
nai.virusscan.nt.txt
Posted Aug 17, 1999
Authored by Simple Nomad

Network Associates VirusScan NT (formerly McAfee VirusScan NT) version 4.0.2 does not properly update virus signature definition files under certain conditions, and will falsely report it is up to date during manual updates. This impacts both NT Server and Workstation.

tags | exploit, virus
SHA-256 | ab203e29ed84ed4d697e5b537d8d9fb2b01c49b909016327029e29956c1fbe71

_______________________________________________________________________________

Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Simple Nomad [thegnome@nmrc.org]
05May1999
_______________________________________________________________________________

Platform : Microsoft NT 4.0
Application : Network Associates' VirusScan NT
Severity : Medium


Synopsis
--------

Network Associates VirusScan NT (formerly McAfee VirusScan NT) version
4.0.2 does not properly update virus signature definition files under
certain conditions, and will falsely report it is up to date during manual
updates. This impacts both NT Server and Workstation.

Tested configuration
--------------------

Microsoft NT Server 4.0 w/SP3, Network Associates VirusScan NT version
4.0.2.

Microsoft NT Workstation 4.0 w/SP3 and SP4, Network Associates VirusScan
NT version 4.0.2.

Pre-4.0.2 versions of VirusScan NT were not tested, nor were versions for
other platforms, such as Windows 95 or 98.

Bug(s) report
-------------

Network Associates VirusScan NT has a feature that allows for a user to
update the virus definitions file via ftp. This task can also be automated
via the VirusScan NT AntiVirus Console. In version 4.0.2, the scan engine
holds open the main definition file scan.dat (located in the VirusScan NT
directory) during the ftp process, preventing the file from being
overwritten with the new version. The engine itself apparently does not
check return codes and does not notify the user that the file was not
updated. Worse, the Application Log is updated as if the install completed
properly, so subsequent downloads of new definition files will not
update scan.dat properly either. Subsequent manual downloads will
tell you that you already have the latest definition file when in fact you
do not.

NMRC was not able to make this error occur consistently, and we strongly
suspect that a race condition exists where the updates will occasionally
work, but we were able to duplicate the error condition most of the time.
Testing was done in NMRC labs, and at two corporate locations.

To verify the proper definitions file, check the About box from the
AntiVirus Console program for the latest date next to the text "Created
On". If after a manual or automatic update this date does not change, your
definitions have not been properly updated.

The implication here is that the administrator or end user believes their
system is protected when it in fact is not.

Solution/Workaround
-------------------

Upgrade to Network Associates VirusScan NT version 4.0.3a, which resolves
the problem. Alternatively, disable the VirusScan engine, wait several
seconds for the operating system to close the file, and manually copy the
definition files into the VirusScan NT directory. This second method will
place your log files out of sync with the definition files until the next
manual or automatic download, but this should not impact functionality.

It is recommended that you disable 4.0.2 (or even uninstall) before
performing an upgrade to 4.0.3a due to other problems we encountered
during the testing of this product, such as being unable to properly stop
the VirusScan services before upgrading. Once again, these problems were
inconsistent but happened several times on several systems.

One further note: in a restricted NT workstation environment, it is next
to impossible to have the user upgrade the product themselves. Local admin
rights are required to make this happen, and this will require a visit
from an individual with adequate rights to the workstation to complete the
upgrade.

Comments
--------

Network Associates has been notified and recommends the upgrade to 4.0.3a
to resolve the problem. This problem was discovered while investigating
why upgraded machines were still infected by various Microsoft Word macro
viruses after they had been upgraded to the latest definition files.

Network Associates can be reached at http://www.nai.com/. Unfortunately
at the time of this writing the ftp location of the 4.x definition files
was not present. It's supposed to be at
ftp://ftp.nai.com/pub/antivirus/update/4.x but had disappeared from the
server(s).

_______________________________________________________________________________


Simple Nomad //
thegnome@nmrc.org // ....no rest for the Wicca'd....
www.nmrc.org //
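
The failure mode in the bug report above (an overwrite of scan.dat that fails
without the updater noticing, followed by a "success" log entry) is avoided by
verifying the installed file itself before logging anything. The following is
an added example, not part of the advisory and not NAI's code; the function
names, log format and file contents are hypothetical and constructed for
illustration.

```python
import hashlib
import shutil
from pathlib import Path


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def install_definitions(downloaded, installed, log, copy=shutil.copyfile):
    """Copy `downloaded` over `installed`; log success only after verifying.

    `copy` is injectable so a failing or silently no-op copy can be simulated.
    Returns True only when the installed file is byte-identical to the download.
    """
    error = None
    try:
        copy(downloaded, installed)
    except OSError as exc:  # e.g. a sharing violation while the file is held open
        error = exc
    # Check the result itself instead of trusting the copy's return status.
    ok = Path(installed).exists() and sha256_of(installed) == sha256_of(downloaded)
    name = Path(installed).name
    if ok:
        log.append(f"UPDATED {name} sha256={sha256_of(installed)}")
    else:
        log.append(f"FAILED {name} not replaced ({error or 'no error reported'})")
    return ok


def locked_copy(src, dst):
    """Constructed stand-in for an overwrite refused because the file is open."""
    raise PermissionError("sharing violation (constructed)")


def demo(workdir):
    """Constructed scenario: silent no-op copy, refused copy, then a real copy."""
    old, new = Path(workdir) / "scan.dat", Path(workdir) / "scan.dat.new"
    old.write_bytes(b"definitions created 1999-04-01 (constructed)")
    new.write_bytes(b"definitions created 1999-05-01 (constructed)")
    log = []
    silent_noop = lambda src, dst: None  # models an unchecked, failed overwrite
    results = [install_definitions(new, old, log, copy=c)
               for c in (silent_noop, locked_copy, shutil.copyfile)]
    return results, log
```

Only the third attempt is logged as an update; the first two leave a FAILED
entry, so a later run cannot conclude from the log that the definitions are
already current.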

_______________________________________________________________________________

Date: Wed, 5 May 1999 08:03:19 -0500
From: Simple Nomad <thegnome@NMRC.ORG>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: NAI AntiVirus Update Problem (fwd)

> Network Associates can be reached at http://www.nai.com/. Unfortunately
> at the time of this writing the ftp location of the 4.x definition files
> was not present. It's supposed to be at
> ftp://ftp.nai.com/pub/antivirus/update/4.x but had disappeared from the
> server(s).

A couple of people have pointed out the correct location is
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x. Silly me, I was going by a
whatsnew.txt file stating that this was the location.

Oh and sorry about the date on the last message, playing with intrusion
detection and replay attacks and was monkeying with the date.

Simple Nomad //
thegnome@nmrc.org // ....no rest for the Wicca'd....
www.nmrc.org //

_______________________________________________________________________________

Date: Thu, 6 May 1999 10:14:54 -0700
From: Ryan Hill <ryan@TVW.ORG>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: NAI AntiVirus Update Problem

The latest release 4.0.3.345 build also has known issues using the Internet
AutoUpdate feature for updating dat files. During Internet AutoUpdate
sessions, the message "could not connect to AutoUpdate server" is displayed
and the virus signature datfiles are *not* upgraded, despite correct
configuration in the registry.

The current configuration key for Internet update is:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\Update\ScriptLoc

It is of type REG_SZ and correctly reports the update location of
"/pub/antivirus/datfiles/4.x".
The current workaround is to manually download dat file updates and to
update the files locally from the Exchange Server. My tests attempting to
update the datfiles remotely from another workstation with updated dat files
have not been successful.

If you choose to NOT install client scanning features of the product, an
error will occur when you attempt to access the Anti-Virus settings for any
mailbox. The message reads: "ERROR: The mailbox for notifications cannot be
resolved. Please reselect the mailbox." This error message is also a known
issue and while cryptic, will probably be fixed in the next service pack or
build. It does not have any adverse effects that I have noticed (other than
confusing Exchange Admins).

The incorrect version reporting has been corrected in this release.

There is also an incorrect version key created in the registry during the
install:
"HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\4.0.2" should read 4.0.3 but
this bug does not have any obvious effects on server operation and is not
reported in the release notes for the product. This bug has been reported
to NAI tech support by myself during a previously opened support incident.

Finally, a few notes on the installation of this product. GroupShield 4.x
installations are VERY picky about account permissions and in addition to
the very specific installation line items mentioned in the release notes,
the following are also required but not mentioned (probably assumed).

1.) Administrative shares must be active on the drive where Groupshield is
to be installed.
2.) The Exchange Service Account (also used for installation) must have FULL
CONTROL permissions to all Exchange related shares.
3.) The Exchange Service Account must also have FULL CONTROL NTFS
permissions to all Exchange Server operating directories.

This bug has also been reported to NAI tech support by myself during a
previously opened support incident.

Regards,
Ryan

_____________
Ryan Hill
CIC, MCP + I
TVW, Washington State's Public Affairs Network
e-mail: ryan@tvw.org phone: (360) 586-5555
http://www.tvw.org

PGP Key available from standard keyservers.

> A couple of people have pointed out the correct location is
> ftp://ftp.nai.com/pub/antivirus/datfiles/4.x. Silly me, I was going by a
> whatsnew.txt file stating that this was the location.
>
> Oh and sorry about the date on the last message, playing with intrusion
> detection and replay attacks and was monkeying with the date.
>
> Simple Nomad //
> thegnome@nmrc.org // ....no rest for the Wicca'd....
> www.nmrc.org //
>

