Title
Multiple Vulnerabilities in iAntiVirus

Program
PC Tools iAntiVirus for Mac OS X
http://www.iantivirus.com/

Tested version
1.35, Engine Version 1.0.0.10
Tested on German Mac OS X 10.5 with the following preferences:
- Scan inside archives ON
- Scan mode NORMAL
- Heuristics NORMAL

Description

1. No scan in .sit and .dmg archives

The scan function and the online scanner OnGuard don't scan .sit and .dmg archives.

Impact: It's possible to download malware from the internet or to copy it from a USB stick without interruption from iAntiVirus. Malware in .sit archives is recognized by OnGuard during manual decompression, but malware in .dmg disk images is only recognized during a manual scan of the mounted image. It's possible to run malware from the mounted disk image (tested with MacSmurf, which iAntiVirus recognizes as 'Hacktool.OSX.MacSmurf').

2. Problems with special chars in filenames

The scanner, OnGuard and the quarantine management are unable to work with files that have certain special chars in their names, for example ?, which is transformed to Æ.

Impact: False positives are lost, since it's impossible to restore them. Perhaps it's possible to evade the virus protection.

3. No user restrictions in the quarantine management

All quarantined files are managed in the same area. Every user can restore the files of every other user, including the admin.

Impact: A normal user can restore quarantined malware in other accounts, tested with the iWorks-Trojan, which was installed by the admin and restored by a normal user. Additionally, the history function contains no information about which user performed an action and can be erased by every user.

4. OnGuard only protects one user (or perhaps a few more)

If OnGuard is on and another user logs in, it appears to that user as if OnGuard is off. If that user copies malware onto the system, it disappears without any warning: OnGuard is active and moves the files into the quarantine, but doesn't inform the user about this.

If the first user is an admin, this seems to work for every normal user. If the first user is a normal user, it sometimes works for the admin as second user, but not every time.

5. File permissions are ignored

Every normal user can start a "normal scan", which includes the system, library and program folders and the folders of every user.

Solution
None

Credits
Carsten Eilers

Original advisory
http://www.ceilers-it.de/advisories/iantivirus.html
(also as German version)

Regards
Carsten Eilers