symantec rule bug
I just scanned a Chinese install of WinXP-SP2 (the language may not be
important - I'm just saying...) which had Symantec installed on it this
year.

According to Nessus-3.2.1 it is OK for sid:16193 (An antivirus is
installed on the remote host), but then hits sid:24236
<http://cgi.nessus.org/nessus_id.php3?id=24236> (The remote host is
running a vulnerable version of Symantec AntiVirus). That vulnerability
refers to a 2006 version - so I don't think that's it :-)

Maybe it has an old Registry key or something? Anyway, generalizing this
out, if Nessus confirms a machine is running an up-to-date AV engine and
pattern files (any vendor), then shouldn't it ignore any AV
"vulnerabilities" - as they can't be true?

Otherwise, can someone tell me how this machine is up-to-date and
out-of-date at the same time please? ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

Re: symantec rule bug
Jason Haar wrote:
> I just scanned a Chinese install of WinXP-SP2 (the language may not be
> important - I'm just saying...) which had Symantec installed on it this
> year.
>
> According to Nessus-3.2.1 it is OK for sid:16193 (An antivirus is
> installed on the remote host), but then hits sid:24236
> <http://cgi.nessus.org/nessus_id.php3?id=24236> (The remote host is
> running a vulnerable version of Symantec AntiVirus). That vulnerability
> refers to a 2006 version - so I don't think that's it :-)

Hi Jason,

Did you confirm which version of Symantec AV is running on the computer?
What did plugin 16193 say? It's possible an older version of Symantec is
there, but a different AV is running just as well.

> Maybe it has an old Registry key or something? Anyway, generalizing this
> out, if Nessus confirms a machine is running an up-to-date AV engine and
> pattern files (any vendor), then shouldn't it ignore any AV
> "vulnerabilities" - as they can't be true?

Plugin 16193 just checks that AV is running and the signatures are up to
date. It does not check for vulnerabilities.

> Otherwise, can someone tell me how this machine is up-to-date and
> out-of-date at the same time please? ;-)

Reading the plugin, there is a short list of vulnerable SAV versions.

http://www.nessus.org/plugins/index.php?view=viewsrc&id=24236

Please obtain the version of SAV running on this system in question so
we can see if it is indeed vulnerable or if there is an issue with the
check.

Ron Gula
Tenable Network Security

Re: symantec rule bug
Ron Gula wrote:
> Did you confirm which version of Symantec AV is running on the computer?
> What did plugin 16193 say? It's possible an older version of Symantec is
> there, but a different AV is running just as well.
>
>

The remote host has Symantec Antivirus Corporate installed. It has
been fingerprinted as:

Symantec Antivirus Corporate 10.1.0.394
DAT version : 20080825


Your link to
http://www.symantec.com/avcenter/security/Content/2006.05.25.html told
me I had to look at the non-English link (sigh! Why do these people have
separate products for different languages! [I know, I know...]) and that
says the host is indeed running a vulnerable version.

So Nessus was right - but 16193 was still wrong. Shouldn't it check the
engine number?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: symantec rule bug
Jason Haar wrote:
> Ron Gula wrote:
>> Did you confirm which version of Symantec AV is running on the computer?
>> What did plugin 16193 say? It's possible an older version of Symantec is
>> there, but a different AV is running just as well.
>>
>>
>
> The remote host has Symantec Antivirus Corporate installed. It has
> been fingerprinted as:
>
> Symantec Antivirus Corporate 10.1.0.394
> DAT version : 20080825
>
>
> Your link to
> http://www.symantec.com/avcenter/security/Content/2006.05.25.html told
> me I had to look at the non-English link (sigh! Why do these people have
> separate products for different languages! [I know, I know...]) and that
> says the host is indeed running a vulnerable version.
>
> So Nessus was right - but 16193 was still wrong. Shouldn't it check the
> engine number?

Plugin 16193 just checks to see if your system has an antivirus product
installed, if it is running (it might be installed but disabled) and if
the signatures are up to date. It does not check if the actual anti-virus
software is vulnerable. Many other plugins check for those types of
issues.

Ron Gula
Tenable Network Security

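Ron's point in both replies, that a signature-freshness check and a vulnerable-version check answer different questions, as an added illustration. This is not Nessus plugin code and not Tenable's: the affected-version ranges, the seven-day freshness window and the scan date are all constructed for the example; the real list of vulnerable SAV builds is in the plugin 24236 source linked above. It also shows why the version comparison must be numeric per component (a plain string comparison would put 10.1.0.394 below 10.1.0.4).

```python
"""Two independent checks that the thread shows being conflated.

Added illustration, not code from Nessus or Tenable:
  - signatures_current(): are the DAT (pattern) files recent?  This is the
    kind of question plugin 16193 answers.
  - engine_vulnerable(): does the product build fall inside a known-affected
    version range?  This is the kind of question plugin 24236 answers.
A host can pass the first and fail the second, which is exactly the
"up-to-date and out-of-date at the same time" result reported in the thread.

CONSTRUCTED_AFFECTED holds made-up ranges for illustration only; the real
list is in the plugin source linked in the thread.
"""
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple


class Fingerprint(NamedTuple):
    product: str
    version: str      # dotted build number, e.g. "10.1.0.394"
    dat_version: str  # signature set date as YYYYMMDD, e.g. "20080825"


# Constructed ranges [first_affected, first_fixed): NOT Symantec's real data.
CONSTRUCTED_AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "Symantec Antivirus Corporate": [
        ("10.0.0.0", "10.0.9.0"),
        ("10.1.0.0", "10.1.0.396"),
    ],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.1.0.394' -> (10, 1, 0, 394); rejects empty or non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("malformed version string: %r" % text)
    return tuple(int(p) for p in parts)


def version_in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """True if first_affected <= version < first_fixed, comparing numerically.

    Tuples are right-padded with zeros so '10.1' and '10.1.0.0' compare equal;
    a plain string comparison would rank '10.1.0.394' below '10.1.0.4'.
    """
    v, lo, hi = (parse_version(s) for s in (version, first_affected, first_fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def signatures_current(dat_version: str, scan_date: str, max_age_days: int = 7) -> bool:
    """Are the pattern files at most max_age_days old on the day of the scan?

    Both dates are YYYYMMDD strings.  A DAT date in the future (clock skew,
    bad fingerprint) is treated as not current rather than as very fresh.
    """
    dat = datetime.strptime(dat_version, "%Y%m%d")
    scan = datetime.strptime(scan_date, "%Y%m%d")
    age_days = (scan - dat).days
    return 0 <= age_days <= max_age_days


def engine_vulnerable(fp: Fingerprint) -> bool:
    """Does the fingerprinted build fall in any constructed affected range?"""
    return any(
        version_in_range(fp.version, lo, hi)
        for lo, hi in CONSTRUCTED_AFFECTED.get(fp.product, [])
    )


def assess(fp: Fingerprint, scan_date: str) -> Dict[str, bool]:
    """Report both checks separately; neither result implies the other."""
    return {
        "signatures_current": signatures_current(fp.dat_version, scan_date),
        "engine_vulnerable": engine_vulnerable(fp),
    }


def assess_thread_host() -> Dict[str, bool]:
    """The fingerprint reported in the thread, scanned the day after its DAT
    date (the scan date is assumed; the thread does not give it)."""
    host = Fingerprint("Symantec Antivirus Corporate", "10.1.0.394", "20080825")
    return assess(host, "20080826")


if __name__ == "__main__":
    print(assess_thread_host())  # both True: current signatures, vulnerable engine
```

Keeping the two results as separate fields, rather than folding them into one "AV is OK" verdict, is the design choice the thread argues for: current pattern files say nothing about whether the engine build itself has been patched.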