Vulnerability: NAV

Affected: NAV2001 on Win Me

Description

Peter Kruse found the following. During a short test he accidentally stumbled upon a possible security problem with NAV. If you place a virus or other known malware in the c:\_RESTORE folder (apparently the default on Windows ME), Norton Antivirus will not scan that folder in a "full-system" scan. This seems to be Symantec's poor choice not to scan such files? However, if you manually scan C:\_RESTORE, NAV will find the infected file but won't be able to delete, repair nor quarantine the file? This could lead a malicious user to drop files into the restore folder - there're a few obvious ways to exploit this.

Eventually this can be tested by booting from DOS and copying a virus to c:\_RESTORE. The test will show that NAV2001 will indeed detect the virus but will be unable to do anything further. This just might be an even bigger issue and could be Windows ME based, and therefore leave other AV products vulnerable.

Solution

Norton AntiVirus 2000 and 2001 under Windows ME exclude the c:\_Restore folder from the list of directories that are monitored for virus activity. This is perceived as a threat because when this directory is scanned, Norton AntiVirus reports that no viruses are found, even if a virus infected file had been archived in the c:\_Restore directory.

What happens when the C:\_Restore folder is removed from the list of exclusions? Norton AntiVirus 2000 and 2001 will then scan the c:\_Restore folder and alert the user if any virus infected files have been found. Even though Norton AntiVirus 2000 and 2001 will find these viruses, they will not be able to delete, repair or quarantine these files.

As seen in Microsoft's knowledge base document found at http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP:

"Although some anti-virus programs may have the ability to work with files that have been compressed and/or stored in a .zip or .cab file format, the System Restore feature does not permit these utilities to manipulate these files within the data store. The Data Store is protected for data integrity purposes, and the System Restore feature is the only method you can use to obtain access to the data store. Because of this, the anti-virus program is unable to remove the virus from the file or files within the data store. These files in the data store are inactive and can only be used by the System Restore feature."

Because of this feature, Norton AntiVirus 2000 and 2001 can't delete, repair or quarantine virus infected files in the c:\_Restore directory.

The suggested way to infect this directory by booting with a DOS bootable disk and copying virus infected files to this directory would require someone to be able to have physical access to your computer. Having physical access to my computer requires human intervention, and is not something a virus alone could do. Antivirus software can't protect your system from someone who has physical control over the computer.