Bugtraq mailing list archives
Possible security issue in NAV2001 on Windows ME
From: Bill Sobel <bsobel () SYMANTEC COM>
Date: Tue, 24 Oct 2000 18:30:36 -0700
This post is Symantec's response to Peter Kruse's 10/22/2000 post.

Bill Sobel
Symantec

Bugnet Post:

If you place a virus or other known malware in the c:\_RESTORE folder (apparently default on Windows ME) Norton Antivirus will not scan that folder in a "full-system" scan. This seems to be Symantec's poor choice not to scan such files? However if you manually scan C:\_RESTORE NAV will find the infected file but won't be able to delete, repair nor quarantine the file? This could lead a malicious user to drop files into the restore folder - there're a few obvious ways to exploit this. Eventually this can be tested by booting from DOS and copying a virus to c:\_RESTORE. The test will show that NAV2001 will indeed detect the virus but will be unable to do anything further.

Symantec Response:

Norton AntiVirus 2000 and 2001 under Windows ME exclude the c:\_Restore folder from the list of directories that are monitored for virus activity. This is perceived as a threat because when this directory is scanned, Norton AntiVirus reports that no viruses are found, even if a virus infected file had been archived in the c:\_Restore directory.

What happens when the C:\_Restore folder is removed from the list of exclusions?

Norton AntiVirus 2000 and 2001 will then scan the c:\_Restore folder and alert the user if any virus infected files have been found. Even though Norton AntiVirus 2000 and 2001 will find these viruses, they will not be able to delete, repair or quarantine these files. As seen in Microsoft's knowledge base document found at http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP, "Although some anti-virus programs may have the ability to work with files that have been compressed and/or stored in a .zip or .cab file format, the System Restore feature does not permit these utilities to manipulate these files within the data store. The Data Store is protected for data integrity purposes, and the System Restore feature is the only method you can use to obtain access to the data store. Because of this, the anti-virus program is unable to remove the virus from the file or files within the data store. These files in the data store are inactive and can only be used by the System Restore feature." Because of this feature, Norton AntiVirus 2000 and 2001 can't delete, repair or quarantine virus infected files in the c:\_Restore directory.

Can a virus infected file archived in the C:\_Restore directory infect my system?

The suggested way to infect this directory by booting with a DOS bootable disk and copying virus infected files to this directory would require someone to have physical access to my computer. Having physical access to my computer requires human intervention, and is not something a virus alone could do. Antivirus software can't protect your system from someone who has physical control over the computer.

Laura Motoaki Yamamura 10/23/2000 11:07 PM
To: "Bill Sobel" <bsobel () symantec com>
cc: <myamamura () symantec com>, "Vincent Weafer" <vweafer () symantec com>, <tmmather () symantec com>, <Lgarcia () symantec com>, <asanjabi () symantec com>, Francia Saplala/SanMon/Cal/SYMANTEC@SYMANTEC, Yunsun Wee/SanMon/Cal/SYMANTEC@SYMANTEC, Susan Murdico/SanMon/Cal/SYMANTEC@SYMANTEC, Deirdre Allingham/SanMon/Cal/SYMANTEC@SYMANTEC, Patrick Martin/SanMon/Cal/SYMANTEC@Symantec
Subject: Need response from CPD asap (Document link: Laura Garcia-Manrique)

Laura,

Can I presume your team will assemble the official response for this by Tuesday (Oct 24)? If not, we need to discuss this quickly because I want to make sure to take care of this quickly. It's public information and needs to be addressed quickly. I'm happy to help brainstorm on the reply if you need help.

Bill,

I mentioned the inability to execute a file from _RESTORE to address the comment he made about hiding the malicious code in that folder.

> This could lead a malicious user to drop files into the restore folder - there're a few obvious ways to exploit this.

In order to use that malware, the malware will need to move it out of there (at which point NAV will detect it). Can you let me know if there is any obvious way to get around this? (I'm hoping there is not.) I do understand that reinfection will occur if you roll back. I think it's like taking a backup of the system in an infected state. Although it's bad to include known infections in a backup, maybe (this sounds like a bad excuse) it could be used if we have a false positive or bad repair (similar to keeping a backup copy of pre-repaired files). I think it was a conscious decision made by the NAV2001 team to implement it this way until they can implement a better way to do this. Anyway, I will try to chat with the NAV2001 team to make sure we can respond to this post before it blows up.

- Moto

"Bill Sobel" <bsobel () symantec com> on 10/23/2000 04:28:19 PM
To: <myamamura () symantec com>
cc: "Vincent Weafer" <vweafer () symantec com>, <tmmather () symantec com>, <Lgarcia () symantec com>, <asanjabi () symantec com>
Subject: RE: FW: Message sent to Security () SYMANTEC COM

Update, Bugtraq sent it out, and it's up on SecurityFocus. Probably need to get an official response ready.

Moto, one more thing, apparently if you manually scan the _RESTORE folder we can't repair or delete the file. You're infected, but you're stuck with it and you'll get reinfected if the user has to do a restore which pulls that file out (so it doesn't matter if you can run code from that dir or not for this case).

Bill

-----Original Message-----
From: myamamura () symantec com [mailto:myamamura () symantec com]
Sent: Monday, October 23, 2000 11:30 AM
To: Bill Sobel
Cc: myamamura () symantec com; Vincent Weafer; tmmather () symantec com; scott.martin () symantec com; Lgarcia () symantec com; asanjabi () symantec com
Subject: RE: FW: Message sent to Security () SYMANTEC COM

Thanks for that info.

I was aware of this rollback feature, but was not aware of the directory name - I need to study a bit more on the new OS - learning something every day :-). I think it had to do with repairing viruses. When viruses are repaired, the original unrepaired file will automatically be sent to the restore directory by the OS. Ideally, we want to prevent that from happening to keep restore clean (probably need to hook somewhere inside of the restore feature and repair files being sent into restore). But since that feature was not possible to implement in the NAV2001 timeframe, the product avoided scanning restore to avoid confusion by novice users. This way, the user will clean a virus and not detect it again (in the restore). If NAV2001 scanned the restore, they would think they are still infected. Lastly, I thought it was not possible to execute programs from inside the restore directory (if true, this should eliminate a trojan being hidden). Anyway, I think Ali or Laura (CPD) can validate my answer and also keep you posted on any other updates they may have.

- Moto

"Bill Sobel" <bsobel () symantec com> on 2000/10/23 11:01:29
To: <myamamura () symantec com>
cc: "Vincent Weafer" <vweafer () symantec com>, <tmmather () symantec com>, <scott.martin () symantec com>, <Lgarcia () symantec com>
Subject: RE: FW: Message sent to Security () SYMANTEC COM

Moto, I'm pretty sure he's talking about the 'restore' folder, not the recycle bin. The restore folder is where ME stores data that is used when the system needs to be rolled back. As the poster says, installing an infected item here will cause an infection if/when a rollback later occurs.

Bill

-----Original Message-----
From: myamamura () symantec com [mailto:myamamura () symantec com]
Sent: Monday, October 23, 2000 10:53 AM
To: Bill Sobel
Cc: Motoaki Yamamura; Vincent Weafer; tmmather () symantec com; scott.martin () symantec com; Lgarcia () symantec com
Subject: Re: FW: Message sent to Security () SYMANTEC COM

I presume he is talking about the "recycled" folder (trash can) rather than "restore". I recall a similar issue being raised in the past about this and I can't recall the answer to it. Anyway, this code is independent of the scanning engine and is in the product code. I suggest we talk with Laura Garcia about the reason why they chose to do this.

Laura, can you comment on this?

- Moto

"Bill Sobel" <bsobel () symantec com> on 2000/10/22 11:48:18
To: "Motoaki Yamamura" <myamamura () symantec com>, "Vincent Weafer" <vweafer () symantec com>
cc: <tmmather () symantec com>, <scott.martin () symantec com>
Subject: FW: Message sent to Security () SYMANTEC COM

Vincent, Moto,

This came in from external, can you review and comment (and let me know if we or SARC will respond to the poster)?

Bill

-----Original Message-----
From: Security () symantec com [mailto:Security () symantec com]
Sent: Sunday, October 22, 2000 8:36 AM
To: tmmather () symantec com; scott.martin () symantec com; bsobel () symantec com
Subject: Message sent to Security () SYMANTEC COM

If you wish to reply to this message as "Security () SYMANTEC COM" to the Internet, please be sure to switch to the Security/Cupertino/Cal/SYMANTEC notes ID before replying.

"Peter Kruse" <peter.kruse () it dk> on 10/22/2000 08:20:20 AM
Please respond to <peter.kruse () it dk>
To: Security/Cupertino/Cal/SYMANTEC@SYMANTEC
cc:
Subject: Possible security bug in Norton Antivirus 2001 running on Windows ME

Yesterday I received my new laptop with a default installation of Microsoft Windows ME and the Norton Antivirus 2001 product. During a short test I accidentally stumbled upon a possible security problem with Norton Antivirus.

Overview:

If you place a virus or other known malware in the c:\_RESTORE folder (apparently default on Windows ME) Norton Antivirus will not scan that folder in a "full-system" scan. This seems to be Symantec's poor choice not to scan such files? However if you manually scan C:\_RESTORE NAV will find the infected file but won't be able to delete, repair nor quarantine the file? This could lead a malicious user to drop files into the restore folder - there're a few obvious ways to exploit this. This may be an even bigger issue and could be Windows ME based and therefore leave even more AV products vulnerable. Does anybody have further information regarding this possible security bug?

Kind regards
Peter Kruse
www.virus112.com

(See attached file: winmail.dat)