Vulnerability Development mailing list archives
RE: Norton antivirus fails to scan files
From: garberoa () WellsFargo COM
Date: Thu, 11 Jul 2002 11:31:27 -0700
Bone Machine, I realized that I failed to mention that possibility a short time after I sent my reply yesterday. If the ACL does not contain the SYSTEM account or any groups that SYSTEM is a member of then it will fail as well. So even without an explicit deny, the read operation would still fail. If you have a resource that only has ACEs for one principal to the exclusion of others, then it is essentially off-limits (barring any creative use of the backup files right or a little defrag api wizardry). If you decide to do something like add an explicit Full Control ACE for SYSTEM, I'd be interested in hearing whether it fixes the problem or not. Best Regards, Andrew Garberoglio, MCSE, CISSP Wells Fargo Services, Internet Technology Services "Let us prepare to grapple with the ineffable itself, and see if we may not eff it after all" -Douglas Adams -----Original Message----- From: BoneMachine [mailto:BoneMachine () sdf lonestar org] Sent: Thursday, July 11, 2002 10:55 AM To: garberoa () WellsFargo COM Cc: bonemach () sdf lonestar org; vuln-dev () securityfocus com Subject: Re: Norton antivirus fails to scan files Actually, I've removed all other users from the ACL that have no business to my files. So there are no explicit denies. NAV is started as system account as defined in control panel->services->startup I have not yet found the time to look at logs so I cannot that the read fail occurs. It would be a method for a virus to keep itself rrom being scanned though. greetings Bone Machine -- "Hey! been trying to meet you" - The Pixies -- On Wed, 10 Jul 2002 18:06:04 -0700 garberoa () WellsFargo COM wrote:
BoneMachine, What do you mean by "a file has no Administrator read privileges"? Is the principal/group simply not present in the ACL for the object, or is an explicit deny set? Also, are you referring to the local administrators group, or the local administrator account (RID 500)? It matters. If, for instance, you had NAV running as NT AUTHORITY\SYSTEM and it attempted to open the file (ACLed with "deny read" set for the Local Administrators group) for a read operation, it will fail. A glance at the group
membership
for NT AUTHORITY\SYSTEM on an NT 4.0 or Win2k box reveals why: [User] = "NT AUTHORITY\SYSTEM" S-1-5-18 [Group 1] = "BUILTIN\Administrators" S-1-5-32-544 [Group 2] = "Everyone" S-1-1-0 [Group 3] = "NT AUTHORITY\Authenticated Users" S-1-5-11 If an explicit deny is set for the local admins group (that NT AUTHORITY\SYSTEM) is a member of, then the operation will fail. See
attached
zip archive for neato-keen screen shots of the read fail in action. If
this
is the problem you are encountering, which I suspect it is, you should be seeing audit failures in the security log that confirm this (you are auditing, aren't you?). It's a common misconception that the NT AUTHORITY\SYSTEM account doesn't have to play by the same rules as any other account when it comes to accessing ACLed resources. You can set explicit deny ACLs for the SYSTEM account on just about anything (File System objects, registry keys, system objects... get used to looking at blue screens with white letters if you decide to be silly with this functionality). HTH, Andrew Garberoglio, MCSE, CISSP Wells Fargo Services, Internet Technology Services "Let us prepare to grapple with the ineffable itself, and see if we may
not
eff it after all" -Douglas Adams <<cant_scan_me.zip>> -----Original Message----- From: BoneMachine [mailto:bonemach () sdf lonestar org] Sent: Wednesday, July 10, 2002 4:47 AM To: vuln-dev () securityfocus com Subject: Norton antivirus fails to scan files I have a problem with NAV corporate edition 7.6. When a file has no Administrator read privileges assigned on a Windows 2000 or Windows NT
host,
NAV fails to scan the file for viruses. This is a bit odd because the NAV client runs with system privileges and according to my NT knowledge this should be enough to read those files. I've searched on the Symantec knowledge base and all I found was this: Error: "Application Log is Full" upon startup of Norton AntiVirus
Corporate
Edition
http://service1.symantec.com/SUPPORT/ent-security.nsf/552ba2f7636bedf0882568
18006f78bf/304b3eb399b43ab588256a780056e5d7? I have also used the webform to post this issue to symantec about two
months
ago, but I had no response Also it is not possible to use an other account than administrator as the 'scan' account. So it is impossible to protect documents from accidental access by removing administrator privileges from a file (yes, I know that administrators can add themselfs to the ACL of a file, but that does
require
an extra action thus excluding accidental access) My thoughts are that there are two vulnerabilities to this behavior of NAV 1. A virus can protect itself from being scanned by removing administrator read privileges from itself and its copies. 2. The administrator needs read privileges on all files, files therefore cannot be protected from accidental access by administrators. Does anyone have the same experience ? Does anyone know of a virus that uses this technique to hide ? greetings Bone Machine -- "Hey! been trying to meet you" - The Pixies --
Current thread:
- Norton antivirus fails to scan files BoneMachine (Jul 10)
- Re: Norton antivirus fails to scan files Remington Winters (Jul 10)
- <Possible follow-ups>
- Re: Norton antivirus fails to scan files Kenneth Duran (Jul 10)
- Re: Norton antivirus fails to scan files garberoa (Jul 10)
- Re: Norton antivirus fails to scan files BoneMachine (Jul 11)
- RE: Norton antivirus fails to scan files garberoa (Jul 11)