Re: Norton AntiVirus 2004 Script Blocking Failure (Includes PoC and rant)

[<secure () symantec com>]

In-Reply-To: <416F7ABB.8070502 () myrealshoebox com>

Symantec is aware of this posting. Symantec engineers are reviewing this issue.  If it is validated we will respond 
accordingly.  

Symantec takes the security of our products seriously.  We are a responsible disclosure organization.  We would like to 
work directly with anyone who believes they have found a security issue in a Symantec product to validate the problem 
and coordinate a response.  

Please contact secure () symantec com concerning security issues with Symantec products.

Symantec Product Security
secure () symantec com

-----------------snip-------
> Date: Fri, 15 Oct 2004 03:22:35 -0400
> From: Daniel Milisic <dmilisic () myrealshoebox com>
> User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> To: full-disclosure () lists netsys com
> Cc: bugtraq () securityfocus com
> Subject: Norton AntiVirus 2004 Script Blocking Failure (Includes PoC and rant)
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
>
> Hi All,
>
> For the last couple of week's I've been hands-and-face into a project 
> that is based heavily on .HTA apps.  Basically, the VBScript embedded in 
> the HTA handles the front-end for some basic console-driven tools.  It 
> was also designed to be very simple as to work equally well under 
> 95+IE5.5 to Win2003.  Worked really nice... HOWEVER during the testing 
> phase on various platforms, I discovered my .HTA grinds to a halt on 
> machines running Norton AntiVirus 2004, thanks to the "Script Blocking" 
> feature.  A prompt or alert from the damn AV software was NOT something 
> I wanted my users to deal with.  So, I downloaded the TrialWare version 
> from Symantec to take a poke at whether or not I could work around it.
>
> Here's how that went...
>
> One 25MB Download and I was all set to start testing!  But wait, I 
> should LiveUpdate...
> LiveUpdate, 4MB -- REBOOT #1 (*mandatory* restart)
> LiveUpdate, 3MB -- REBOOT #2 (Prompt to restart with an option to continue)
> LiveUpdate, 1MB -- REBOOT #3 (Right now I am thinking oh you have got to 
> be <bleep>ing kidding me, THREE REBOOTS to get up-to-date AV installed!)
>
> Grisoft's AVG6, for comparison sake, is about 7MB in total I believe, 
> and requires a single reboot.  It doesn't have Script Blocking, but if 
> you're thoughtless enough to click on a .vbs e-mail attachment you 
> pretty much deserve what's coming to you ;)
>
> Once out of reboot hell, I fired up the NAV2004 console, an annoyingly 
> tacky HTA-ish type front-end with more bling-bling than functionality.  
> Over the last few years I've grown to really dislike NAV for this, and 
> not just because of the aesthetics.  On more than one occasion I'd see a 
> virus or spyware infected PC with NAV on it (user error not NAV's 
> fault); with the NAV console just a smoldering pile of script errors 
> after the malicious program hosed IE's rendering engine.  The NAV 
---------------snip------------------------