Norton Antivirus has a quarantine area feature, where the quarantine area is used to store viruses that the program has found until the user/administrator decides what to do with them. Usually the configuration settings for this feature are password protected, but this password protection can be easily broken due to two problems in the product.
Credit:
The information has been provided by Daniel Wischnewski and Symantec Security.
The first problem is the weak password scheme that Norton Antivirus Quarantine uses.
1) Symantec uses a hexadecimal character table conversion to encrypt the password. Converting each hex value into decimal and looking it up in an appropriate ASCII table will give you the right letter. Here is such a table:
a 41 b 42 c 43
d 44 e 45 f 46
g 47 h 48 i 49
j 4A k 4B l 4C
m 4D n 4E o 4F
p 50 q 51 r 52
s 53 t 54 u 55
v 56 w 57 x 58
y 59 z 5A
0 30 1 31 2 32
3 33 4 34 5 35
6 36 7 37 8 38
9 39
ALT+255 A0 Space 20
2) You can easily bypass the password protection by disabling it. Open 'QuarOpts.dat' with Notepad (or any other editor) and change the value "ENABLED=TRUE" to "FALSE". This allows you to configure the Quarantine without knowing the password.
The second problem is that the Norton Antivirus service can be easily deactivated. When Norton AntiVirus 2002 is installed on a Windows NT/2000 operating system, a new service called 'Norton AntiVirus Auto Protect Service' is added. The 'Norton Antivirus AutoProtect Service' is started automatically upon every Windows startup. The startup method can be modified by changing one value in the registry.
The key is found at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navapsvc
Changing the value of the DWORD 'Start' to any of the values below will change the startup behavior:
2 = (default) automatic startup
3 = manual startup
4 = startup disabled
Vendor response:
Symantec feels that there are some basic misunderstandings concerning the impact of these issues.
In the first issue, weak password encryption, the primary purpose of the Norton AntiVirus 2002 beta quarantine password is to prevent inadvertent or intentional unauthorized changes to selected options; it is not to provide strong application security. The available options on the quarantine UI do not change or modify any form of Norton AntiVirus protection nor do they hold any important data. If the password option is selected, the user/administrator should protect their password as an enhancement to physical and personal security policies and features.
With regards to the second issue: Norton AntiVirus 2002 beta real time and on demand scanners cannot be disabled through changes to the registry. Norton AntiVirus customers are completely safe. If a software tool were created to access the registry and modify any keys that would affect Norton AntiVirus components, a definition would be created to detect and stop that tool just as it would stop a virus. Further, Script Blocking prevents the script developed to automate the disabling of AutoProtect from executing on the targeted system.
Unauthorized access to the system registry presents security concerns for any program(s) which use the registry to persist data. Protection of your system includes restricting physical access to your system and to administrative privileges. Registry security and Access Controls, depending on OS, should not be ignored. ACLs should be reviewed and adjusted in accordance with administrator preferences. Using Windows default settings can lead to an unsecured registry.
Exploit:
The following script will change the Norton Antivirus startup service status to disabled.
<< ============================== disable_start.js ============================== >>
var WSHShell = WScript.CreateObject("WScript.Shell");
WSHShell.RegWrite("HKLM\\SYSTEM\\CurrentControlSet\\Services\\navapsvc\\start", 4, "REG_DWORD");
<< ============================== disable_start.js ============================== >>
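An audit for the registry issue described above, as an added example that is not part of the original advisory or Symantec's code: it reports the 'Start' value of the service key and lists ACL entries that let principals outside a trusted list modify the key. It assumes a current Windows host with PowerShell and English account names; the trusted-principal list is an assumption to adjust per site.

```powershell
# Added example (not from the advisory): audit one service key for its
# start type and for write access granted to unexpected principals.
$keyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\navapsvc'    # key named in the advisory
$startNames = @{ 2 = 'automatic'; 3 = 'manual'; 4 = 'disabled' }    # values listed in the advisory
# Assumption: principals expected to hold write access on a service key.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output "Key not present on this host: $keyPath"
    return
}

# 1) Start type: anything other than 2 means the service no longer starts at boot.
$start = (Get-ItemProperty -LiteralPath $keyPath).Start
if ($null -eq $start) {
    Write-Warning "No 'Start' value under $keyPath"
} elseif ($start -ne 2) {
    Write-Warning "Start = $start ($($startNames[[int]$start])); expected 2 (automatic)"
} else {
    Write-Output 'Start = 2 (automatic)'
}

# 2) ACL: find Allow entries that let a principal outside $trusted modify the key.
# The mask covers the specific write rights plus GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000), which inherited ACEs may carry as raw bits.
$mask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000
$risky = (Get-Acl -LiteralPath $keyPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.RegistryRights -band $mask) -and
    ($trusted -notcontains $_.IdentityReference.Value)
}

if ($risky) {
    Write-Warning "Write-capable ACEs for principals outside the trusted list:"
    $risky | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
} else {
    Write-Output 'No write-capable ACEs for principals outside the trusted list.'
}
```

The same check applies to any other service by changing the key name in `$keyPath`.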