Bugtraq mailing list archives
RE: Norton AV 2002 rewriting SMTP, breaking TLS
From: "Russell Mann" <tech () khouse org>
Date: Fri, 19 Jul 2002 10:00:05 -0700
Hi all Sending this to bugtraq at the suggestion of a collegue on an ISP mailing list in this neck of the woods. Norton Antivirus 2002 appears to be transparently intercepting and rewriting SMTP transactions from desktops on which it is installed. In particular, it intercepts the "STARTTLS" command and returns a bogus "500 Unsupported command." response. The STARTTLS command is never sent to the SMTP server, and the response is not generated by the SMTP server. This has the effect of breaking encrypted SMTP sessions. Email clients will issue the "STARTTLS" command, recieve the bogus error from NAV, and usually abort the sending action with an obscure error message, the exact nature of which can generally only be revealed by enabling SMTP transaction logging in the mail client, or using a packet sniffer to watch the conversation.
I saw this behavior in Norton AV 2000. After searching their web site, I found the information saying that they just plain don't support SSL encrypted email. You have to pick, auto-scan AV, or encrypted session. They say that NAV scans files as soon as they're written to disk, so your email will be scanned right away, just not scanned on the way in. -Russell
Current thread:
- Norton AV 2002 rewriting SMTP, breaking TLS Dale Clapperton (lists) (Jul 18)
- RE: Norton AV 2002 rewriting SMTP, breaking TLS Russell Mann (Jul 19)
- <Possible follow-ups>
- RE: Norton AV 2002 rewriting SMTP, breaking TLS Owen, Greg (Jul 19)
- Re: Norton AV 2002 rewriting SMTP, breaking TLS Adam Shostack (Jul 22)