Slashdot Mirror


Symantec Confirms AV Library Flaw, Promises Patch

the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned. The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. 'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh."

133 comments

  1. You know what this means - by mtrisk · · Score: 4, Funny

    Installing Symantec on your Mac makes it LESS secure than it was before.

    How ironic...

    --

    Without a proper flamewar, Anonymous was undecided on what shell to run.
    1. Re:You know what this means - by Anonymous Coward · · Score: 0

      This comes on top of the news that Symantec colluded with Sony to ensure that its DRM rootkits were left alone. Not a good year for Symantec -- incompetence and selling out your own customers to Sony.

    2. Re:You know what this means - by moro_666 · · Score: 3, Funny

      It's also pretty ironic that if you didn't have Symantec installed, you'd be safe from the virus in the rar archives.

      Getting your machine infected because you have an antivirus installed is definitely a new thing, way to go Symantec :)

      ps. why is there no (or where is it ?) opensource antivirus software for windows ? sure it would be heavy work to keep it up with all the viruses. but with some support from some foundations it would be a good thing.

      next thing coming along will be drm software that prevents drm from protecting the content.... sony's turn ....

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
    3. Re:You know what this means - by ozmanjusri · · Score: 5, Informative

      ps. why is there no (or where is it ?) opensource antivirus software for windows ?

      http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=opensource%20antivirus%20software%20for%20windows

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:You know what this means - by KiloByte · · Score: 3, Informative

      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      Why?

      Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall. This applies both to real Unix systems and to Windows. These days, most virus/worm/spyware install 10-20 "friends", each updated on a frame of several days. It's pretty hard to get all of these, considering that most anti-crapware software has a detection rate of 30% or less (not counting any _old_ pests).

      Thus, as parent said, AV actually makes your system less secure, provided you or your OS follow at least some basic security rules; it adds no security while creating new holes on its own. Also, performance lost to the scanner wasting your memory and CPU is not free, either.

      Of course, if you're unlucky enough to work in tech support for Windows machines, this analysis doesn't apply. But, if you can get the boxes locked down, don't even bother paying the AV protection racket.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:You know what this means - by Anonymous Coward · · Score: 1, Insightful

      Too bad clamwin is a piece of shit

      I've seen the task tray icon application, while doing nothing else but showing a small clamwin icon in the corner, use ~500MB of memory in just 1 day (only saw this once, usually it only goes to 50-150mb, which is still insane for just a damn icon, never mind the scanner which uses a ton itself and takes like 4 days to scan 80 gigs)

    6. Re:You know what this means - by Scarblac · · Score: 4, Funny

      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      Why?

      Once you get pwned, your system has been compromised. It's time for vetting any data, a thorough purge and reinstall.

      Gee, that sounds serious, and these viruses don't tell you that they've just installed themselves. What someone should make then is some sort of software that scans your system for viruses and warns you if your system has been compromised...

      --
      I believe posters are recognized by their sig. So I made one.
    7. Re:You know what this means - by S3D · · Score: 4, Informative

      Clam is not exactly for windows. Last time I've checked Win Clam was far behind Linux version. Free AVG seems a lot better for Windows, but not open sourced

    8. Re:You know what this means - by advocate_one · · Score: 0, Troll
      Gee, that sounds serious, and these viruses don't tell you that they've just installed themselves. What someone should make then is some sort of software that scans your system for viruses and warns you if your system has been compromised...

      what someone should make is a consumer grade operating system that's secure by design in the first place... ms-windows ISN'T...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    9. Re:You know what this means - by rapidweather · · Score: 1

      I try to keep Norton AV up to date on my XP box, but I know that eventually the system will get bogged down or fouled up somehow. I'm just going along with the game.
      Main user on this machine wants to use AOL, which supposedly has its own scanners. I get a popup in the tooltray that says AOL is doing a quick check (of something), even if I am not logged in AOL.
      Most of the time, I just run Kanotix or my own Knoppix remaster and forget about XP.
      It is a ripoff in that newbies are told the system is secure when it might not be.
      You know, with a new car, it either goes down the road or it don't. With XP/Norton, etc. on a pc who knows?

    10. Re:You know what this means - by CrazyJim1 · · Score: 1

      It's funny how many people think antivirus programs work. Someone's computer is compromised by a new virus, so it's up to me to check it out. But then my mom looks over my shoulder and says, "Just run Anti-Virus and fix it." I get shocked looks when I say antivirus only stops at best 1% of viruses out there, never gets any of the new viruses stopped, and is mainly out just to grab your money off you.

    11. Re:You know what this means - by KiloByte · · Score: 1

      antivirus only stops at best 1% of viruses out there

      Actually, it may stop even 50-80% of viruses.
      Old viruses, that is.

      But, do you care if it can stop a virus that was written 5 years ago? It's only virii from the last 15mins/hour/day/week or at most month that really matter.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    12. Re:You know what this means - by Anonymous Coward · · Score: 0

      "antivirus only stops at best 1% of viruses out there,"

      Proof, please?

    13. Re:You know what this means - by petermgreen · · Score: 1

      several reasons

      1: avg is free to use for home users (and small businesses can probably get away with using it too even though they aren't supposed to)

      2: most large corps probably already have an antivirus contract.

      so the only demand would be from users who run windows but don't want to use any other closed source software.

      also afaict getting good detection rates across a wide range of virus types is hard, as is hooking into windows to do realtime scanning. clam seems to mainly be used as a mailscanner; is its virus db really any good for other types of virus?

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    14. Re:You know what this means - by CastrTroy · · Score: 1

      Clam AV is nice, everyone has already mentioned it. The problem is that it doesn't have active virus scanning, only passive. You have to tell it to scan the files, it doesn't scan every program you try to start. This has pluses and minuses. + is it doesn't slow your computer down. - is that you have to take the initiative to scan files yourself. This isn't so much of a problem in Linux, where you have to mark a file as executable before actually executing it, but in Windows, all the file needs is to have the proper extension. If you accidentally double click, or even worse, have single click execution enabled, and click the left button instead of the right button, then you could run a virus, quite easily by accident.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    15. Re:You know what this means - by Anonymous Coward · · Score: 0
      But, do you care if it can stop a virus that was written 5 years ago? It's only virii from the last 15mins/hour/day/week or at most month that really matter.

      I call bullshit here. Of course 5 years old virus matter, if they are still vital and in circulation! You don't want to be owned, no matter by what.

    16. Re:You know what this means - by thebes · · Score: 3, Insightful

      And the 14 year old speaks! Wow, I was just waiting for that. So, tell me, when was the last time you designed and built an operating system?

    17. Re:You know what this means - by Anonymous Coward · · Score: 0

      It is secure by design, implementation and default settings on the other hand...

    18. Re:You know what this means - by advocate_one · · Score: 2, Interesting
      actually, considering I cut my programming teeth way back in the early 70's and had to punch my programmes in on good old fashioned punched cards... built my first personal computer the hard way by having to solder EVERY connection, and had to code it by typing in the raw op codes, I think I'm ably qualified to tell you young whippersnappers, especially those inexperienced whippersnappers that Microsoft insists on using, where things are wrong...

      oh by the way, they have to pay me to use ms-windows... I use and code on Linux by personal choice. My daughters and my grandchildren also prefer Linux

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    19. Re:You know what this means - by thebes · · Score: 0, Troll

      And how many other people call it ms-windows? And grandpa, when are you going to tell us the story of how you had to pedal a generator bike so you could punch away at cards for an hour a day, huh? Tell us more bullshit, I meant stories!

    20. Re:You know what this means - by 99BottlesOfBeerInMyF · · Score: 1

      Actually, anti-virus software is nothing but snake oil and a money grab these days.

      I guess that depends upon what you mean by "anti-virus." Server-side scanning is very useful, especially for e-mail servers and the like. Also, IDSs that include an AV component can be quite useful, discovering even zero-day worms on a network and shutting them down, while making a list of compromised machines. Client-side systems are less useful, I'll agree, but they do have their place in cleaning up old infections that are known about.

    21. Re:You know what this means - by grayNOISEeffect · · Score: 1
      "why is there no (or where is it ?) opensource antivirus software for windows ?"
      Well, because viruses are open source! And that would totally defeat their purpose! :P That would be like Symantec creating their own viruses to be detected only by their software! That would *never* happen!
    22. Re:You know what this means - by Low2000 · · Score: 1

      You're right in that once a system is pwned, it's very difficult to clean it without a reinstall of the OS... ... But think about it for a minute. What if you could, say, BLOCK the virus from ever being installed in the first place? System not pwned, anti virus did its job.

    23. Re:You know what this means - by Cromac · · Score: 1

      AVG is good, but they started blocking it on Win 2003. If you want a free AV package for Win 2003 you have to look elsewhere, Avast seems like a good alternative.

    24. Re:You know what this means - by Oztun · · Score: 1

      Getting viruses and spyware does not call for a complete reinstall unless you can do it or have someone who can. I work for a large PC in home repair company and I do over 10 virus and spyware cleanups a week. Very rarely do I ever have to reinstall systems. To clean viruses I charge $85-$127.50 depending on how long it takes ($85 an hour). A reinstall and getting all apps reinstalled and working usually starts at 3 hours or $255.

      I agree with you for people like me and you who can reinstall our machines and don't get viruses. But for my customers with kids who usually have 5 viruses and over 100 spyware apps installed each cleanup, it doesn't make sense. They are just going to reinfect themselves and need protection.

      The real problem is Norton and McAfee are crap. They are bloated and get easily corrupted. Very often someone's machine is locking up or running super slow and just a reinstall of Norton fixes it. For my customers who don't surf the web other than a couple of sites and email I tell them don't use it.

    25. Re:You know what this means - by Anonymous Coward · · Score: 0

      If you've been around computers so long, what took you so long to get a slashdot ID?

    26. Re:You know what this means - by Anarke_Incarnate · · Score: 1

      He can't give it to you right now. It got stuck as he tried to pull it out of his ass

    27. Re:You know what this means - by CFrankBernard · · Score: 1

      But it's easy to install ClamAV on Windows. Cygwin will be installed and configured. I recommend configuring \clamav-devel\thirdparty\runclamd so it runs as a Windows service.

      http://www.clamav.net/

    28. Re:You know what this means - by blueskies · · Score: 1

      Wait, so are you suggesting that Windows was designed with security in mind? Please.

      Even most MS apologists admit that it was not designed with security in mind. And the other thing that you don't get is that it is OK. It was a business decision made by MS and it made them very wealthy. When the market demands a secure OS in such a way that MS's fortune is tied to it, they will deliver it. Why would they offer it if they aren't going to be rewarded for it? But don't act like they already have an OS designed with security in mind.

    29. Re:You know what this means - by laffer1 · · Score: 1

      There isn't such a thing as a secure operating system. Windows is sometimes worse off than others, but both Windows and Linux distros suffer from the same disease. You see, bundling a bunch of crap in an OS causes it to be insecure. In the case of Windows, IE and Outlook Express seem to be big culprits. In the case of Linux, people running Redhat 9 without upgrading their browser, gnome, etc. Install Redhat Enterprise Linux and then count the number of rpm's you need to install from their update service in 1 month. Compare that to Microsoft and Apple. You'll notice that they are about the same! Why? Because all three companies have security holes and also release newer versions of existing features through their update service. Apple and Microsoft are smart enough to bundle several patches in 1 bundle to hide the numbers now. For example, most Apple patches actually include at least 5 apps or libraries that get updated. Most commonly you see openssl, openssh, apache, and samba updates. That would affect many Linux distros as well.

      In Microsoft's defense, at least they don't bundle a webserver in the home edition of their product anymore. Lamers don't need webservers on their machines.

      It's great that you use Linux, but don't think that you are blindly secure now. It doesn't work that way. The only thing non-Windows users avoid is spyware and viruses, and then it's only volume of them. If Linux or Mac OS really take off, they will be attacked too.

      On a side note, if your experience is from the 70s on.. why the hell aren't you using a bsd or system v unix derivative? Hell, I was born in the 70s and I have bsd and solaris boxes here.

    30. Re:You know what this means - by Anonymous Coward · · Score: 0

      Winpooch + ClamWin works better than AVG free for me, I now recommend it to clients who don't want to pay for anti-virus.

      http://winpooch.sf.net/

    31. Re:You know what this means - by Anonymous Coward · · Score: 1, Insightful
      actually, considering I cut my programming teeth way back in the early 70's and had to punch my programmes in on good old fashioned punched cards... built my first personal computer the hard way by having to solder EVERY connection, and had to code it by typing in the raw op codes, I think I'm ably qualified to tell you young whippersnappers, especially those inexperienced whippersnappers that Microsoft insists on using, where things are wrong...

      Ah yes, the "I've been using computers for 100 years so I know all about computers TODAY" argument. When I did tech support people like you were the absolute worst customers because they think they know everything and actually know jack shit about modern operating systems.

      Why would you think that using punch cards and a soldering iron gives you any insight at all into how Windows works? Great leaps of logic there old timer, you might want to look into getting checked for Alzheimers.

  2. Why confess? by Jotii · · Score: 4, Interesting

    Why did Symantec verify officially that this bug was present before fixing it? Now, evil RAR packages will probably be much more wide-spread than before.

    --
    [sig]
    1. Re:Why confess? by wasudeo · · Score: 5, Informative

      FTA,

      Symantec didn't confess of their own accord. This vulnerability was publicised by a "security researcher" called Alex Wheeler.

    2. Re:Why confess? by ulysees · · Score: 1

      Which is better, being blissfully ignorant of a problem or being warned and given the information to negate it ?

      --
      The nice thing about standards is that there are so many of them to choose from. -- Andrew S. Tanenbaum
    3. Re:Why confess? by jazman · · Score: 1

      Probably because people have just started seeing messages like (can't remember the exact wording from when it happened this morning) "Microsoft Run Time Library - A buffer overflow has just occurred and this program must now be terminated".

      Bit difficult to hide when the MS RTL shops you very publicly.

    4. Re:Why confess? by Cally · · Score: 1

      Yeah, Alex Wheeler, the security researcher, that's right. What's with the quotation marks?

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    5. Re:Why confess? by deanj · · Score: 1

      Some "people" don't "use" "quotation" marks "correctly".

      That always "drives" me nuts.

    6. Re:Why confess? by slowbad · · Score: 1
      Why did Symantec verify officially that this bug was present before fixing it?
      And with it already being Christmas Eve in India, who's going to fix it quick?

      --
      Open that little WinTel laptop from Dell
      under the Christmas tree on December 25th
      and it is out-of-the-box safe and secure!

  3. That's what you get for by letdinosaursdie · · Score: 5, Insightful

    The Microsoft solution to the Microsoft solution to the Microsoft solution to the Microsoft solution to the...

  4. so... by manojar · · Score: 1, Redundant

    so, no product is secure enough or free from such bugs!

  5. Inherent problems with AV software by wombatmobile · · Score: 0, Redundant

    Windows AV software is inherently problematic because it has to use undocumented, unarchitected means to gain access to the OS to do it job.

    This current vulnerability is only the most obvious type of risk with using AV software. More troublesome, and the reason we don't use AV software, is when the AV software itself breaks, the OS can also be affected. And when the AV software is broken and won't uninstall, the only alternative left is to reformat Windows and start again.

    No thanks, AV software!

    1. Re:Inherent problems with AV software by MichaelSmith · · Score: 4, Insightful
      No thanks, AV software!

      The exploit you really have to look out for is the one I send to you to get a specific bit of information off your system, which sends the info to a maildrop and then deletes itself without ever calling attention to itself.

      The viruses which propagate all over the place and get their footprints into antivirus databases are jokes, really.

    2. Re:Inherent problems with AV software by Zog+The+Undeniable · · Score: 2, Insightful

      I agree. Your best defence on the Internet is a hardware firewall router and a well-developed bullshit detector. Doesn't slow your computer down.

      --
      When I am king, you will be first against the wall.
    3. Re:Inherent problems with AV software by Anonymous Coward · · Score: 0

      AV software doesn't have to use undocumented features, they use a File System Filter. And the part about "Formatting Windows" only make it sound like you're incompetent.

    4. Re:Inherent problems with AV software by MichaelSmith · · Score: 3, Interesting
      Your best defence on the Internet is a hardware firewall router

      If you have windows clients your internet gateway (web proxy, email server) needs to be aware of the sort of content which can impact the clients.

      I lost a job supplying a linux router to a company with windows clients because the linux box just couldn't adequately protect the workstations.

      It's not fair, but what is?

    5. Re:Inherent problems with AV software by drsmithy · · Score: 1
      Windows AV software is inherently problematic because it has to use undocumented, unarchitected means to gain access to the OS to do it job.

      It does ?

    6. Re:Inherent problems with AV software by sosume · · Score: 1

      Quote:
      Windows AV software is inherently problematic because it has to use undocumented, unarchitected means to gain access to the OS to do it job.

      From TFA:

      The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh.

      Hmmm read first then reply ;)

    7. Re:Inherent problems with AV software by wombatmobile · · Score: 3, Funny

      And the part about "Formatting Windows" only make it sound like you're incompetent.

      Give me a break, please. I just swapped over from CP/M.

    8. Re:Inherent problems with AV software by advocate_one · · Score: 2, Informative

      so the best defence is to hide behind a hardware firewall router then... what's running on that firewall router??? bet you anything it's most likely Linux...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    9. Re:Inherent problems with AV software by Zog+The+Undeniable · · Score: 1

      I confess I don't know. It's a Netgear DG834.

      --
      When I am king, you will be first against the wall.
    10. Re:Inherent problems with AV software by AIX-Hood · · Score: 1

      Yeah, this is where MS ISA server comes in. It's working rather well for us. http://www.microsoft.com/isaserver/default.mspx

    11. Re:Inherent problems with AV software by Anonymous Coward · · Score: 0

      er no. It uses the APIs available from MS. It used to cost $1000 to get them, but they are available

  6. Morons by Anonymous Coward · · Score: 4, Insightful
    The Windows world's most widely deployed AV solution uses MSHtml to render its GUI, that doesn't exactly inspire faith in symantec products. Security products should do one thing well, the very concept of the all encompassing consumer 'security' application suite is flawed and yet almost every Windows desktop security product has additional 'features'.

    Computer security is not available in click-wrapped form, it's about time that companies stopped marketing software as some cure-all for lack of user education.

    1. Re:Morons by I'm+Don+Giovanni · · Score: 1

      The Windows world's most widely deployed AV solution uses MSHtml to render its GUI, that doesn't exactly inspire faith in symantec products.

      Why not? Do you think Symantec is going to generate malware HTML to exploit a hole in IE? Get real. Symantec is in total control of the HTML that they generate for display by MSHtml.

      --
      -- "I never gave these stories much credence." - HAL 9000
    2. Re:Morons by Anonymous Coward · · Score: 0

      except for the fact that a trojan BHO or add-on will load when they use mshtml.dll (or whatever its called) which can then be used to easily break norton

    3. Re:Morons by jrockway · · Score: 1

      What if a virus creates a file on the filesystem called ``Get an update''? If that's passed directly into an HTML viewer, then the user will see that he needs to get an update -- only to be infected with a virus.

      Not that that's MSHTML's fault -- it would be Symantec (or whoever) for not writing good code. However, you should make it easy for yourself to write secure code, not hard. If it's easy, you have a better chance of getting it right.

      --
      My other car is first.
    4. Re:Morons by jayloden · · Score: 2, Insightful

      Tell me about it. No more ability to scan in Safe Mode, no ability to run at all if the IE security settings are jacked up, and if mshtml is exploited, then Symantec's products are screwed.

      Whose brilliant idea was it to make an HTML GUI for a *security* product using libraries from the system that are easily compromised by unrelated events (IE security levels)?

      Right around the time they started with that was when I stopped recommending their products and started recommending AntiVir.

  7. Symantec lost it a long time ago by Anonymous Coward · · Score: 2, Interesting

    Our info security dept have advised us NOT to use Symantec AV products on our home PCs because, in their experience, they just don't work very well against a lot of the current crop of malware. You might as well use AVG and save the money. Norton AV also gets deep into a PC and is difficult to uninstall cleanly.

  8. Mhmm. by Anonymous Coward · · Score: 0

    It's been out in the public scene for about three days now, which in all likelihood means that it's been available in closed groups for about two weeks to one month. Especially since it's a handy trojan exploit for zombie worms.

  9. like it wasn't bad enough before by phntm · · Score: 5, Interesting

    I'm a netadmin on an irc network and I've seen many zombie botnets, most of them are running "up-to-date" symantec antivirus products and feel safe while behind their backs their systems keep ddosing and hogging bandwidth.
    symantec doesn't make me feel safe for sure.

  10. Avast by DavidHOzAu · · Score: 3, Informative

    http://www.avast.com/ Just one more reason to stick with the free (as in beer) stuff.

    1. Re:Avast by fruity_pebbles · · Score: 1

      I like Avast!, and it has the coolest name of any AV software.

  11. As day follows night by FishandChips · · Score: 1

    Any flaw like this is going to catch some people eventually, because they won't have updated their software for whatever reason. So that's bad news. The good news is that at least Symantec have acknowledged the problem and are taking steps to deal with it, rather than trying to hide things.

    None of this is going to make me like Symantec and its dog-slow products, but it hardly seems that big a deal. If say an open-source outfit like clamav had announced a bug it would hardly merit headlines. Going with Windows means closed source all the way down the line and that's a case of like it, lump it or jump ship. It would be fairly surprising if there weren't quite a few bugs in all the Windows "security" products - that amounts to a lot of code by now. Still, they are being tackled

    --
    Las qué passoun
    tournoun pas maï
    1. Re:As day follows night by JSmooth · · Score: 1

      Anyone currently using Norton is most likely receiving weekly or daily updates. How many companies do you know who try to update their AV software more than once a day? I work in many corporate and enterprise networks where they are pulling updates directly from Symantec's FTP server instead of waiting for LU in the hopes of avoiding the next big attack.

      With that in mind, how hard will it be for Symantec to release a fix?

      Any one who is not pulling updates at least weekly is completely vulnerable to a host of viruses that will make a "potential" exploit meaningless. Why write new code when I can infect an out of date system with slammer or zotob?

      Say what you will but Symantec has perfected the inline automated update mechanism better than anyone.

  12. buffer overflow in unrar? by wolf550e · · Score: 5, Interesting

    Does anyone know if Symantec wrote their own unrar library that is insecure or have they used Roshal's free code which was probably known to be insecure and someone just discovered they didn't bother to fix it before including in their products?

    1. Re:buffer overflow in unrar? by MrKevvy · · Score: 2, Informative

      They appear to have written their own rather than using free RAR code, and I say this because they had a bug in previous incarnations of DEC2RAR.DLL (up to version 3.2.12.11) that I spent much effort trying to get them to fix almost exactly one year ago. It could not understand RAR archives, both standard and self-extracting, created by RAR versions 1.5x. The process and thus the antivirus would crash when trying to unpack them without any error being displayed or logged. This didn't affect Corporate Edition. In Dec. 2004 they released a LiveUpdate which updated DEC2RAR.DLL from 3.2.12.11 to 3.2.12.45

      So perhaps this is all my fault. :^) However, the affected version of the DLL is 3.2.14.3, and the one that they updated to was 3.2.12.45, which is still current on my NAV2005.

      --
      -- Insert witty one-liner here. --
  13. Re:Who gives a shit by TorKlingberg · · Score: 2, Informative

    Are you serious? RAR is a compression file format. There is nothing illegal about it. And this could just as well have happened with any file format.

    Also, I don't think you will be so happy when you get an infected RAR file in email, and Symantec AV decides it'd better scan the attachment before you even read the email.

  14. What a coincidence! by Anonymous Coward · · Score: 0

    What a coincidence? Someone just warned me about opening these files in my mail.

    Meanwhile this will do
    http://www.enertainmentmagazine.com/

  15. Tell uniformed users what AV can & can't do by Quirk · · Score: 4, Insightful
    I stopped using Symantec Products when I moved on from Windows 98 as a multimedia/game/web OS. Symantec products burrowed too deep into the OS, were impossible to elegantly uninstall, and, the Norton Tool set really wasn't as necessary as it once was.

    I figured Peter had unfolded his arms, dressed in a dinner jacket, and, gone out to celebrate having become one of the nouveau riche.

    My biggest beef is not with the AV makers, but, rather, with the retail sales people who sell AV software and tell unknowledgeable buyers that their system is now protected against all malware, because, superduper AV ware scans everything before you use it and ensures no malware can execute.

    I try to explain to people that AV is a lot like a flu shot. It's good enough to give you some protection from the bugs we know are out there but is ineffective against the new, bad stuff coming down the pike.

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
    1. Re:Tell uniformed users what AV can & can't do by Anonymous Coward · · Score: 0

      I figured Peter had unfolded his arms, dressed in a dinner jacket, and, gone out to celebrate having become one of the nouveau riche.

      Peter Norton created wonderful software utilities. The Norton name had earned the respect of sysadmins everywhere for high-quality, well written software.

      Long ago, the company was sold to Symantec. There is no relation between Peter Norton and Symantec's products that carry the Norton name, and there hasn't been for years.

    2. Re:Tell uniformed users what AV can & can't do by WryCoder · · Score: 1

      If you think it's hard to uninstall Symantec, you should try uninstalling the stuff that McAfee sells.

    3. Re:Tell uniformed users what AV can & can't do by jp10558 · · Score: 1

      Well, how about heuristics - has anyone tested them in various AV programs? I know that NOD32 is supposed to have very effective heuristics. And what about plain old frequent updates, like KAV? I mean, 8 or more updates a day means you're never really 0d, and might get 0hr...

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
  16. Wait wait wait... by Spazholio · · Score: 4, Funny

    Fuck this "buffer overflow" crap. You mean to tell me RAR actually stands for something?

    1. Re:Wait wait wait... by Anonymous Coward · · Score: 0

      I always thought it meant 'rarchive'

    2. Re:Wait wait wait... by Anonymous Coward · · Score: 0
  17. only version 10.x of Corporate Edition ... by Anonymous Coward · · Score: 4, Insightful

    So according to the Symantec advisory the vulnerability is only present in version 10.x of the Corporate Edition. And there I was, thinking it was about time to upgrade from 8.1 that we're running at work ... not anymore!

    1. Re:only version 10.x of Corporate Edition ... by Anonymous Coward · · Score: 0

      It's called Trend Micro OfficeScan Corporate Edition 7.0.

    2. Re:only version 10.x of Corporate Edition ... by loraksus · · Score: 1

      Don't. 10 is shit - especially if you run slower computers. The resident scanner is a memory pig and slows machines down significantly. Also, if you have win2k boxes with office 2k, it breaks the install and constantly wants the users to insert the installation medium.
      We had a ball of fun upgrading to 10.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  18. Free AVG by earthstar · · Score: 1

    In this scenario, how reliable is AVG Antivirus from Grisoft? I've heard it's good?
    Can it be used as an alternative to Symantec?

    1. Re:Free AVG by Barny · · Score: 1

      Not at all, Trend Micro/McAfee/Kaspersky are the only real choices for windows boxes, pick the one you like/are a fan of :)

      --
      ...
      /me sighs
    2. Re:Free AVG by PTS+Tech · · Score: 0

      I switched to AVG exclusively on my machines at home; less footprint, less resources used. I feel about as safe as anyone can these days...

    3. Re:Free AVG by Anonymous Coward · · Score: 0

      I will concur, running AVG Free / Spybot S&D Free / ZoneAlarm Free for over 1.5 years and virus free!

    4. Re:Free AVG by jftitan · · Score: 1

      Although I don't agree with your opinion about AVG, I do agree to all your alternative solutions you mentioned. I've been using all 4 (at the same time mind you....) and I have never received an email with a virus attached that I've opened and gotten a virus with all those installed.

          Now the getcha point is when I send email, everyone else tells me I'm sending viruses. Sheesh when will people learn, that what I send them is crap anyways.

      Ok, the real reply. I do like your list of alternatives, and I seriously would add AVG to the list, AVG works great, and I recommend it to all my customers. Although I do carry a copy of each of the other, I just find AVG simpler for the average home user.

      --
      "Don't Forget to Salt the Fries"
    5. Re:Free AVG by jftitan · · Score: 1

      Since you posted this list...

        I run, AVG Free, MSAntiSpyware (I know, I know...), Sygate firewall FREE, and use logical email attachment & downloading guidelines. I have been virus free for over 4 years straight.

      Now if only Maxtor & Hitachi HDDs didn't like to belly up on me on a yearly basis.

      --
      "Don't Forget to Salt the Fries"
    6. Re:Free AVG by Barny · · Score: 1

      A good indicator of the current standing of AV products (and it rings true from personal cleanup of around 10 virus infected machines a week, most of which have anti virus solutions installed) is http://overclockers.com/articles1260/

      Interesting thing of note, Trend Micro's online "housecall" virus scanner is now a fully java implemented scanner AND remover of viruses and adware. Finally a cross platform FREE quick scan that will find 99 out of 100 new virus infections :)

      Also, are you referring to AVG "free" or their AVG pro? second product isn't that bad, but the free one, avoid it like the plague, the default scans it performs don't scan deep into compressed files and it doesn't have good configurable updating (the key to most antivirus packs, of course, being regular updates).

      Not had a chance to play with Kaspersky personally, know a few peeps who use it, and love it.

      I myself run a good router/firewall host and don't use ANY anti virus suites, instead relying on trend online to scan incoming folders when I need it to, email defence done by yahoo! and half a brain about what to download/run/open.

      Virus free using this method for over 3 years now, and counting :)

      --
      ...
      /me sighs
  19. Unnecessary detailed info by earthstar · · Score: 1
    "To date, Symantec has not had any reports of related exploits of this vulnerability."

    Then why give all this:
    "An attacker may craft a sub-block header to overwrite heap memory with user controlled file data to execute arbitrary code. Successful attack will yield system/root-level privileges and is available through e-mail without user interaction," he explained.


    Thankfully,
    To mitigate the risk before patches are ready, Symantec has posted an AntiVirus based protection signature to LiveUpdate to provide "heuristic detection" for potential exploits.

    Solution (FTA) :Wheeler recommends that users disable the scanning of RAR compressed files, including RAR self-extracting files.
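
The bug class quoted in the comment above (a length field in an archive sub-block header driving a copy into heap memory), as an added C example that is not from the thread or from Symantec's code. The sub-block layout, the function names and the 64-byte capacity are constructed for illustration and are not the real RAR format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sub-block layout for illustration (not the real RAR format):
 *   offset 0: 1 byte  type
 *   offset 1: 4 bytes data length, little-endian, taken from the file
 *   offset 5: data bytes
 */
#define SUB_HDR_LEN  5u
#define SUB_MAX_DATA 64u  /* capacity of the scanner's destination buffer */

enum sub_status { SUB_OK, SUB_TRUNCATED_HDR, SUB_TOO_LARGE, SUB_TRUNCATED_DATA };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe pattern, shown for contrast and never called here: the copy size
 * comes straight from the file, so a large declared length writes past the
 * end of `out` with file-controlled bytes. */
void sub_copy_unchecked(const uint8_t *in, uint8_t *out)
{
    uint32_t declared = read_le32(in + 1);
    memcpy(out, in + SUB_HDR_LEN, declared);
}

/* Hardened form: the declared length is validated against the destination
 * capacity and against the bytes actually present before any copy. */
enum sub_status sub_copy_checked(const uint8_t *in, size_t in_len,
                                 uint8_t *out, size_t out_cap, size_t *copied)
{
    *copied = 0;
    if (in_len < SUB_HDR_LEN)
        return SUB_TRUNCATED_HDR;          /* header itself is incomplete */

    uint32_t declared = read_le32(in + 1);
    if (declared > out_cap)
        return SUB_TOO_LARGE;              /* would overflow the destination */
    if (declared > in_len - SUB_HDR_LEN)   /* safe: in_len >= SUB_HDR_LEN */
        return SUB_TRUNCATED_DATA;         /* would read past the input */

    memcpy(out, in + SUB_HDR_LEN, declared);
    *copied = declared;
    return SUB_OK;
}

/* Constructed sample inputs (not taken from any real archive). */
static const uint8_t SAMPLE_VALID[]     = {0x7a, 4, 0, 0, 0, 'D', 'A', 'T', 'A'};
static const uint8_t SAMPLE_HUGE_LEN[]  = {0x7a, 0xff, 0xff, 0xff, 0xff, 'D', 'A', 'T', 'A'};
static const uint8_t SAMPLE_SHORT_DAT[] = {0x7a, 32, 0, 0, 0, 'D', 'A', 'T', 'A'};
static const uint8_t SAMPLE_SHORT_HDR[] = {0x7a, 4, 0};

struct sample { const uint8_t *bytes; size_t len; };
static const struct sample SAMPLES[] = {
    {SAMPLE_VALID,     sizeof SAMPLE_VALID},
    {SAMPLE_HUGE_LEN,  sizeof SAMPLE_HUGE_LEN},
    {SAMPLE_SHORT_DAT, sizeof SAMPLE_SHORT_DAT},
    {SAMPLE_SHORT_HDR, sizeof SAMPLE_SHORT_HDR},
};
#define SAMPLE_COUNT 4

static enum sub_status run_sample(int i, size_t *copied)
{
    uint8_t out[SUB_MAX_DATA];
    return sub_copy_checked(SAMPLES[i].bytes, SAMPLES[i].len,
                            out, sizeof out, copied);
}

/* Status returned by the checked parser for sample i. */
int sample_status(int i)
{
    size_t n;
    return (int)run_sample(i, &n);
}

/* Number of bytes the checked parser copied for sample i. */
size_t sample_copied(int i)
{
    size_t n;
    run_sample(i, &n);
    return n;
}

int main(void)
{
    for (int i = 0; i < SAMPLE_COUNT; i++)
        printf("sample %d: status=%d copied=%zu\n",
               i, sample_status(i), sample_copied(i));
    return 0;
}
```
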

  20. What happend to Symantec? by walterbyrd · · Score: 1

    Why does symantec suck so bad these days? I used to use Norton Utilities with MS-DOS, before windows 3.0 came out. I thought NU was great. I've been buying symantec systems works every year, except 2005. It started to suck too much. Now, I don't even use systemworks 2004, I prefer 2003.

    I haven't seen squat for innovation in years. It is as if they don't put any effort into it. It's just the same old product re-hashed, only it sucks worse.

    Maybe symantec is just putting all of their effort into the enterprise sector?

    1. Re:What happend to Symantec? by Anonymous Coward · · Score: 1, Informative
      Why does symantec suck so bad these days?

      Hmm, good question. Let's see what else you said:

      I haven't seen squat for innovation in years. It is as if they don't put any effort into it. It's just the same old product re-hashed, only it sucks worse.

      Wow, sounds bad. Why wouldn't Symantec improve their product? Oh, wait, you also said:

      I've been buying symantec systems works every year

      Ah, I think you just answered your own question...

  21. Return of.. by Egregius · · Score: 2, Interesting

    Return of the viruses that activate when scanned over. Last time this happened was in..what? The eighties? I always wondered how it was possible for code to become active when scanned over, but now that I do, I really have to frown at this.

    1. Re:Return of.. by Anonymous Coward · · Score: 0

      Yupp, or maybe it was early nineties. I seem to remember Thunderbyte getting hit by a sploit that did something along these lines. The flaw in Thunderbyte was that it tried to create a safe execution environment (think of it as a chroot jail in memory, sort of) where it actually executed the virus. Unfortunately the engine was flawed and virus writers figured out how to not only break free from the execution environment, but also how to sploit it for further propagation. The basic idea behind the execution environment was to provide a way to analyze encrypted viruses (that decrypt into memory). AFAIK AV's still do this even though it's very dangerous. Of course, the Thunderbyte method isn't the same as unpacking rar's but it's somewhat similar if you think of it as reading and analyzing code that isn't supposed to be executed, period.

      What surprises me the most is that antivirus vendors still use programming languages that are known to be dangerous in terms of security. The core parts of their engines should have been re-written in special purpose languages that are designed for the task. They can't afford mistakes as reputation (in theory) means everything in this particular market.

      Anyways, I've been around for some time and as far as I'm concerned "the golden era" of anti-viruses is long over, back in the mid-nineties the fight between the AV's and virus writers was pretty even and it made sense to have an antivirus installed. The quality of AV's was also much, much higher as the best AV's tended to be small, fast and stayed out of the way from the user (yeah, this doesn't say much about the core functionality but detection was very good). The best ones were Dr. Solomon, AVP and F-Prot. McAfee and Norton were never really taken seriously as they sucked even then and they were publicly mocked by virus writers (who even went so far as to write detailed papers describing how to break/bypass/avoid their scanengines).

      So who won? The vendors we knew sucked even ten years ago. The only thing we see now is McAfee and Norton, and I've even seen deployments of Norman Antivirus and guess who they are? Yupp, the company formerly known as Thunderbyte. Kaspersky is still around (they used to be AVP) but these days even their AV is overengineered and bloated, I doubt their technology is what it used to be. And then we have the newcomers to the market - Nod32 and AVG. Nod32 seems to keep a tight ship but they have yet to prove themselves in terms of quality, same goes for AVG which I also despise for the intrusive feature of injecting stupid messages like "This email has been scanned with AVG" or whatever. Oh yeah, I feel a lot safer being a "legit" spambot.

      So what do I recommend? Nothing. Learn how to use your computer safely (don't do Warez, visit safe websites only) and stop wasting your money. If you need an AV to "feel safe" then get a free-as-in-beer scanner that doesn't suck up your clock cycles. And, If you need to surf pr0n then buy a Mac or install Linux/BSD/Solaris/'Whatever is good enough to use'.

      </nostalgia>

  22. Re:Who gives a shit by Anonymous Coward · · Score: 0

    YHBT. YHL. HAND.

  23. Why AV Is Innefective from Malware POV by TheUncleD · · Score: 4, Informative
    Coding or I should say, 'Encoding has come a long ways.' - Crackers and bot programmers have become increasingly smarter, realizing how programs such as Norton scan through software programs that are "bots" in order to detect ones which they consider viruses. To understand how the latest virus writers are avoiding detection, you must understand the concepts of randomization, encoding, compiling and packing.

    A normal software program compiled has strings in it which can be matched when scanned through. It examines what are known as string literals. There are even some programs for certain compilers that exist to recreate source code from compiled programs but that is a tangent. What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.
    Here's what the smart botpack coders are attempting to do and in many cases doing effectively: They understand that Norton can scan their compiled bot, once it knows the strings to look for inside of it, and release in its LiveUpdate a way for all people infected to remove it. Given this, they must either constantly compete with Norton's LiveUpdates or find another method. If they are savvy enough or greedy enough, they'll find a way to have coded a packer which encodes uniquely every time it packs. For more information on packing in relationship to viruses, it's in the field of Anti-Virus Heuristics. A very well known packer is UPX which you can search for and find more about. Many modifications of this packer exist. Essentially a bot"packer" is packing their bots uniquely, obscuring the strings from Norton with every pack, meaning every bot appears unique and cannot be identified from any other bot. Of course, bots would probably have unique names or be titled something normally running on a machine such as svchost.exe as a process. This is the common trick and until AntiVirus makers can either employ programmers who can outsmart the encoding schemes these packers are using or users smarten up, it's a tough situation for all who download anything from an untrusted source (someone besides your grandmother - and even then!).

    1. Re:Why AV Is Innefective from Malware POV by Anonymous Coward · · Score: 1, Informative

      It examines what are known as string literals. ...

      What we're dealing with here are encoded strings. If Norton knows how to match a program exactly based on certain strings it can match in the software, it can detect it in all cases, bot discovered, no more botpack.


      Not quite. There are many more characteristics of a binary that AV programs can use to create a signature. I can't really discuss them specifically, but string literals are really low-hanging fruit. AV programs will frequently look for specific sections of the actual code, or certain parts of the binary that can't really be altered except by rewriting things by hand, fiddling with obscure compiler and linker settings, etc.

      In fact, going into the binary and merely changing the embedded string literals such as version, author credits and so on --even randomly scrambling string literals such as the function names the trojan uses-- is unlikely to make it past any halfway decent scanning engine. Remember, the AV developers know these tricks too :)

    2. Re:Why AV Is Innefective from Malware POV by ArsenneLupin · · Score: 1
      What if the program is encrypted and/or compressed with a proprietary algorithm? In that case, there isn't really much to match against, except the decryption code itself. However, this is such a small part of the overall program that it would be difficult to key on that part... which may itself be polymorphic to some degree. Or it may be an "official" decompressor such as UPX, and keying on it will raise too many false positives.

      So the AV program is stuck with executing the decrypting or decompressing code and check the result. However, this is a very dangerous proposal, because if it isn't able to regain control after the decompression is done, it will effectively have been infected itself...

    3. Re:Why AV Is Innefective from Malware POV by Egregius · · Score: 2, Insightful

      What if we encrypted our virus with a random encryption, and only the decrypter could be scanned for? Well, if we did that, we'd be doing what viruswriters were doing late eighties/early nineties. What ever came of it? Anti-virus writers outsmarted the viruswriters, by actually scanning for the decoding pieces or patterns in the code that indicated certain types of encryption.

      Now we're slightly further down the road, and we moved from encrypted to oligomorphic (weak polymorphism) to polymorphic to metamorphic code. Metamorphic code is code that completely changes from generation to generation (read up on the MetaPHOR virus and metamorphism for more details). And yet..anti-virus writers still manage to detect these (with great difficulty however), and have been for quite a while. Metamorphic viruses are incredibly complex however, so you won't see them in the wild often because they're hard to create, and there's hardly any niche for viruses any more. Either your malware is a worm that understands open ports and/or mailing itself to others, or it's an internet-unaware virus that remains stuck on the hard disk.

      Grand-grand-parent's post thus adds little to the discussion. What he speaks of is 1.5 decennia old, and has NOTHING to do with the current article: a well-known anti-virus vendor allowing malicious code-execution through a buffer-overflow. Mods: please mod his pointlessly bolded post 'overrated'. A '5' is disappointingly high for this geek crowd.

  24. Re:Who gives a shit by Anonymous Coward · · Score: 0

    No, you have lost, you're just giving me time to kill =).

  25. Oh boy.... by bzaks · · Score: 1

    So you're telling me, that my ENTIRE college, with the world's stupidest tech department, is forced to rely on symantec corporate edition..... All because it's supposed to STOP the viruses. Will someone PLEASE tell me how this is helping now?

    1. Re:Oh boy.... by harpslashdot · · Score: 1

      Yup, the timing couldn't be better! A few nice days for the virus writers to send out some exploits over the holidays, workers come back January 3 - PCs powered off over the break and not updated - and check their email first thing. Ought to be an *interesting* new year.

    2. Re:Oh boy.... by bzaks · · Score: 1

      I suppose the only way this could be better if the college also forced EVERYONE to have SP2 with their windows.... AND most don't have spyware.

  26. ah... the dangers if using third party libraries. by flowerp · · Score: 1


    If I was to invent a new virus scanner right now, I would make sure all my decompression and scanning code runs in some managed environment, like a .NET/Mono runtime or as Java bytecode.

    Christian

    --
    --- Eat my sig.
  27. Re:Who gives a shit by petermgreen · · Score: 1

    I've occasionally been sent legitimate files by friends as rars but the truth is the main place where rar is seen is indeed warez.

    who would want to release legitimate software in a form that can only be read by a single company's nagware tool when there are free alternatives around that often give better compression? (pirates don't care because they can just crack winrar itself).

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  28. Deep Freeze by Anonymous Coward · · Score: 0

    We don't have any virus protection on our windows boxes at the school I work at. We run Deep Freeze on all of them. No matter what happens to the computer during the day, rebooting will erase any changes made, and restore the PC to the desired state. No viruses. No spyware. No accidental system file deletions or corruptions. Sweet.

    It has its downsides, but mostly just inconveniences.

    Any opinions on taking such an approach rather than using AV software?

    1. Re:Deep Freeze by Cecil · · Score: 2, Funny

      Oh. So you're to blame for all the spam I get. Thanks, asshole.

      Running a virus for 24 hours really sucks anyway. Also, I hope you never run into one that flashes your BIOS.

  29. No updates for old versions! by bitrot42 · · Score: 1
    From the Symantec advisory:

    "Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version."

    In the end, this could turn into a win for them. Everyone lagging behind on affected products will have to shell out for the upgrade.

    I bet we won't see any of those "free after rebate" deals for a while...

    -bitrot-

    --
    FIXME: Add a sig here
    1. Re:No updates for old versions! by durkster · · Score: 1

      On a production mega corporation network with server counts in the thousands this isn't a walk in the park. I was sure when I checked which revisions were vulnerable ( that I care about ) and Corporate Edition 8 + 9 are listed as 'unaffected'. Very curious. Although Corporate Edition 10 does have a publicly downloadable patch listed. Glad I am not in the middle of an upgrade to CE V10.

  30. Webmail by smallguy78 · · Score: 1

    Doesn't yahoo, or msn use Norton AV as its scanning engine? I imagine the same flaw exists unless the enterprise av engine is vastly different from the person av engine.

    --
    Nothing costs nothing
  31. Re:ah... the dangers if using third party librarie by Barny · · Score: 1

    http://housecall.trendmicro.com/ already done, java virus scanner, cross platform, removes as well as finds. Now if only it worked as resident protection... ahh well, now that would be wanting everything :)

    --
    ...
    /me sighs
  32. Re:Who gives a shit by Somegeek · · Score: 1
    FYI,

    There are a number of packages that can utilize .rar files. I am partial to ZipGenius:

    http://www.zipgenius.it/index_eng.htm

    Free (like drinking your friend's beer) and supports every compression type I have ever seen on a Windows platform. And no nagging or guilt!

    --
    And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
  33. re: You, sir, must not do Windows administration by King_TJ · · Score: 1

    I'll be the first to agree that most anti-virus software is a ripoff. But I've been steering folks clear of Symantec AV products for years now. Their stuff is bloated, buggy, and inefficient at doing the job - and insistence on going through "product activation" for retail and OEM products just make it that much less appealing.

    That said, your statement that AV software is purely "snake oil"? I have to take exception to that one. I think it's arguable that *some* people wouldn't get enough value from AV software to make it worth using, but not usually.

    First of all, if you're a Mac user, then no - please don't waste time with AV products like Virex or Symantec! Right now, they only find a few really dumb attempts at "trojan horse" viruses for OS X that are about as threatening as someone writing a DOS batch file containing "FORMAT C:" and emailing it to people, saying "double click this cool new program!" Their *real* reason for existence is SUPPOSED to be cleaning up viruses in email so you don't accidentally become guilty of redistributing some virus you received on your Mac and infecting a Windows user on the other end. But the problems and performance hits these products give most Macs make them unacceptable.

    Secondly, if you're a Windows user who doesn't have his/her PC connected to the net at all and generally just keep using the same software on it all the time (or only upgrade from purchased CD-ROM/DVD-ROM discs), you probably can skip the anti-virus software. (I mean, are you THAT concerned about people sticking infected floppy disks in your machine and screwing stuff up? If so, get the AV software - but otherwise, how is your machine ever going to become infected in the first place?)

    But TYPICALLY, you use Anti-Virus software on a clean PC to try to KEEP it that way. Yeah, if you get spyware in, it's going to install 10-15 other pieces of malware and "helper viruses" that make it difficult to clean/remove. But an up-to-date realtime scanner should prevent a virus from running in the first place, assuming it came in via email or piggybacked onto some file you downloaded and tried to use. Spyware only messes things up if you allow it to install - so at least in theory, you should be able to keep it from being an issue by not installing software of unknown origin. The virus scanner is supposed to prevent the OTHER type of problem; infection by opening what was supposed to be a perfectly legitimate document or piece of software, except it had something bad secretly attached to it.

  34. Symantec not much different than MS in behavior by ispland · · Score: 1

    I can't tell the two apart anymore, both MS and Symantec are behemoths that appear to cause many more problems for users than they actually appear to solve.

    --
    What would Groucho do?
  35. Not really a problem by Low2000 · · Score: 1

    I don't have the bulletin at home and I'm not at work or I'd post a link but this isn't as bad as it sounds. The virus definitions as of 12/20 detect the malformed RAR files as a heuristics detection so as long as your definitions are 12/20 or newer, you should be mostly safe.

  36. I used to think it was just pirate-speak.. by Anonymous Coward · · Score: 0

    You know? Like
    Arrrr!! Rarrr!

  37. Why is this worthy of posting? by SwashbucklingCowboy · · Score: 1

    Buffer overflows and other security issues are a dime a dozen. Just subscribe to Secunia's RSS feed to see that.

  38. Ha ha ha ha! by Anonymous Coward · · Score: 0

    Ha ha ha ha ha ha ha.

    Disclaimer: I work for McAfee.

  39. Jennifer Government! by Anonymous Coward · · Score: 0

    This exact scenario was described in a pretty funny scene in the SF novel Jennifer Government. Hacker chick: "You put a lot of faith in your virus scanner...for a product with buffer overflow issues..."

  40. Smitfraud-C and Needupdate.com by HermanAB · · Score: 1

    Every time I get to fix a machine, it is one that other people tried and couldn't fix. In all cases, the machine is running up to date Norton or McAfee scanners.

    Consequently, the first thing I do, is uninstall all anti-virus crap, then reboot into safe mode and install my trusted utilities: Anti-Vir, Spybot S&D, Adaware and Hijackthis from a CDROM containing the latest updates.

    Lately however, I have run into the Smitfraud-C piece of work. This thing requires a dedicated remover called Smitrem, otherwise it just keeps coming back a few minutes after removing it. This is an incredibly crafty piece of junk which seems to be made by the New Zealand company Spyaxe.

    Oh, well, what the hell...

    --
    Oh well, what the hell...
  41. rar changes a lot by petermgreen · · Score: 1

    and whilst there is official unrar source (under a nasty don't compete with our compressor type license) available last I checked it was not up to date with current versions of the rar format.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  42. Works for me. by PacketScan · · Score: 1

    Further Proof to management that keeping attachments @ 5mb was a great idea.

  43. Because BSD is dying by Anonymous Coward · · Score: 0

    (see above)

    1. Re:Because BSD is dying by laffer1 · · Score: 1

      FUD.

      More people ask questions on the freebsd mailing lists now than they did a few years back. The number one unix like os in the world is Mac OS X which many consider a BSD. (in terms of sales, installs) You may argue that linux is deployed more, but regardless there is a large BSD community with osx + freebsd + netbsd + openbsd + ... systems out there. Apple's hardware sales are in the top 5 often especially with laptops. Let's say apple sells 5 percent of all personal computers (laptop/desktop). That's 5% of all new computers with a BSD on them. In my home there are currently 5 computers running a freebsd, openbsd or mac os x install. + 5 machines with bsd right there. There are 2 users with 5 machines of 7 on bsd. The number of bsd machines in my home is growing.

  44. This includes Brightmail (at hotmail, msn, etc) by Anonymous Coward · · Score: 0

    Symantec uses the same AV software in their "Brightmail" product
    in use at ISPs such as Hotmail and Earthlink. Presumably, the correct
    email message could bring down MSN.

  45. Re:Return of.. (mod parent up) by Egregius · · Score: 1

    Wow, that took me back a bit in time. I sure do remember McAfee missing half the infections of a particular TravellerJack virus. But also how almost none of the big vendors knew how to remove the Form-virus from my bootsector. None, except...MSAV. Aka Microsoft Anti-Virus, which was huuuuugely outdated on my DOS 6.2 install.