RE: Norton AV 2002 rewriting SMTP, breaking TLS

["Russell Mann" <tech () khouse org>]

> Hi all
>
> Sending this to bugtraq at the suggestion of a collegue on an ISP
> mailing list
> in this neck of the woods.
>
> Norton Antivirus 2002 appears to be transparently intercepting and
> rewriting SMTP transactions from desktops on which it is installed.  In
> particular, it intercepts the "STARTTLS" command and returns a bogus
> "500 Unsupported command." response.  The STARTTLS command is never sent
> to the SMTP server, and the response is not generated by the SMTP
> server.
>
> This has the effect of breaking encrypted SMTP sessions.  Email
> clients will
> issue the "STARTTLS" command, recieve the bogus error from NAV,
> and usually
> abort the sending action with an obscure error message, the exact
> nature of
> which can generally only be revealed by enabling SMTP transaction
> logging in
> the mail client, or using a packet sniffer to watch the conversation.


I saw this behavior in Norton AV 2000.  After searching their web site, I
found the information saying that they just plain don't support SSL
encrypted email.  You have to pick, auto-scan AV, or encrypted session.
They say that NAV scans files as soon as they're written to disk, so your
email will be scanned right away, just not scanned on the way in.

-Russell