  1. #1
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Flaw in slew of Symantec products

    (Edited by jscher2000 on 21-Dec-05 21:53.)

    As there is no patch, someone must decide which is more dangerous: letting Norton Antivirus scan .RAR archives -- with the risk that one will blow up the product and obtain privileges to run evil software on your system -- or excluding .RAR files from scanning, and taking the chance of a virus hiding inside.

    Since a virus hiding inside a .RAR cannot execute itself, to my knowledge, the latter risk is pretty small. When you extract the contents of the .RAR to disk, AutoProtect should scan them automatically. If you don't use AutoProtect, you will need to scan the extracted files manually. Thus, even if the .RAR file itself was not scanned originally, you have a couple of layers of defense in dealing with its contents. Accordingly, it seems better to stop scanning .RAR files until Symantec patches its products.

    I don't have Norton Antivirus handy, but perhaps someone else can list the steps to exclude .RAR files from scanning.

    Added: Although this article refers to the file extensions for email data files, in principle, the same steps should work for other file extensions: How to exclude your mail box file from being scanned by Norton AntiVirus

  2. #2
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Flaw in slew of Symantec products

    How frequently do you encounter .RAR files? I haven't been sent one for about ten or fifteen years!

    John

    Ita, esto, quidcumque...

  3. #3
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Flaw in slew of Symantec products

    ...and if someone sent me one tomorrow, I would be very suspicious!

    StuartR

  4. #4
    3 Star Lounger
    Join Date
    Jan 2001
    Location
    Boulder, Colorado, USA
    Posts
    231
    Thanks
    0
    Thanked 1 Time in 1 Post

    Flaw in slew of Symantec products

    Edited by Bigaldoc to add URL code. See the Quick Guide, or the 1-Click TagPanel, or even this StarPost.

    The problem is described in "'High' risk in Symantec antivirus software flaw" and the immense range of Symantec products listed in the Secunia advisory, "Symantec AntiVirus RAR Archive Decompression Buffer Overflow", and it sounds potentially pretty bad. As I read it, all we can do until a patch is created is get our NAV to not scan RAR files, but, e.g., my NAV 2004 Pro only has the choice of scanning no compressed files at all. The RAR extension isn't one that's listed in the "customize" list. And a potentially horrendous buffer overflow can be caused by any scan of a malicious RAR file. All I can say is I'm confused about this situation. So, this is a plea for anyone who can offer illumination, or other thoughts, to post here.
    Thanks,
    yerubal

  5. #5
    Star Lounger
    Join Date
    Mar 2001
    Location
    Ontario, Canada
    Posts
    57
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Re: Flaw in slew of Symantec products

    RAR files tend to be multimedia files downloaded from newsgroups, mostly probably inappropriate content. So if you are downloading RAR files you're probably bordering on unsafe browsing practices anyway. [noevil]

  6. #6
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Flaw in slew of Symantec products

    Exactly one .RAR file has been sent to me. Naturally, I sent it to IT to open it and convert it to a ZIP archive. [grin]

    The problem for Norton users, however, is that email can arrive and be scanned without any intervention on their part, so while they might never have received, cared about or even heard of a .RAR file, they could get bitten by a mass mailing bug.

    Which makes me realize that at the corporate level, it might make sense to simply strip all .RAR attachments prior to scanning. Then, the heap overflow danger could arise only from .RAR files delivered inside other "containers," such as a .ZIP archive or an OLE container such as a Word .DOC file. Users probably would be aware of those embedded files and could avoid scanning them.
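
The attachment-stripping idea from post #6, as an added example that is not part of the original thread and not the code of Symantec or any gateway product. It matches on the RAR signature as well as the extension, and goes slightly beyond the post by also reporting ZIP attachments that carry a RAR one level down; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Shared prefix of the RAR 4.x and RAR 5 signatures.
RAR_MAGIC = b"Rar!\x1a\x07"

def is_rar(name, head):
    """Match on content first, so a renamed archive is still caught."""
    return head.startswith(RAR_MAGIC) or (name or "").lower().endswith(".rar")

def zip_has_rar(data):
    """True if a ZIP payload holds a RAR member one level down."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Read 8 header bytes per member; never inflate a whole entry.
            return any(is_rar(i.filename, zf.open(i).read(8)) for i in zf.infolist())
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return False  # not a ZIP, or encrypted/unsupported members (not inspected)

def strip_rar(raw):
    """Return (cleaned message bytes, removed names, names of ZIPs holding RAR)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed, nested = [], []
    for part in [p for p in msg.walk() if not p.is_multipart()]:
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_rar(name, data):
            removed.append(name)
            # Replace the attachment with a text notice before the AV engine sees it.
            part.set_content(f"[RAR attachment {name} removed before scanning]")
        elif zip_has_rar(data):
            nested.append(name)
    return msg.as_bytes(), removed, nested

def sample_message():
    """Constructed sample: a RAR renamed to .dat plus a ZIP wrapping a RAR."""
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(RAR_MAGIC + b"\x00constructed", maintype="application",
                       subtype="octet-stream", filename="photos.dat")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.bin", RAR_MAGIC + b"\x00constructed")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="bundle.zip")
    return msg.as_bytes()
```

Containers other than ZIP (the OLE case mentioned in the post) and self-extracting archives, where the signature is not at offset 0, are not examined by this sketch.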
