Network Associates VirusScan NT (formerly McAfee VirusScan NT) version 4.0.2 does not properly update


                          Nomad Mobile Research Centre
                                 A D V I S O R Y
                        Simple Nomad [thegnome@nmrc.org]

                              Platform : Microsoft NT 4.0
                           Application : Network Associates' VirusScan NT
                              Severity : Medium


Network Associates VirusScan NT (formerly McAfee VirusScan NT) version 
4.0.2 does not properly update virus signature definition files under
certain conditions, and will falsely report it is up to date during manual
updates. This impacts both NT Server and Workstation.

Tested configuration

Microsoft NT Server 4.0 w/SP3, Network Associates VirusScan NT version 

Microsoft NT Workstation 4.0 w/SP3 and SP4, Network Associates VirusScan
NT version 4.0.2.

Pre-4.0.2 versions of VirusScan NT were not tested, nor were versions for
other platforms, such as Windows 95 or 98.

Bug(s) report

Network Associates VirusScan NT has a feature that allows a user to
update the virus definitions file via ftp. This task can also be automated
via the VirusScan NT AntiVirus Console. In version 4.0.2, the scan engine
holds open the main definition file scan.dat (located in the VirusScan NT
directory) during the ftp process, preventing the file from being
overwritten with the new version. The engine itself apparently does not
check return codes and will not notify the user that the file was not
updated. Worse, the Application Log is updated as if the install completed
properly, so subsequent downloads of new definition files will not
update scan.dat properly either. Subsequent manual downloads will tell you
that you already have the latest definition file when in fact you do not.

NMRC was not able to make this error occur consistently, and we strongly
suspect that a race condition exists where the updates will occasionally
work, but we were able to duplicate the error condition most of the time.
Testing was done in NMRC labs, and at two corporate locations.

To verify the proper definitions file, check the About box from the
AntiVirus Console program for the latest date next to the text "Created
On". If after a manual or automatic update this date does not change, your
definitions have not been properly updated.
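
The failure described above (the overwrite does not happen, yet the log
records success) is avoided by verifying the installed file before logging
anything, as in this added Python example; it is not Network Associates'
code and not part of the original advisory. The function names, the
constructed sample files and the two stand-in copy routines that simulate
the locked scan.dat are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file's contents so two copies can be compared."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def install_definitions(downloaded, installed, log, copy=shutil.copyfile):
    """Overwrite `installed` with `downloaded`; log success only once verified."""
    want = sha256_of(downloaded)
    try:
        copy(downloaded, installed)
    except OSError as exc:  # e.g. the target is held open by another process
        log.append("FAILED overwrite: %s" % exc)
        return False
    if sha256_of(installed) != want:  # copy returned, but the file is unchanged
        log.append("FAILED verify: installed file differs from download")
        return False
    log.append("OK " + want)
    return True

def locked_copy(src, dst):
    """Constructed stand-in for the scan engine holding scan.dat open."""
    raise PermissionError("sharing violation on " + Path(dst).name)

def silent_copy(src, dst):
    """Constructed stand-in for a write that fails without raising."""
    return None

def demo():
    """Run three cases on constructed files; return {case: (ok, status, updated)}."""
    cases = (("locked", locked_copy), ("silent", silent_copy),
             ("normal", shutil.copyfile))
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        new = Path(tmp) / "download.dat"
        new.write_bytes(b"constructed definitions, newer")
        for name, copy in cases:
            cur, log = Path(tmp) / (name + "-scan.dat"), []
            cur.write_bytes(b"constructed definitions, older")
            ok = install_definitions(new, cur, log, copy)
            results[name] = (ok, log[-1].split()[0], sha256_of(cur) == sha256_of(new))
    return results

if __name__ == "__main__":
    print(demo())
```

In both failing cases the log ends with a FAILED entry and the installed
file keeps its old contents, so a later update run has no false "already
current" record to rely on.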

The implication here is that the administrator or end user believes their
system is protected when it in fact is not.


Upgrade to Network Associates VirusScan NT version 4.0.3a, which resolves 
the problem. Alternatively, disable the VirusScan engine, wait several
seconds for the operating system to close the file, and manually copy the
definition files into the VirusScan NT directory. This second method will
place your log files out of sync with the definition files until the next
manual or automatic download, but this should not impact functionality.

It is recommended that you disable 4.0.2 (or even uninstall) before
performing an upgrade to 4.0.3a due to other problems we encountered
during the testing of this product, such as being unable to properly stop
the VirusScan services before upgrading. Once again, these problems were
inconsistent but happened several times on several systems.

One further note: in a restricted NT workstation environment, it is next
to impossible to have the user upgrade the product themselves. Local admin
rights are required to make this happen, and this will require a visit
from an individual with adequate rights to the workstation to complete the


Network Associates has been notified and recommends the upgrade to 4.0.3a
to resolve the problem. This problem was discovered while investigating
why upgraded machines were still infected by various Microsoft Word macro
viruses after they had been upgraded to the latest definition files.

Network Associates can be reached at http://www.nai.com/. Unfortunately
at the time of this writing the ftp location of the 4.x definition files
was not present. It's supposed to be at 
ftp://ftp.nai.com/pub/antivirus/update/4.x but had disappeared from the


