sanchez and takes the security of our products very seriously. We would like to re-emphasize however, that this read-only username/password is for internal server access only. Additionally, if company policy is such that all updates are controlled at a centralized server and pushed out to client systems, the issue in question does not exist. Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information. Symantec, Symantec product names and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies
