Subject: Re: Possible security issue in NAV2001 on Windows ME
From: Steve (steve SECURESOLUTIONS.ORG)
Date: Mon Oct 23 2000 - 12:06:31 CDT
- Next message: Paul L Schmehl: "Re: Possible security issue in NAV2001 on Windows ME"
- Previous message: Steve: "Avirt Mail 4.x DoS"
- Next in thread: Paul L Schmehl: "Re: Possible security issue in NAV2001 on Windows ME"
- Reply: Paul L Schmehl: "Re: Possible security issue in NAV2001 on Windows ME"
> Overview:
> If you place a virus or other known malware in the c:\_RESTORE folder
> (apparently default on Windows ME) Norton Antivirus will not scan that
> folder in a "full-system" scan. This seems to be Symantec's poor
> choice not to scan such files?
I seem to remember a thread about them not scanning the Recycled directory
as well. I am sure there are others.
> However if you manually scan C:\_RESTORE NAV will find
> the infected file but won't be able to delete, repair nor quarantine the
> file? This could lead a malicious user to drop files into the restore folder
> - there're a few obvious ways to exploit this. Eventually this can be tested
> by booting from a dos and copy a virus to c:\_RESTORE. The test will show
> that NAV2001 will indeed detect the virus but will be unable to do further.
When inside Windows ME, you are unable to copy/delete/move files into the
_RESTORE directory. I would be willing to bet a round of beers that there
is a registry key that controls this. So, you have to boot from a DOS boot
disk in order to gain access to the protected directory. Kind of kills the
chance of doing this remotely. Unless you managed to insert the copy
process into the boot sequence before Windows ME boots and then wait for the
user to reboot.
> This just might be an even bigger issue and could be Windows ME based and
> therefore leaving other AV-products vulnerable.
> Does anybody have further information regarding this possible security bug?
I think it is a Windows ME issue as it is the O/S that is protecting that
particular directory. Symantec probably does not scan that directory
because they know that they are unable to make changes to the directory if
required.
------------------------------------------------------------------------
Steve Manzuik Calgary, Alberta, Canada
Moderator - Win2K Security Advice (403)660-2997
Security Analyst - Bindview RAZOR Team
smanzuik razor.bindview.com
http://razor.bindview.com
* - The opinions expressed in this email are mine, and mine alone. They - *
* - do not reflect those of my employer or anyone else for that matter. - *
------------------------------------------------------------------------