Full Disclosure mailing list archives

Re: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile


From: Sym Security <symsecurity () symantec com>
Date: Wed, 17 Sep 2003 14:17:42 +0000


Symantec's response to Issue #1: Symantec's Auto-Protect feature in the Symantec AntiVirus for Handhelds scanner is designed to detect malicious code, in real time, as files are saved to a device. At this time the anticipated mechanism for transport to a Pocket PC is via the file system, which is scanned in real-time by Symantec AntiVirus for Handhelds: for malicious code to be loaded into memory, it would have to be downloaded/synchronized/saved to the device first, and it would first be detected by Auto-Protect in Symantec AntiVirus for Handhelds.


Symantec's response to Issue #2: Symantec AntiVirus for Handhelds does have the ability to detect a byte stream anywhere in a file, but the suggested scenario is altering the eicar string such that it no longer is an eicar string. Therefore Symantec AntiVirus for Handhelds does not recognize it, not because it can't match the string, but because the string itself has been modified. Additionally, the current eicar definition (as defined by eicar.org) concedes to efficiency and does not require detection at any point in any file.



On Tuesday 16 September 2003 07:59 pm, auto9115 () hushmail com wrote:
Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile
Version tested: 3.0.0.194 (latest version)
Date: Sept. 13, 2003

Background: Viruses have started to show up on Personal Data Assistants
(PDAs) and handheld wireless devices. Although there are currently no
viruses in the wild that infect the Windows CE operating system, many
companies have released virus scanners for Windows Mobile (formerly
PocketPC). Examples include PC-cillin, Airscanner, F-secure, and McAfee.
Since McAfee was recently selected to go OEM on all new Dell Axim
handhelds, Symantec scrambled to get a product out. They have just released
their final version (available for $39.99 for a one year license), but
unfortunately, in the scramble to release it they apparently forgot to test
it to see if it is working ;)

Vulnerability #1: Real-time scanning appears to not work.

Symantec is currently the only AV company that claims to do real-time
scanning in the background on Windows CE. This claim gives them a
significant market advantage.  However, we can see that it is not true
real-time scanning. For example, if the scanner is active in memory and you
open the famous Eicar test virus (eicar.exe) into RAM, the scanner does not
detect it. It is not until you "save" a copy of a file with the Eicar to
your file system does Symantec detect it.  So it is not real-time scanning
of viral code, but rather just a simple monitor to activate a scan any time
a file is saved.  Therefore, this does not protect against hostile code
active in RAM.

Vulnerability #2: The Virus scanner does not appear to work at all!

Like any antivirus scanner, Symantec detects the Eicar test virus
(eicar.exe or eicar.txt). At least, at first glance it appears to detect
it. However, you can easily defeat this by adding a few bytes of random
text before or after the Eicar string.  For example, if you use a hex/text
editor to add a few random bytes of text before and after the string, then
Symantec won't detect it!  However, other AVs easily detect it, as they
should. An AV scanner should be able to detect a byte stream anywhere in
the file, but Symantec is easily bypassed with this rudimentary trick.

These exploits have not been submitted to Bugtraq, since that mailing
list is now owned by  Symantec, and they have more "selective" full
disclosure than this list.

Don Cheatham
Wireless Network Engineer




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
---------------------------------------
Sym Security
Symantec Corporation
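As an added example that is not part of either message above, the two matching policies the thread disagrees about side by side: the strict eicar.org file definition (test string at offset zero, only trailing whitespace, at most 128 bytes) and a byte-stream match anywhere in the file. The sample files are constructed here; the helper names are my own.

```python
"""Compare two ways a scanner can recognise the EICAR test string.

Added example (not part of the original thread). It contrasts the strict
eicar.org file definition with a "match the byte stream anywhere" policy,
which is the distinction the two messages above argue over.
"""
import re

# The 68-byte EICAR test string as published by eicar.org.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Whitespace eicar.org permits after the string: space, tab, LF, CR, Ctrl-Z.
_TRAILING_WS = re.compile(rb"[ \t\n\r\x1a]*")


def is_strict_eicar(data: bytes) -> bool:
    """eicar.org definition: the string must start the file, only the
    permitted whitespace may follow it, and the file is at most 128 bytes."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return _TRAILING_WS.fullmatch(data[len(EICAR):]) is not None


def contains_eicar(data: bytes) -> bool:
    """Byte-stream policy: flag the string wherever it appears in the file."""
    return EICAR in data


def scan(data: bytes) -> dict:
    """Run both policies on one file and report which of them fires."""
    return {"strict": is_strict_eicar(data), "anywhere": contains_eicar(data)}


# Constructed samples: the plain test file, the same string with a few bytes
# of junk before and after it (the case described in the post), and a file
# that only mentions the EICAR name without containing the full string.
PLAIN = EICAR + b"\r\n"
PADDED = b"abc" + EICAR + b"xyz"
MENTION = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE is the name of a test string"

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("padded", PADDED), ("mention", MENTION)):
        print(f"{name:8s} {scan(blob)}")
```

The padded file is exactly the case where the two policies diverge: it is no longer an EICAR file under the eicar.org definition, yet a scanner that matches the byte stream anywhere still flags it.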


