Is that a Symantec hole?


This post is not meant to create panic; it is just for your information. I am not certain about what I am saying, but after some tests it seems to be right.

That is why I would like your comments on it; they could help save many networks and a lot of System Administrator time.

MR = Major Release

MP = Maintenance Pack

ISSUE: It seems that starting with Symantec Endpoint Protection (SEP) 11 MR4 a bug appeared, and for more than a year it has not been resolved. MR4 MP2 is out now and the problem is still there.

DETAILS: A network can have anywhere from a few computers to millions of them, right?

What if a computer gets infected? It is certainly bad and can be a big issue. (I am sure I am right on this point.) :)

But what if one PC gets infected and, “thanks” to this infected PC, thousands or millions of other PCs risk being infected as well? That is a serious problem!


About Symantec Endpoint Protection: usually in a network there are computers with shared folders, right? What if an infected machine drops a virus into the shared folder of every other machine? It is very EASY, and SEP does not seem to protect against it.

Let’s say, we have 3 computers.

PC1 = a normal computer and a user is using it

PC2 = another computer with a shared folder on the desktop

PC3 = another computer with the “Documents” folder shared and the C$ share reachable

PC1 gets infected for some reason. We all know that an antivirus protects only against “known” viruses and not against unknown ones (sometimes heuristic protection catches some). So PC1 is infected, and probably the unknown infection broke the antivirus: it does not start anymore, or Auto-Protect and manual scans no longer work. Or let's say the antivirus was already not working before the infection: for example, the user of PC1 uninstalled it, disabled it from the registry, or similar. There are many reasons; a good System Administrator knows what can happen.

OK, PC1 is infected: the user goes on the internet and, by mistake or not, downloads a virus, and it gets executed. Well, if the virus is “well behaved” it infects PC1 only. But nowadays who writes a virus that infects one machine only? Very few people.

PC1 got a virus that spreads by itself: in netstat you can see MANY open connections to a lot of IP addresses, usually in the same subnet as PC1 (it depends on the virus). When the virus scans the IP addresses of PC2 and PC3 it finds out that those two computers have shared folders, and it copies itself into them!
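The "many open connections" symptom above can be turned into a quick check. The following is an added example, not code from the original post: it parses Windows `netstat -no` style output (the sample lines are constructed, not captured from a real host) and flags any PID that has contacted an unusually large number of distinct hosts on the SMB ports 445 and 139, which is what a share-scanning worm on PC1 looks like. The threshold of 10 hosts and the PID numbers are assumptions for the lab scenario.

```python
"""Flag processes whose netstat output looks like an SMB sweep of the subnet.

Added example for the scenario in the post; it is not part of SEP or of the
original article. Input format is that of Windows `netstat -no`.
"""
import re
from collections import defaultdict

SMB_PORTS = {445, 139}  # direct-hosted SMB and NetBIOS session service

# One `netstat -no` row: proto, local addr:port, remote addr:port, state, pid
NETSTAT_LINE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for every TCP row."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, UDP rows (no state/PID column layout), blanks
        _proto, _lip, _lport, rip, rport, state, pid = m.groups()
        yield rip, int(rport), state, int(pid)


def smb_peers_by_pid(text):
    """Map PID -> set of distinct remote IPs it has talked to on SMB ports."""
    peers = defaultdict(set)
    for rip, rport, _state, pid in parse_netstat(text):
        if rport in SMB_PORTS:
            peers[pid].add(rip)
    return peers


def suspicious_pids(text, threshold=10):
    """PIDs that reach at least `threshold` distinct hosts over SMB.

    A workstation normally talks SMB to a handful of file servers; a process
    fanning out to dozens of neighbours (often stuck in SYN_SENT) is sweeping.
    """
    return sorted(
        pid for pid, ips in smb_peers_by_pid(text).items() if len(ips) >= threshold
    )


# Constructed sample: PID 4 (System) with one legitimate file-server session,
# a browser on 443, and PID 1234 sweeping 192.168.100.1-20 on port 445.
SAMPLE = "\n".join(
    [
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    192.168.100.5:49152    192.168.100.50:445     ESTABLISHED     4",
        "  TCP    192.168.100.5:49160    10.0.0.8:443           ESTABLISHED     2200",
    ]
    + [
        f"  TCP    192.168.100.5:{49200 + i}    192.168.100.{i}:445     SYN_SENT        1234"
        for i in range(1, 21)
    ]
)

if __name__ == "__main__":
    for pid in suspicious_pids(SAMPLE):
        print(f"PID {pid}: {len(smb_peers_by_pid(SAMPLE)[pid])} distinct SMB peers")
```

On a real machine feed it `netstat -no` output instead of `SAMPLE`; the PID column lets you go straight to `tasklist /fi "PID eq <n>"` to see which binary is doing the sweeping.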

PC2 will have the virus in a folder on its desktop...

You now think: “Well, if SEP is running properly on PC2 it will block it immediately and prevent the file from being created.” You are wrong.

It seems that SEP 11 Auto-Protect does not scan files that another machine copies into a shared folder: you can copy as many viruses to PC2 as you want, and PC2 will do nothing to prevent them from being “pasted” there.

Good news: SEP will detect the file when you click on it or try to view its properties, provided Auto-Protect is enabled, is working properly and has the right signatures to detect it.

Bad news: what if you are doing something important and disable the antivirus because it takes too many resources or crashes the machine while you are burning a DVD, or the antivirus has CORRUPTED definitions and is not working at all? Then this machine will get infected too when the user clicks on that file in the folder on his desktop, a folder he shares with his team and considers safe.
Corrupted definitions are a normal thing; they can easily happen with every antivirus (of course it is better if they don't).

WHAT ABOUT PC3? As you remember, PC3 has Documents shared and C$. What is C$? It is the administrative share of the C:\ drive, hidden from the browse list; to get there you append c$ to the computer name or IP address. For example: \\192.168.100.10\c$

What is the risk with PC3? One of the issues is the same as with PC2: a normal shared folder that can receive a virus. BAD.

But PC3 also has C:\ reachable as a share! That can be very bad: a virus can copy itself into many folders, it can replace some files of the antivirus, and it can copy itself into C:\Documents and Settings\“username”\Start Menu\Programs\Startup, where it gets executed the next time that user logs on. Writing to C$ requires administrative rights on PC3, so this works whenever the account PC1 (or the virus) connects with is a local administrator there, which is common when the same local admin password is reused across a network. EXTREMELY BAD.

SEP does not seem to protect against this kind of problem even when configured as shown below:

Autoprotect Configuration

Somebody could say: yes, there is Auto-Protect on each client, so even if there are viruses in the shared folders, the clients are protected.

But is it nice and safe to have maybe 100,000 computers in a company with viruses sitting in their shared folders? Maybe someone copies the files to a disk and infects the home computer. :) And what if Auto-Protect is not running?

Is this a bug, or is it the normal behaviour an antivirus should have?

You can test the same thing with the anti-malware test file from eicar.org: every antivirus is expected to detect it as malware, but it is harmless.
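The following is an added example for running that test in a lab, not code from the original post and not Symantec's: it writes the EICAR test file into each share path you list, waits for the scanner to react, and reports whether the write was refused, the file was removed afterwards, or it survived untouched (the outcome the post describes). The UNC paths in the default target list, including the C$ Startup path from the PC3 scenario, are hypothetical lab machines; the five-second settle time and the file name are assumptions. Run it from the “PC1” role against machines you own.

```python
"""Probe whether on-access scanning reacts to a test file written into shares.

Added example for the scenario in the post; not part of SEP or the article.
"""
import sys
import time
from pathlib import Path

# The 68-byte EICAR string, split in two so that this script itself is not
# quarantined by the scanner on the workstation you run it from.
EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-",
    "ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_test_string() -> str:
    return "".join(EICAR_PARTS)


def probe_share(share, settle_seconds=5.0, filename="eicar-probe.com", payload=None):
    """Drop `payload` (EICAR by default) into `share` and classify the outcome.

    Returns one of:
      "blocked-on-write"    - the write itself was refused (scanner or ACL)
      "removed-after-write" - the file landed on disk, then was quarantined
      "survived"            - nothing reacted; the file sat there unscanned
      "error: <Exception>"  - share unreachable or similar
    """
    target = Path(share) / filename
    body = payload if payload is not None else eicar_test_string().encode("ascii")
    try:
        target.write_bytes(body)
    except PermissionError:
        return "blocked-on-write"
    except OSError as exc:
        return f"error: {exc.__class__.__name__}"
    time.sleep(settle_seconds)  # give on-access scanning a chance to act
    if not target.exists():
        return "removed-after-write"
    try:
        target.unlink()  # clean up; a share that let it survive is the finding
    except OSError:
        pass
    return "survived"


def probe_shares(shares, **kwargs):
    """Probe every share and return {share: outcome}."""
    return {str(s): probe_share(s, **kwargs) for s in shares}


if __name__ == "__main__":
    # Hypothetical lab targets (assumed names); the C$ Startup path is the
    # persistence case from the PC3 scenario.
    targets = sys.argv[1:] or [
        r"\\PC2\shared",
        r"\\PC3\Documents",
        r"\\PC3\c$\Documents and Settings\user\Start Menu\Programs\Startup",
    ]
    for share, outcome in probe_shares(targets).items():
        print(f"{outcome:22} {share}")
```

A share that reports “survived” is exactly the PC2 case in the post: the file is sitting in the shared folder and nothing on PC2 touched it. Repeat the run with Auto-Protect on and off on the target so you can tell a client-side detection from no detection at all.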

If I am wrong, let me know... but I think I am right :)

It seems there is no public KB article about this on the Symantec website yet.

Any questions? Do you need our FAST help? Go to our forum and ask for FREE!


3 Responses to Symantec Endpoint Protection – SEP – bug – Alert – Possible risk of massive spread of viruses in the network!!

  1. Kelly Brown says:

    Hi, great post, thanks for posting. The information is useful!

  2. Great post! I'll subscribe right now with my feed reader software!

  3. You should change the post title “Symantec Endpoint Protection – SEP – bug – Alert – Possible risk of massive spread of viruses in the network!! | Security-Exchange News” to something more generic for the content you write. I enjoyed the blog post nevertheless.
