Multiple Symantec Product Vuln
Timmy77
February 9th, 2005, 08:30 PM
As if the Microsoft patches weren't enough, there's an issue with many Symantec products and their UPX parsing engine.
http://secunia.com/advisories/14179/
This one's fun because:
It affects a security product (your antivirus / antispam software) and;
it requires a re-install of the new version, rather than a patch to fix it.
Good patching, everyone!
thehorse13
February 9th, 2005, 10:41 PM
Looks like no sleep for me over the next 3 days.
Thanks!
TH13
oofki
February 10th, 2005, 04:08 AM
Do you think it includes corporate products?
XTC46
February 10th, 2005, 04:14 AM
dammit...this just sucks. oh well time to start updating, it's cool though, only about 90 percent of our clients use symantec...*slams head into desk*
oofki
February 10th, 2005, 04:19 AM
Haha xtc, well I guess that's a plus side of selling mcafee 2005 at my place, even though I hate Mcafee.
Edit- I take that back, I like stinger and mcafee for dos because they are simple and free.
phishphreek
February 10th, 2005, 01:27 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265911#post822221) by oofki
Do you think it includes corporate products?
Yep. If you were to RTFA, in the beginning under software you would have seen
Symantec AntiVirus Corporate Edition 8.x
Symantec AntiVirus Corporate Edition 9.x
Normally advisories contain such information. May want to look there before asking.
DjM
February 10th, 2005, 04:02 PM
The following is the official Symantec advisory:
http://www.symantec.com/avcenter/security/Content/2005.02.08.html
I have been in contact with Symantec and have been told that the Virus definitions posted yesterday (2005-02-09) contain a signature which will detect any attempt to exploit this vulnerability and quarantine the virus. This does not fix the problem, we are all still going to have to patch & upgrade but it does offer a little protection.
Cheers:
ny9777
February 10th, 2005, 04:17 PM
According to Symantec's website version 9.0 (enterprise or corporate whatever you want to call it) there are no updates at this time. Keep your fingers crossed. We have the latest def's and will watch very carefully.
SawPer
February 10th, 2005, 04:31 PM
Maaaan!
Symantec's stupid documentation says sometimes you have the Maintenance Releases available and sometimes not. Sometimes Live Update will fix it. Download the latest MR from here: http://www.symantec.com/techsupp/
I tried Live Update, but nopes.. not getting the latest version.
And I search all over for this stupid MR and can't find it anywhere... end up having to call them, and the guy says, yeah.. got phone calls about that all morning.. ! It's not very well described on the homepage, but you actually have to download the latest full product and reinstall the whole thing.. !!!
So here I'm waiting for this 213MB file to finish downloading now.. and some fun reinstallation... joy!
This was supposed to be a nice 4 day work week... argh!
At least tomorrow will be an easy day to reboot servers.. heh!
DjM
February 10th, 2005, 05:13 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265911#post822301) by ny9777
According to Symantec's website version 9.0 (enterprise or corporate whatever you want to call it) there are no updates at this time. Keep your fingers crossed. We have the latest def's and will watch very carefully.
Symantec will be releasing v.10 in March I am told. I have also been told that the risk of waiting (to upgrade to v.10) is low and at this time the def's should serve to protect our systems until then.
As for the "no updates at this time". The story I am getting, is that they (Symantec) are working on the latest versions first (v.10) and will work their way down. For those still running version 8.0.1 or lower, don't hold your breath, they will likely not be patched.
Cheers:
Timmy77
February 10th, 2005, 05:19 PM
From Symantec's site:
http://www.sarc.com/avcenter/security/Content/2005.02.08.html
They have non-vulnerable versions of 8 and 9, but it is a whole new version - reinstallation required.
As for risk, I'd highly recommend not waiting. This vulnerability affects the scan engine itself, and Symantec has told us that Symantec scans by header information - not extension.
So if I take a malicious .EXE, pack it with UPX...then rename the extension, it'll still exploit this vulnerability. Then, all I have to do is get a file on your system to nuke your system. Open shares, an e-mail attachment (or an e-mail attachment scanned by SAV).
scratchONtheBOX
February 10th, 2005, 05:56 PM
:eek: OH MY GOD!
Norton Antivirus Version 10.0.1.13 (Norton SystemWorks 2004 Version: 7.00 Build: 81 ) - So I need a new version, is that it? But based on their ONLINE SECURITY RISKS CHECKING TOOL, I still have an updated version (well, just a thought)! Eh...
:rolleyes:
Und3ertak3r
February 10th, 2005, 09:58 PM
Hmm interesting......
Here's me telling customers that the NAV was a crock of shite..
the number of broken machines that had fully updated defs and prog files that were still being stung has had me surprised. I was thinking that many just didn't know or were using mistruths when being surveyed..
Now I think I can see why.. the bloody anti-virus was executing the virus. I only wish that I had the time to analyse all of my customers machines to pin-point where, when and how they became infected.
As I said I wish I had the time and money to do a forensics on customers machines, I would estimate that about 40% of the repair work that I have done could have come from this and/or similar bug... my suspicion that this is just one of a group of bugs in Symantec AV products that allow a virus to execute, certainly there are problems with the spyware/adware engine, a gaping hole that leaves a machine filled with parasites and wide open to any old virus/worm/trojan to walk in..
cheers
SawPer
February 10th, 2005, 10:17 PM
Extra info:
I was wondering, what about even older versions of NAV CED? Like v7.5 and stuff? They are not even mentioned on the alert page.
So I sit for another 25 minutes on hold waiting for Symantec support on the phone...
Turns out that the v7 is not affected by this threat! :)
BUT! If you still have v7.5, your product is NOT supported at all!
And if you have v7.6, support will expire this March, so you better get the latest version and upgrade anyway.. !
Welcome to the fun weekend! ;)
sickofnorton
May 16th, 2005, 07:45 PM
hey, i realize this is off topic, but i was wondering if you guys could help me out..... i was updating norton corporate to v 10 using symantec system center, but some of the pcs wouldn't take the update, so i tried doing a manual install and it still didn't work.... anyone know why this might be?
Timmy77
May 16th, 2005, 07:51 PM
What version is your parent server? From what I understand that needs to be 10 before you try to upgrade any of your clients.
morganlefay
May 16th, 2005, 07:52 PM
I have had problems "updating" Norton products.
Usually you have to remove the older version...reboot...then update the WS.
Also legacy systems (98\ME\NT) ...you have to use an older version (legacy disk) and manually install that way. AFAIK...8.x plus won't install on anything other than XP\2000. The older software still will communicate with the AV server for updates though...only the 7.X versions were more of a resource hog than the newer ones...not including the network traffic\communication issues in the older versions.
If that doesn't work...Symantec have a Reg cleaner tool on their site which may help with removing previous versions...allowing you then to install the updated product.
MLF
sickofnorton
May 17th, 2005, 10:45 PM
yeah, that's what i ended up doing, but now one of them gives me an error during the install - cannot find NavCE.msi :( does that mean the file is missing from that pc? if so how do i get it back?
morganlefay
May 17th, 2005, 10:58 PM
Tried the symantec site...????
http://search.symantec.com/custom/us/query.html
You haven't stated what OS you are running on the client??
MLF
thehorse13
May 17th, 2005, 10:59 PM
Call Symantec and ask for the Symantec removal tool. It's not supported but it does a nice job of stripping out bad installs. It runs from the command prompt via a batch file. I know, nothing better than an old DOS batch file but the results are surprisingly good.
After that, attempt your Ver10 install again.
SawPer
May 18th, 2005, 03:55 PM
Be warned!
I have the same problem as Sickofnorton. Never had this much trouble upgrading Norton as with this version 10 of SAV CE. I'm using the Windows version for Win2000/2003 Server.
Usually a reboot fixes the problems, but not in my case, I may have to do what TheHorse recommended, using the removal tool... sigh!
morganlefay
May 18th, 2005, 04:10 PM
Thanks for the heads up...
Haven't updated to 10 yet...but will hold off for a bit
I have had a problem with 7.0 and 7.5....to update I had to remove old version and install the new...after removing\reinstalling each module you had to reboot....I think there was a total of 16 that day....no app should make you reboot a server that many times :rolleyes:
As for the removal tool...they developed that after having to walk all customers through hacking the registry every time they had to update\reinstall...must have cost them dearly in Tech Support...not to mention the irate customers
MLF
thehorse13
May 18th, 2005, 04:57 PM
Well, I can tell you this. I am a beta tester for Symantec and I will not be deploying version 10 until at least MR1 comes along. I can't tell you the specifics of why I won't because I have signed an NDA with Symantec but again, I'm looking at the fall as my deployment start. By then I'm sure at least one maintenance release will be out.
As a side note, I have attached the tool to this thread for those who need it. Getting through to "Gold" support is a pain in the arse.
There is a password on the file. "symantec"
Yes, this is from the vendor.
:)
morganlefay
May 18th, 2005, 05:01 PM
Many thanks for the info thehorse13.
Greatly appreciated.
:)
MLF
SawPer
May 18th, 2005, 06:30 PM
TheHorse,
Thanks a bunch! I may need this tool more than I thought...!
Some servers install just fine, but it is so inconsistent! Haven't found any common denominator at all so far, just random servers won't take the upgrade, and errors out in different ways...
However I really like the new version, with all the new features. It even found Adaware that neither SpyBot or Adaware found... ! :)
Plus the fact it's using certificates, making the connections more secure, nice improvement.
TheHorse, so if you can't give us any details, could I just ask a "general" kinda question? :)
If I was able to install version 10 successfully, would you still recommend waiting until MR1?
(like, the installation part is where all the problems are, or even if you are able to install it, it could still give you issues?)
Thanks again! :)
sickofnorton
May 18th, 2005, 09:03 PM
:D WOW, thanks so very much thehorse13!! that tool is amazing, kinda wish i had found out about it a lot sooner tho lol!