This is bad – whose defending the defender? eEye security has a bulletin announced that regards a remotely exploitable vulnerability in Symantec Antivirus 10.x and Symantec Client Security 3.x They say other versions MAY be vulnerable they’re waiting for information from Symantec. Now, Symantec is probably the biggest selling antivirus package out there. It looks as though, from Symantec’s advisory, that the Norton Antivirus product line is not affected, ONLY “Symantec Client Security 3.1″ and “Symantec Antivirus Corporate Edition 10.1″
They have released IDS updates to try to detect attempted exploits of this….
There do not appear to be exploits in the wild currently for this issue. It sounds like a VERY serious issue and a patch should be coming soon. (No word on when though.) (They are still evaluating other products for this vulnerability.)
Remotely exploitable Antivirus is a BAD thing… Which is why George Ou thinks it’s time to get rid of desktop antivirus…. he does have some decent points, that ANY software that handles files from the outside world can be a weak point. IT IS a good point that antivirus filtering/scanning should be done at the gateway. However, I still have to convince people that they need antivirus even though they just download mail from webmail and the webmail scans for viruses… George says he hasn’t had a problem with a virus on a PC, and that among the “expert users” he knows none of them have either. That’s very good, i’m glad to hear. I’ve seen many users experienced and inexperienced pick up who knows what on the web, with the neat screensaver that so and so… emailed that didn’t seem to do anything, with that neat “game” download… Or, “well I just went looking for lyrics to a **** song…” or… “I just got a highspeed connection last week and things are acting funny…..” Now, maybe I can’t claim to know any experts, myself included… ok fine.
Of course, he is pointing towards Vista and saying that IE will be sandboxed, everyone will be limited-user…. Of course, also in a corporate environment you can have proxy antivirus scanning for mail and web content and even some homes may do likewise, but frankly, MOST homes aren’t NEARLY at the point where they can move the virus scanning entirely to another machine.
YES it’s easily do-able and fairly cheap for someone with a bit of computer experience to setup an antivirus filtering gateway. In fact… with Viralator and squid it would be fairly easy to filter web traffic, add in another component for mail scanning, and that could be a stand alone proxy/scanner for web and mail. What if someone in the network uses IM – I guess Intrusion detection signatures could mitigate that threat, but I’d still be reluctant to say now’s the time to throw it out entirely. I like the idea of “layered defense”. In one particular location that I support they have desktop antivirus and mailserver antivirus (no proxy virus scanning… yet…) The desktop antivirus frankly has not gotten MUCH use as the mailserver antivirus usually picks up and cleans out the problems, however…. I use two different “flavors” of antivirus so that if the updates for one product are a bit slow, the other, hopefully will be able to defend.
Many of the comments to George’s post reflect 2 things…. 1) an impression that he said to get rid of your antivirus (period…) and 2) that the network is NOT the only way bugs can get in…
With regards to 1… that is NOT what he means, he essentially means to move your antivirus off your desktop and to a PC in the network DMZ (out in the wild internet…) I think half of that is a good point and that’s where MOST scanning should be done, however I STRONGLY disagree that desktop antivirus should not be installed. Mainly because of point 2… Most of the time, viruses infect a system because of choices the user makes. *(There are rare situations that it IS beyond their choice, maybe because it’s beyond their expertise…) Visitor at the pc, poor decision, flash card, bluetooth device, wireless card…. how many ways are there that something can STILL get in the system. Vista may make great strides. It does sound like a marked improvement, but It is NOT here. IT is NOT installed on most PC’s. It Will not be widely installed for at least 10-12 months.
Please folks, keep your desktop AV installed and up-to-date. If you want to add perimeter scanning to your home network. There are ways to do so. Maybe we’ll look at some here at some point.
—-update on the Symantec Vulnerability —— 5/27/06 ——
Looks as though I rambled a bit off the specific Symantec vulnerability above…. anyway – it looks as though today:
Symantec has released update patches for the affected products. They appear to be manual download and install only at this point, Hopefully they will be integrated into the liveupdate process (?).
Related PostsRelated Posts
- WMF exploit situation summary... Since there's been quite a bit of flux the last couple of days I thought I'd try to "reset" the situation and give a general overview of where we stand now with regards to the recent WMF zero-day exploit. 1st there is a vulnerability in the way Windows renders WMF......
- Network Security guide for the home or small business network - Part 3 - Antivirus Ok, the first two entries thus far, hardware firewalls and software firewalls have been fairly operating system independant. A hardware firewall is best, but if that's not possible a software firewall will do until you get a hardware firewall setup. This next item is (currently) a must have for Windows......
- The problems with cache servers Networkworld brings us this report that exploit code removed from websites can live on for quite a while in caching servers. Which, in a way is NOT news, but it's worth remembering. Many times when someone visits a website, their really visiting a caching proxy server that has previously grabbed......
- Will Google Reign Forever How many of you use Google all the time? Let’s get a show of hands. Let’s see…one, two, three, four…looks like a lot of you. Great, but maybe you should ask yourself why. Why do you automatically turn to Google when you need to find information? The answer is......
- Sundry Topics: Thanking Readers and Website Changes I want to thank everyone for their votes for Performancing's Best Money Blog. The competition was tough and two of those competitors have more readers than many cities. The voting came to a somewhat predictable conclusion with those two, The Simple Dollar and Get Rich Slowly taking the top two......
- Is it a Sales Letter or a Corporate Blog Post? One of the most common mistakes that corporate blog owners make is turning their blog into a glorified sales letter. While there is a place for sales copy on a blog, it should only be used when absolutely necessary, and never as the main form of communication. No one really......
- Serious Symantec Antivirus Vulnerability
- Linux Antivirus
- Grisoft AVG Antivirus and other antivirus alternatives
- Network Security guide for the home or small business network – Part 3 – Antivirus
- I’ve NEVER liked UPNP…. now I have another reason….