From: Howard Marsh (Howard@GAWB.QLD.GOV.AU)
Date: Mon Jan 08 2001 - 01:30:13 CST

    I've just checked on the web and found no-one has responded to this issue
    yet. This surprised me so I thought I'd take the time to check out for
    myself what Michael has reported.

    I am running NAV 5.02.00 for NT Workstation with the latest virus update and
    I can confirm that it did NOT detect an embedded virus in a Word 2000
    document, even when I opened the document with Auto-Protect enabled. I was
    also able to save the document under a different name without any warning
    from NAV. If I had tried to activate the embedded file it would have been
    detected and I would have been protected but there is definitely a
    vulnerability there!

    I also emailed the document with the embedded file in it to my external
    address - Auto-protect identified and denied access to the virus file itself
    (it was in the same folder as the document) but NOT to the document in which
    the file had been embedded. The email was sent without any warning. I was
    unable to save the attachment from the Sent email, Auto-protect stepped in
    and prevented access, which saved me but wouldn't save the person I sent it
    to if they didn't have up-to-date antivirus protection.

    However, when I sent it internally, NAV for Exchange immediately quarantined
    the email and identified the virus. Some consolation I suppose.

    So, we're protected at the email gateway for any embedded viruses coming IN
    but we can send them out with no problem at all. We can pass around a file
    with an embedded virus and we won't get any notification, even if we open
    the document, until we try to open the embedded file. I guess you could say
    that NAV is doing its job but I'd far rather it found the embedded file
    before I tried to open it. We seem to be protected but it's a rather
    last-minute protection.

    Cutting it a little fine Symantec?!

    Regards,
    Howard Marsh
    Computer Consultant
    Network Administrator
    Mobile: +61 0416 280 649
    E-Mail: <mailto:hgmarsh@hwmc.com.au> or
    <mailto:administrator@gawb.qld.gov.au>

    -----Original Message-----
    From: Michael W. Shaffer [mailto:shaffer@LABS.AGILENT.COM]
    Sent: Friday, 22 December 2000 11:14
    To: win2ksecadvice@LISTSERV.NTSECURITY.NET
    Subject: NAV 5.0 and embedded files

    Product: Norton (Symantec) Antivirus
    Platform: Win32
    Versions: 5.0
    Problem: Files 'embedded' in Word and Excel documents appear to
                   evade scanning.

    I have noticed what appears to me to be a disturbing lapse in the
    scanning procedure of Norton Antivirus 5.0 Win32. I am looking for
    corroboration and confirmation or denial from anyone else who has
    noticed this or can reproduce it. I also apologize if this is a known
    issue (I could not find anything about it in the BUGTRAQ archives).

    We run multiple virus scanning systems at our site:

    - Trend Micro InterScan Virus Wall on SMTP gateways
    - NAV 5.0 on Windows workstations and file servers
    - Sophos antivirus on UNIX file and proxy servers

    While responding to a recent complaint of infection from a user here,
    I was told that the customer believed they had been infected with a
    copy of Win32 Fun Love contained in an 'embedded package' in an Excel
    spreadsheet that she had received from a co-worker. While investigating
    the complaint, the local Exchange administrator and I ran several tests
    including emailing and opening Word and Excel documents which had infected
    files embedded in them. We tested this with plain and password protected
    files with the infected files inserted by simple 'drag and drop' from
    Explorer as well as through 'Object Packager'. When we emailed the
    documents with infected embedded files, they were caught and deleted
    without exception by InterScan at the email gateways. I was somewhat
    surprised to find that InterScan even detected the infected content in
    *password protected* files. I remember reading that the security mechanism
    involved in the Excel password protection scheme is not particularly
    robust, but I did think that it involved at least a minimal encryption of
    the file which was protected. I am assuming that either the files are not
    actually encrypted, the embedded content is not encrypted, or (unlikely
    I think) that ISVW is actually cracking the files by brute force in order
    to scan them. Perhaps someone else knows more about this than I.

    In any event, the alarming thing was that NAV 5.0 failed to detect *any*
    of the infected embedded objects when the enclosing documents were
    either opened or scanned manually. NAV 'Auto Protect' *did* detect the
    malicious content when the embedded object was either saved or launched
    from within the document, but not before. If this lapse can be confirmed
    it seems rather dangerous since it would appear to represent a simple
    method for transporting and storing malicious content in a NAV protected
    environment. In our case, this sort of thing would most likely be stopped
    at the email gateways if it was ever mailed, but a huge amount of data
    moves around our intranet through file sharing, FTP, HTTP, and other means
    besides email.

    To test this, do the following:

    - Turn off NAV Auto Protect
    - Obtain a copy of some malware or the EICAR test pattern file
    - Open a new Word or Excel document
    - Drag the malware from an Explorer window into the new document window
    - If prompted, pick 'copy here'
    - Close the document, right click on it, and select 'Scan with Norton
      AntiVirus'
    - You should see 'No viruses found in this scan'
    - Repeat the scan on the malware or pattern file
    - You will probably see a notification that a virus has been detected
      and/or cleaned
    - Close the document
    - Re-enable NAV Auto Protect
    - Launch the document again
    - Norton should not warn of any infection
    - If you attempt to save or launch the infected object, then Auto Protect
      should detect it and produce a warning

    I have not tested this yet with NAV 7.0.

    --
    Michael W. Shaffer                     email: shaffer@labs.agilent.com
    Research Computing Services            phone: +1 650.485.2955
    Agilent Laboratories, Palo Alto        fax:   +1 650.485.5568
    ----------------------------------------------------------------------
    Public Key:         http://alcatraz.labs.agilent.com/shaffer/publickey
    ----------------------------------------------------------------------
    

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
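The gap both posters describe is a scanner that looks at the Word or Excel file as one blob instead of opening the OLE2 container it really is: a file dropped into a document through Object Packager is stored as a "\x01Ole10Native" stream inside that container, chained through sectors that need not be contiguous. The script below is an added example for this archive page, not code from either poster, from Symantec or from Trend Micro. Using only the Python standard library it walks the compound-file FAT and mini-FAT (MS-CFB), pulls out every Ole10Native stream, parses the Packager header in the field layout that oletools' oleobj documents (that layout is taken here as an assumption), and matches the embedded bytes against a signature table. The signature is a constructed placeholder (substitute the EICAR test string to repeat the thread's experiment), and the sample document is built by the script itself with its mini sectors stored back to front, so that a flat byte search over the file misses the marker while the chain walker finds it.

```python
import struct

ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Constructed placeholder signature; swap in the EICAR test string to repeat the thread's test.
MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE"
SIGNATURES = {MARKER: "Test.Marker"}


def _chain(table, start):
    """Follow a FAT or mini-FAT chain; stop at sentinels, out-of-range ids and loops."""
    seen, sid = [], start
    while sid < len(table) and sid not in seen:
        seen.append(sid)
        sid = table[sid]
    return seen


def read_cfb_streams(blob):
    """Return {name: bytes} for every stream (storages flattened; DIFAT beyond the header ignored)."""
    if blob[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    ssz, mssz = (1 << s for s in struct.unpack_from("<HH", blob, 30))
    n_fat, first_dir = struct.unpack_from("<II", blob, 44)
    cutoff, first_minifat = struct.unpack_from("<II", blob, 56)
    sector = lambda sid: blob[(sid + 1) * ssz:(sid + 2) * ssz]   # sector -1 is the header
    fat, minifat = [], []
    for sid in struct.unpack_from("<109I", blob, 76)[:n_fat]:
        fat.extend(struct.unpack(f"<{ssz // 4}I", sector(sid)))
    for sid in _chain(fat, first_minifat):
        minifat.extend(struct.unpack(f"<{ssz // 4}I", sector(sid)))
    dir_blob = b"".join(sector(s) for s in _chain(fat, first_dir))
    entries = [dir_blob[i:i + 128] for i in range(0, len(dir_blob), 128)]
    if not entries:
        raise ValueError("directory chain is empty")
    root_start, root_size = struct.unpack_from("<IQ", entries[0], 116)
    ministream = b"".join(sector(s) for s in _chain(fat, root_start))[:root_size]
    streams = {}
    for e in entries[1:]:
        name_len, otype = struct.unpack_from("<HB", e, 64)
        if otype != 2:                      # 2 = stream (1 storage, 5 root, 0 unused)
            continue
        name = e[:max(name_len - 2, 0)].decode("utf-16-le")
        start, size = struct.unpack_from("<IQ", e, 116)
        if size < cutoff:                   # small streams are chained through the mini stream
            data = b"".join(ministream[s * mssz:(s + 1) * mssz] for s in _chain(minifat, start))
        else:
            data = b"".join(sector(s) for s in _chain(fat, start))
        streams[name] = data[:size]
    return streams


def parse_ole10native(stream):
    """Split a \\x01Ole10Native stream into (label, original path, embedded bytes).
    Layout as documented by oletools' oleobj (assumed); the 4 bytes after the paths are opaque."""
    def cstr(pos):
        end = stream.index(b"\x00", pos)
        return stream[pos:end].decode("latin-1"), end + 1
    _total, _flags = struct.unpack_from("<IH", stream, 0)   # flags 2 = embedded file
    label, pos = cstr(6)
    src_path, pos = cstr(pos)
    pos += 4
    temp_len = struct.unpack_from("<I", stream, pos)[0]
    pos += 4 + temp_len                                     # temp path, length includes its NUL
    size = struct.unpack_from("<I", stream, pos)[0]
    return label, src_path, stream[pos + 4:pos + 4 + size]


def scan_document(blob):
    """Return [(label, signature name)] for every Packager payload that matches a signature."""
    hits = []
    for name, data in read_cfb_streams(blob).items():
        if name.endswith("Ole10Native"):
            label, _src, payload = parse_ole10native(data)
            hits += [(label, hit) for sig, hit in SIGNATURES.items() if sig in payload]
    return hits


# Constructed fixture: a minimal v3 compound file whose only stream is one Packager object.
def build_ole10native(payload, label="SETUP.EXE", src=r"C:\TEMP\SETUP.EXE"):
    path = src.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00" + path
            + b"\x00\x00\x03\x00" + struct.pack("<I", len(path)) + path
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def _direntry(name, otype, child, start, size):
    n = name.encode("utf-16-le") + b"\x00\x00"
    return (n.ljust(64, b"\x00") + struct.pack("<HBBIII", len(n), otype, 1, NOSTREAM, NOSTREAM, child)
            + bytes(36) + struct.pack("<IQ", start, size))


def build_sample_doc(payload):
    native = build_ole10native(payload)     # keep it under the 4096-byte mini stream cutoff
    chunks = [native[i:i + 64].ljust(64, b"\x00") for i in range(0, len(native), 64)]
    n = len(chunks)
    # Mini sectors are stored back to front, so the chain runs n-1 -> ... -> 0: a flat byte
    # search over the file sees the payload out of order; only a chain walker reassembles it.
    ministream = b"".join(reversed(chunks))
    n_ms = -(-len(ministream) // 512)
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + list(range(4, 3 + n_ms)) + [ENDOFCHAIN]
    table = lambda ids: struct.pack("<128I", *(ids + [FREESECT] * (128 - len(ids))))
    header = (MAGIC + bytes(16) + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 4096, 2, 1, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *[FREESECT] * 108))
    directory = (_direntry("Root Entry", 5, 1, 3, n * 64)
                 + _direntry("\x01Ole10Native", 2, NOSTREAM, n - 1, len(native))).ljust(512, b"\x00")
    return (header + table(fat) + directory + table([ENDOFCHAIN] + list(range(n - 1)))
            + ministream.ljust(n_ms * 512, b"\x00"))


PAYLOAD = b"MZ" + bytes(38) + MARKER + bytes(20)   # marker straddles a 64-byte mini sector boundary
```

Running scan_document(build_sample_doc(PAYLOAD)) returns [('SETUP.EXE', 'Test.Marker')] while MARKER in build_sample_doc(PAYLOAD) is False: the same bytes a gateway product sees by opening the container are invisible to a scanner that treats the document as a flat file. Point read_cfb_streams at a real .doc or .xls (open(path, "rb").read()) to list its streams; real documents also carry the embedded object's own storage and, for non-Packager objects, a "\x01Ole" stream instead, which this example does not parse.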
