Re: Norton antivirus fails to scan files

[BoneMachine <BoneMachine () sdf lonestar org>]

Actually, I've removed all other users from the ACL that have no business to my files. So there are no explicit denies.

NAV is started as system account as defined in control panel->services->startup

I have not yet found the time to look at logs so I cannot that the read fail occurs.

It would be a method for a virus to keep itself rrom being scanned though.

greetings 
Bone Machine

--
 
 "Hey! been trying to meet you" - The Pixies
 
--
 
 

On Wed, 10 Jul 2002 18:06:04 -0700
garberoa () WellsFargo COM wrote:

> BoneMachine,
>
> What do you mean by "a file has no Administrator read privileges"? Is the
> principal/group simply not present in the ACL for the object, or is an
> explicit deny set? Also, are you referring to the local administrators
> group, or the local administrator account (RID 500)? It matters. If, for
> instance, you had NAV running as NT AUTHORITY\SYSTEM and it attempted to
> open the file (ACLed with "deny read" set for the Local Administrators
> group) for a read operation, it will fail. A glance at the group membership
> for NT AUTHORITY\SYSTEM on an NT 4.0 or Win2k box reveals why:
>
> [User]     = "NT AUTHORITY\SYSTEM"  S-1-5-18
>
> [Group  1] = "BUILTIN\Administrators"  S-1-5-32-544
> [Group  2] = "Everyone"  S-1-1-0
> [Group  3] = "NT AUTHORITY\Authenticated Users"  S-1-5-11
>
> If an explicit deny is set for the local admins group (that NT
> AUTHORITY\SYSTEM) is a member of, then the operation will fail. See attached
> zip archive for neato-keen screen shots of the read fail in action. If this
> is the problem you are encountering, which I suspect it is, you should be
> seeing audit failures in the security log that confirm this (you are
> auditing, aren't you?).
>
> It's a common misconception that the NT AUTHORITY\SYSTEM account doesn't
> have to play by the same rules as any other account when it comes to
> accessing ACLed resources. You can set explicit deny ACLs for the SYSTEM
> account on just about anything (File System objects, registry keys, system
> objects... get used to looking at blue screens with white letters if you
> decide to be silly with this functionality).
>
>
> HTH, 
>
> Andrew Garberoglio, MCSE, CISSP
> Wells Fargo Services, Internet Technology Services
>
> "Let us prepare to grapple with the ineffable itself, and see if we may not
> eff it after all"
> -Douglas Adams
>
>  <<cant_scan_me.zip>> 
>
> -----Original Message-----
> From: BoneMachine [mailto:bonemach () sdf lonestar org]
> Sent: Wednesday, July 10, 2002 4:47 AM
> To: vuln-dev () securityfocus com
> Subject: Norton antivirus fails to scan files
>
>
> I have a problem with NAV corporate edition 7.6. When a file has no
> Administrator read privileges assigned on a Windows 2000 or Windows NT host,
> NAV fails to scan the file for viruses.
> This is a bit odd because the NAV client runs with system privileges and
> according to my NT knowledge this should be enough to read those files.
>
> I've searched on the Symantec knowledge base and all I found was this:
> Error: "Application Log is Full" upon startup of Norton AntiVirus Corporate
> Edition
> http://service1.symantec.com/SUPPORT/ent-security.nsf/552ba2f7636bedf0882568
> 18006f78bf/304b3eb399b43ab588256a780056e5d7?
>
> I have also used the webform to post this issue to symantec about two months
> ago, but I had no response
>
> Also it is not possible to use an other account than administrator as the
> 'scan' account. So it is impossible to protect documents from accidental
> access by removing administrator privileges from a file (yes, I know that
> administrators can add themselfs to the ACL of a file, but that does require
> an extra action thus excluding accidental access)
>
> My thoughts are that there are two vulnerabilities to this behavior of NAV
> 1. A virus can protect itself from being scanned by removing administrator
> read privileges from itself and its copies.
> 2. The administrator needs read privileges on all files, files therefore
> cannot be protected from accidental access by administrators.
>
> Does anyone have the same experience ? 
> Does anyone know of a virus that uses this technique to hide ?
>
> greetings
> Bone Machine
>
> --
>
> "Hey! been trying to meet you" - The Pixies
>
> --