|Security Advisory ID SYMSA1003|
Initial Publication Date:
24 Jul 2001
SecuriTeam's advisory references two issues. The first issue is a weak password scheme used with NAV's Quarantine that could be brute force decrypted to bypass the password protection or bypassed completely by modifying the appropriate .dat file. The second issue is the Norton AntiVirus AutoProtect service can be deactivated.
DTD: 24 July, 2001
Norton AntiVirus 2002 Beta for Windows
Norton AntiVirus 2002 beta Quarantine Password encryption - When Norton AntiVirus finds a file it can't repair; it safely isolates the file in a quarantine area. Quarantine is a repository for files that have been infected by viruses. Inside Quarantine, viruses are unable to spread into other areas of your computer. Preventing viruses from spreading safeguards your computer from further damage.
This allows the user to update their virus protection in order to fix the problem completely or to delete the suspect file. Norton AntiVirus' Quarantine can be password protected by the user/administrator. This is an option a user/administrator can make not Norton AntiVirus. The options in Quarantine allow a user to disable or enable certain features of Quarantine. Quarantine provides a safe environment where a user can effectively deal with virus infections on a file-by-file basis. This approach lets the user both delete non-essential files and save files that are critical to your work. Once inside the Quarantine, an infected file can be cleaned (if possible) or deleted permanently. And, if the user wishes, they can restore the cleaned file to its original location.
The SecuriTeam Advisory demonstrates a method used to recover the simple encrypted password scheme applied by Norton AntiVirus Quarantine. Knowing the password, an unauthorized user could modify any of the options set in the Quarantine UI. Further, password protection can be bypassed if the unauthorized user modifies the QuarOpts.dat file as indicated in the SecuriTeam advisory.
The primary purpose of Norton AntiVirus 2002 beta Quarantine password is to prevent inadvertent or intentional unauthorized changes to selected options, it is not to provide strong application security. The available options on the quarantine UI do not change or modify any form of Norton AntiVirus protection nor do they hold any important data. If the password option is selected, the user/administrator should protect their password as an enhancement to physical and personal security policies and features.
Norton AntiVirus 2002 beta real time and on demand scanners cannot be disabled through changes to the registry. Norton AntiVirus customers are completely safe. If a software tool were created to access the registry and modify any keys that would affect Norton AntiVirus components, a definition would be created to detect and stop that tool just as it would stop a virus. Further, Script Blocking prevents the script developed to automate the disable of AutoProtect from executing on the targeted system.
Unauthorized access to the system registry presents security concerns for any program(s), which use the registry to persist data. Protection of your system includes restricting physical access to your system and to administrative privileges. Registry security and Access Controls, depending on OS, should not be ignored. ACLs should be reviewed and adjusted in accordance to administrator preferences. Using windows defaults settings can lead to an unsecured registry.
Symantec appreciates the support of Daniel Wischnewski and Beyond Security's SecuriTeam in identifying areas of concern so we can quickly address them
Beyond-Security's SecuriTeam.com Security Advisory, Norton AntiVirus 2002 Security Flaws, dtd: 17/7/2001, http://www.securiteam.com/windowsntfocus/5GP0C2A4UO.html as reported by Daniel Wischnewski.