

LARRY
06-28-2003, 09:16 AM
Subject: Symantec Antivirus8 and corrupted profiles




From: Scott Millington (medicb4@haapis.net)
Subject: Symantec Antivirus8 and corrupted profiles


Newsgroups: alt.computer.security
Date: 2003-06-24 15:20:44 PST


Greetings!

I have been lurking here a while and was going to keep lurking but
something is happening that forces me out of hiding (I hope this is
the right group since the most applicable groups I have access to are
dead).

SAV8 (Formerly known as NortonAntivirus) has a facility called Live
Update. There were apparently corrupted virus definition files dated
earlier than "2003-06-20 rev 4" (the corrupted file was published
after the 18th) cause the Symantec Antivirus Client to stop
functioning but it does not give any warnings except a discreet
exclamation point in the task bar.

Oddly enough there isn't anything about this on symantec.com but all
clients (Globally) and about 75% of servers were compromised requiring
peak time reparation (and the trend is growing if the NOC's are to be
believed).

Of course my advice is that *everyone* who uses SAV8 (Formerly known
as NortonAntivirus) should immediately verify they are properly
protected.

Scott Millington see scott @
http://www.users.bigpond.com/rdoolan/Pix/earringsguy.jpg


***
I want to do something more relaxing -- like dismantle live nuclear
weapons. - White House press secretary Ari Fleischer

Message 2 in thread
From: Nelson Tam (it@sankyu.com.hk)
Subject: Re: Symantec Antivirus8 and corrupted profiles


Newsgroups: alt.computer.security
Date: 2003-06-24 19:12:04 PST


YES!! It happened on my company's computer last Saturday!

When I installed the NAV8 Corporate Edition on one of the PCs, the NAV
stopped running. I tried to scan the computer, but it quit. I thought that
was a virus or something. Later, maybe 10 minutes or so, NAV came back
normal! (And it's normal now, I just checked.)

I thought that this black-out period is normal while updating virus
definitions. But now that Scott has noticed the same symptom, I think Norton
should give us a reason.

Anyone with the same experience? Let's share!

Message 3 in thread
From: Scott Millington (medicb4@haapis.net)
Subject: Re: Symantec Antivirus8 and corrupted profiles


Newsgroups: alt.computer.security
Date: 2003-06-25 14:20:42 PST

> YES!! It happened on my company's computer last Saturday!

Apparently the corrupted file was spread on Thursday.

> When I installed the NAV8 Corporate Edition on one of the PCs, the
> NAV stopped running. I tried to scan the computer, but it quit. I thought
> that was a virus or something. Later, maybe 10 minutes or so, NAV came back
> normal! (And it's normal now, I just checked.)

I have no idea what the deal is with your system, but after a bit of
digging I found out the details of the problem I have had to deal with.

FYI the problems are only for large corporations and other users of a
"fast track" virus profile distribution option.

There are apparently 2 ways of getting profiles...

1) IMMEDIATE distribution: where the files are FTPd out "AS IS" and
the customer is responsible for all testing and verifications (what
many corporations do as is evidenced by this - cleanup still ongoing).

2) Consumer LiveUpdate: What y'all probably have is updated once a
week unless something major occurs. This means that the problems I
have will be fixed by the time it is released.

I have had it confirmed that 2003-06-18 rev 6 is Symantec's approved
central distribution and fully OK. The profile 2003-06-24 rev 4 is
the "fast track version" and not generally available.

In other words I blew a false alarm based on mixing information from
my Corporate network and the Internet. They are often mutually
exclusive but even more so in this case.

That being said, although keeping AV up to date is always good, don't
automatically accept the updates... they can be corrupted either by
human error or malicious intent.

EXECUTIVE SUMMARY
The short answer is that the "as is" virus definitions were not tested
and verified correctly (assuming it was done at all).

- There is no problem at all for home users since they didn't get the
profiles in the first place.
- The corrupted version has been withdrawn so no one else should be
affected.
- There is a fix available in the event someone did get the bad
profile...

As for me...I did not have to do any of the patching of our servers
(although shutting off unplanned in the middle of a weekday causes
everyone to report "Net Problems") and clients need a simple reboot to
get the login scripted update (the script was apparently problematic -
but also not mine).

I now return you to your regularly scheduled programming...had this
been a real emergency --------------

Scott
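Scott's advice above (fast-track definitions arrive "as is", so the customer must test and verify before accepting them) suggests a simple acceptance gate. The following is an added illustration, not Symantec's tooling or anything from the thread: it assumes a hypothetical vendor manifest of SHA-256 hashes keyed by the "YYYY-MM-DD rev N" labels used in the posts, a constructed sample package, and a caller-supplied canary health check.

```python
"""Staged acceptance gate for 'as is' AV definition packages (hypothetical).

Before a fast-track definition file goes fleet-wide, require that it
(1) is newer than what is deployed, (2) matches the vendor manifest hash,
and (3) leaves a canary host's AV client healthy after being applied.
"""
import hashlib
import re
from datetime import date

# Labels look like "2003-06-20 rev 4", as in the thread.
REV_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) rev (\d+)$")


def parse_rev(label: str) -> tuple:
    """'2003-06-20 rev 4' -> (date(2003, 6, 20), 4); raises on bad labels."""
    m = REV_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised definition label: {label!r}")
    y, mo, d, rev = map(int, m.groups())
    return (date(y, mo, d), rev)


def is_newer(candidate: str, deployed: str) -> bool:
    """Date is compared first, then revision within the same date."""
    return parse_rev(candidate) > parse_rev(deployed)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def gate(label: str, blob: bytes, manifest: dict, deployed: str, canary_healthy):
    """Return (accept, reason). canary_healthy() is an assumed callback that
    applies the package on a test host and reports whether the client still runs."""
    if not is_newer(label, deployed):
        return False, "not newer than deployed definitions"
    expected = manifest.get(label)
    if expected is None:
        return False, "label absent from vendor manifest"
    if sha256_hex(blob) != expected:
        return False, "hash mismatch: package corrupted or tampered"
    if not canary_healthy():
        return False, "canary client unhealthy after applying package"
    return True, "approved for fleet distribution"


# Constructed sample data (not real definition content or real hashes).
GOOD = b"constructed definition payload 2003-06-24 rev 4"
MANIFEST = {"2003-06-24 rev 4": sha256_hex(GOOD)}
```

A silent client stop like the one described in the thread would surface at step (3), before the package reached every workstation.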

