Vulnerability: Norton (Symantec) Antivirus
Affected: NAV 5.0

Description:
Michael W. Shaffer found the following. He noticed what appears to him to be a disturbing lapse in the scanning procedure of Norton AntiVirus 5.0 for Win32. He runs multiple virus scanning systems at his site:

- Trend Micro InterScan VirusWall on SMTP gateways
- NAV 5.0 on Windows workstations and file servers
- Sophos Anti-Virus on UNIX file and proxy servers

While responding to a recent complaint of infection from a user, he was told that the customer believed they had been infected with a copy of Win32 Fun Love contained in an 'embedded package' in an Excel spreadsheet that she had received from a co-worker. While investigating the complaint, the local Exchange administrator and Michael ran several tests, including emailing and opening Word and Excel documents which had infected files embedded in them. They tested this with plain and password-protected files, with the infected files inserted by simple 'drag and drop' from Explorer as well as through 'Object Packager'. When they emailed the documents with infected embedded files, the files were caught and deleted without exception by InterScan at the email gateways.

We were somewhat surprised to find that InterScan even detected the infected content in *password protected* files. The security mechanism involved in the Excel password protection scheme is not particularly robust, but we did think that it involved at least a minimal encryption of the file which was protected. We are assuming that either the files are not actually encrypted, the embedded content is not encrypted, or (unlikely, we think) that ISVW is actually cracking the files by brute force in order to scan them. Perhaps someone else knows more about this...

In any event, the alarming thing was that NAV 5.0 failed to detect *any* of the infected embedded objects when the enclosing documents were either opened or scanned manually.
NAV 'Auto Protect' *did* detect the malicious content when the embedded object was either saved or launched from within the document, but not before. If this lapse can be confirmed it seems rather dangerous, since it would appear to represent a simple method for transporting and storing malicious content in a NAV protected environment. In this case, this sort of thing would most likely be stopped at the email gateways if it was ever mailed, but a huge amount of data moves around our intranet through file sharing, FTP, HTTP and other means besides email.

To test this, do the following:

- Turn off NAV Auto Protect
- Obtain a copy of some malware or the EICAR test pattern file
- Open a new Word or Excel document
- Drag the malware from an Explorer window into the new document window
- If prompted, pick 'copy here'
- Close the document, right click on it, and select 'Scan with Norton AntiVirus'
- You should see 'No viruses found in this scan'
- Repeat the scan on the malware or pattern file
- You will probably see a notification that a virus has been detected and/or cleaned
- Close the document
- Re-enable NAV Auto Protect
- Launch the document again
- Norton should not warn of any infection
- If you attempt to save or launch the infected object, then Auto Protect should detect it and produce a warning

NAV 7.01 Corporate Edition exhibits the same problem. NAV 6.20.04 successfully detected the EICAR test string embedded in a Word 2000 document.

Solution:
The Anti-Virus Test Center at the University of Magdeburg, Germany, looked at the detection of Norton AV 7.0 and everything looks OK for your types of embedded files (XLS and EXE). However, it is correct that there are massive problems in some programs which cannot detect all embedded objects, etc. These guys have been testing these things for about one year now, and you can find the results on their web page, though still only as XLS sheets and DOC files (free of charge, of course), divided into client, server and groupware products.
They tested COM, DOC, EXE, PPT, VBS and XLS files embedded in DOC, PPT, RTF, SHS and XLS files for Office 97 (Standard) and 2000 ("Web file format", MSO). Their web site: http://www.av-test.org

Note that at least one report found NAV 7.01 vulnerable.
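The objects that the test steps above drag into a Word or Excel document are stored by Object Packager in an Ole10Native stream inside the file, which is the content a scanner has to look into rather than stopping at the enclosing document. The following is an added Python example, not code from the advisory, Symantec or AV-Test: it extracts the packaged file from such a stream and checks it against a signature table. The stream layout (field order taken from the oletools parser, with two 4-byte fields of unknown meaning skipped), the build_ole10native fixture and the sample blob are assumptions constructed for this example; the EICAR string stands in for a real signature set.

```python
import struct

# Layout of the "\x01Ole10Native" stream that Object Packager writes, as
# assumed here (field order follows the oletools parser): total size (4),
# flags (2), label (NUL-terminated), source path (NUL-terminated), 8 bytes of
# unknown meaning, temp path (NUL-terminated), data size (4), file data.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}   # stand-in for a real signature set


def _read_cstring(buf, pos):
    """Return the bytes before the next NUL and the position after it."""
    end = buf.index(b"\x00", pos)          # ValueError if no terminator
    return buf[pos:end], end + 1


def parse_ole10native(blob):
    """Split an Ole10Native stream into its header fields and the packaged file."""
    total_size, flags = struct.unpack_from("<IH", blob, 0)
    label, pos = _read_cstring(blob, 6)
    src_path, pos = _read_cstring(blob, pos)
    pos += 8                               # skip the two 4-byte unknown fields
    temp_path, pos = _read_cstring(blob, pos)
    (data_size,) = struct.unpack_from("<I", blob, pos)
    payload = blob[pos + 4:pos + 4 + data_size]
    if len(payload) != data_size:
        raise ValueError("truncated Ole10Native payload")
    return {"label": label.decode("latin-1"), "src_path": src_path.decode("latin-1"),
            "temp_path": temp_path.decode("latin-1"), "payload": payload}


def scan_embedded(blob):
    """Names of signatures found in the packaged file, not the enclosing document."""
    payload = parse_ole10native(blob)["payload"]
    return [name for name, sig in SIGNATURES.items() if sig in payload]


def build_ole10native(label, src_path, payload):
    """Constructed test fixture: pack a file the way the assumed layout expects."""
    body = (struct.pack("<H", 2) + label + b"\x00" + src_path + b"\x00"
            + b"\x00" * 8 + src_path + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    # Constructed sample: the EICAR test file dropped into a document via Object Packager.
    sample = build_ole10native(b"eicar.com", b"C:\\temp\\eicar.com", EICAR)
    obj = parse_ole10native(sample)
    print(obj["label"], len(obj["payload"]), "bytes ->", scan_embedded(sample))
```

In a real document the stream sits inside the OLE2 compound file (an ObjectPool storage in Word), so a reader such as olefile is needed to locate it before handing its bytes to parse_ole10native.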