In-Reply-To: <20050315062647.21534.qmail@xxxxxxxxxxxxxxxxxxxxx> >Date: 15 Mar 2005 06:26:47 -0000 >Message-ID: <20050315062647.21534.qmail@xxxxxxxxxxxxxxxxxxxxx> >Content-Type: text/plain >Content-Disposition: inline >Content-Transfer-Encoding: binary >MIME-Version: 1.0 >X-Mailer: MIME-tools 5.411 (Entity 5.404) >From: <me3@xxxxxxxxxxxxxxx> >To: bugtraq@xxxxxxxxxxxxxxxxx >Subject: SAV9 Functionality Hole - misses virus files > > > >Product: Symantec AntiVirus Corporate Edition 9.0 > >Vulnerability: Files saved on the server but opened remotely via SMB are not scanned. > >SAV9 runs as a client - server application. The client receives updates, the server pushes them out. This has no bearing on the platforms on which they run, nor on scanning operation. The server could run on an NT4 workstation and the clients on your 2003 servers. > >When SAV9 is protecting the file server, and an unprotected client saves files to a share on the server, the files are not scanned. >When another unprotected client opens these files, they are not scanned by the server. >The server will only find these files during a scheduled scan. > >--------------snip----------------- >Conclusion >The API that Symantec is using is not on file open from the file system, but rather file open by the local desktop - this allows files to be saved and opened without being scanned. > >Paul Young -------------------------------end -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Symantec Response Symantec engineers throughly tested SAV9 in the configuration reported by the poster scanning all share files and could find no issues in any of our testing. SAV 9 is NOT vulnerable to the issues identified by the poster. Symantec contacted the poster and worked with him to review his configuration and environment to determine why he is seeing what he had reported. Symantec and the poster determined there was a configuration issue in the way the poster had his Real-Time Virus Scan options set. File types were being excluded from the scan that gave the erroneous impression that SAV9 was not scanning files that should have been scanned. To the contrary, SAV9 was operating exactly as it was configured to. Symantec encourages all customers to confirm configuration settings to ensure files are properly scanned. Symantec Product Security Team Symantec takes the security of our products seriously and adheres to responsible disclosure. Our response policies can be viewed at http://www.symantec.com/security. Symantec will work closely with anyone who believes they have found a security issue in a Symantec product to validate the problem and coordinate any response deemed necessary. Please contact secure@xxxxxxxxxxxx concerning security issues with Symantec products. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQA/AwUBQjtI5ALsezw0Sg5hEQLGWgCgslSf5Rd37MAp/YvTF+UQP6s9ZVYAoKHj V/6DDzQwEnZxvgXoBb84X8DI =KZCz -----END PGP SIGNATURE-----
