Source: http://www.secureroot.com/security/advisories/9785950415.html

Product:  Norton (Symantec) Antivirus
Platform: Win32
Versions: 5.0
Problem:  Files 'embedded' in Word and Excel documents appear to evade scanning.

I have noticed what appears to me to be a disturbing lapse in the scanning procedure of Norton Antivirus 5.0 Win32. I am looking for corroboration and confirmation or denial from anyone else who has noticed this or can reproduce it. I also apologize if this is a known issue (I could not find anything about it in the BUGTRAQ archives).

We run multiple virus scanning systems at our site:

- Trend Micro InterScan Virus Wall on SMTP gateways
- NAV 5.0 on Windows workstations and file servers
- Sophos antivirus on UNIX file and proxy servers

While responding to a recent complaint of infection from a user here, I was told that the customer believed they had been infected with a copy of Win32 Fun Love contained in an 'embedded package' in an Excel spreadsheet that she had received from a co-worker. While investigating the complaint, the local Exchange administrator and I ran several tests, including emailing and opening Word and Excel documents which had infected files embedded in them. We tested this with plain and password-protected files, with the infected files inserted by simple 'drag and drop' from Explorer as well as through 'Object Packager'.

When we emailed the documents with infected embedded files, they were caught and deleted without exception by InterScan at the email gateways. I was somewhat surprised to find that InterScan even detected the infected content in *password protected* files. I remember reading that the security mechanism involved in the Excel password protection scheme is not particularly robust, but I did think that it involved at least a minimal encryption of the file which was protected. I am assuming that either the files are not actually encrypted, the embedded content is not encrypted, or (unlikely, I think) that ISVW is actually cracking the files by brute force in order to scan them. Perhaps someone else knows more about this than I.

In any event, the alarming thing was that NAV 5.0 failed to detect *any* of the infected embedded objects when the enclosing documents were either opened or scanned manually. NAV 'Auto Protect' *did* detect the malicious content when the embedded object was either saved or launched from within the document, but not before.

If this lapse can be confirmed, it seems rather dangerous, since it would appear to represent a simple method for transporting and storing malicious content in a NAV-protected environment. In our case, this sort of thing would most likely be stopped at the email gateways if it were ever mailed, but a huge amount of data moves around our intranet through file sharing, FTP, HTTP, and other means besides email.

To test this, do the following:

- Turn off NAV Auto Protect
- Obtain a copy of some malware or the EICAR test pattern file
- Open a new Word or Excel document
- Drag the malware from an Explorer window into the new document window
- If prompted, pick 'copy here'
- Close the document, right-click on it, and select 'Scan with Norton AntiVirus'
- You should see 'No viruses found in this scan'
- Repeat the scan on the malware or pattern file
- You will probably see a notification that a virus has been detected and/or cleaned
- Close the document
- Re-enable NAV Auto Protect
- Launch the document again
- Norton should not warn of any infection
- If you attempt to save or launch the infected object, then Auto Protect should detect it and produce a warning

I have not tested this yet with NAV 7.0.

-- 
Michael W. Shaffer                    email: shaffer@labs.agilent.com
Research Computing Services           phone: +1 650.485.2955
Agilent Laboratories, Palo Alto       fax:   +1 650.485.5568
----------------------------------------------------------------------
Public Key: http://alcatraz.labs.agilent.com/shaffer/publickey
----------------------------------------------------------------------
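The gap the post describes is a scanner that inspects the document file but not the object embedded inside it, so the embedded file is only seen once Auto Protect watches it being written out or launched. The following is an added example, not part of the original post and not Symantec's or Trend Micro's code: a small container-aware scanner in Python that scans a document's raw bytes, then opens it as a container and scans every member in decoded form, recursing into nested containers under a depth and decompressed-size budget. It uses a ZIP archive as the container (the format of later Office documents) rather than the OLE2 compound files of the Word and Excel versions in the post, because a full OLE2 reader would not fit here; the principle is the same. Only the EICAR pattern is a real signature; the signature table, the member names and the sample documents are constructed for the example.

```python
import io
import zipfile

# The EICAR anti-virus test pattern, which the post suggests using in place of real malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Signature table (name -> byte pattern). Only the EICAR entry is a real signature;
# the table itself is an assumption standing in for a scanner's signature database.
SIGNATURES = {"EICAR-Test-File": EICAR}

MAX_DEPTH = 4                  # nested containers we are willing to open
MAX_TOTAL_BYTES = 50_000_000   # decompressed-byte budget, so a nested archive cannot exhaust memory


def scan_bytes(data: bytes) -> list:
    """Flat scan: report every signature that appears anywhere in the raw bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def is_zip(data: bytes) -> bool:
    """True if the bytes parse as a ZIP archive (the container type this example handles)."""
    return zipfile.is_zipfile(io.BytesIO(data))


def scan_container(data: bytes, path: str = "<root>", depth: int = 0, budget=None) -> list:
    """Container-aware scan: scan the bytes as they are, then open any ZIP
    container and scan each member in its decoded form, recursing into nested
    containers up to MAX_DEPTH and MAX_TOTAL_BYTES. Returns (path, signature) pairs."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]
    findings = [(path, name) for name in scan_bytes(data)]
    if depth >= MAX_DEPTH or not is_zip(data):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            budget[0] -= info.file_size
            if budget[0] < 0:
                findings.append((path + "/" + info.filename, "SCAN-LIMIT-EXCEEDED"))
                break
            member = archive.read(info.filename)
            findings.extend(scan_container(member, path + "/" + info.filename, depth + 1, budget))
    return findings


def build_document(compress: bool) -> bytes:
    """Constructed sample: a ZIP-based 'document' with one embedded file that
    carries the EICAR pattern, written either stored (raw) or DEFLATE-compressed."""
    method = zipfile.ZIP_DEFLATED if compress else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as archive:
        archive.writestr("word/document.xml", "<w:document/>")    # placeholder document body
        archive.writestr("word/embeddings/package.bin", EICAR)    # the embedded object
    return buf.getvalue()


def wrap_in_archive(inner: bytes, name: str = "attachment.zip") -> bytes:
    """Constructed sample: nest a document inside another compressed archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(name, inner)
    return buf.getvalue()


def compare(doc: bytes) -> dict:
    """Run the flat scan and the container-aware scan on the same document."""
    return {"flat": scan_bytes(doc), "container": scan_container(doc)}


if __name__ == "__main__":
    for label, doc in (("stored", build_document(False)),
                       ("deflated", build_document(True)),
                       ("nested", wrap_in_archive(build_document(True)))):
        result = compare(doc)
        print(f"{label:8s} flat={result['flat']} container={result['container']}")
```

With the embedded file stored uncompressed, even the flat byte scan finds the pattern, because the member's bytes sit contiguously inside the archive; once the member is compressed (or, in an OLE2 file, split across non-contiguous sectors) the flat scan sees nothing and only the container-aware scan reports the finding, at a path that names the member. The depth and byte budget are what keep such a scanner safe against deeply nested or highly compressible archives. Scanning inside containers at rest is the complement to the on-access check the post observed: Auto Protect catches the object when it is saved or launched, while a container-aware scan reports it before anyone opens the document.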