
Thread: updating definitions question.

  1. #1

    updating definitions question.

    hiho

    I just saw Norton updating itself and wondered about the updater.
    I assume it is connecting to a server at Symantec somewhere that dishes out the new definitions, if there are any.

    But I was wondering: how do I know where it is connecting? Has there ever been a virus that can hijack this process and redirect the updater somewhere else, or prevent the prog from updating altogether? How does NAV know it is connected to the right place, etc.?

    Just wondering; any comments welcome.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi, and welcome.

    Logically it is possible, as all you would need to do at the superficial level is replace the program with your own of the same name and let matters take their course.

    Now I suspect that Norton are a bit smarter and probably check the download proggy and have some code on the file that is downloaded, or I am sure what you are thinking of would have happened already.

    There have been several pieces of malware recently that will switch off your AV and prevent it updating, so that is already with us.

    Obviously Norton and other AV providers don't publish their countermeasures, as this would only help the skiddies.

    Cheers

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    If you have a firewall, maybe you get an alert saying that Norton AV wants to connect to such and such a place. If it's an IP addy instead of a name, you can always check it first to see what it is.

    I shouldn't think that the IP would change, so if you can remember it you will always know that your AV is connecting to where it should be.

    It's a good point though, and it is probably only a matter of time before some idiot with nothing better to do manages to do it!!

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    DNS poisoning, while not done as often as before, can still be done. It's an interesting concept that's presented. Who says that one couldn't DoS Norton's update server and set up their own server with malicious built-in definitions? There doesn't, AFAIK, seem to be any authentication (aka proof that the server you are talking with is, in fact, the server).

    I know when I was using Windows I had McAfee online and thus had an account with them. When the updates were done, it had to use my account information. But interestingly enough, now that I think about it, it wasn't a secure connection.

    So if AV software manufacturers are not using some method of secure or semi-secure authentication (say SSL for HTTP or PKI for a proprietary app), then it's possible to redirect a user to another location with them being none the wiser.

    Does anyone know if they in fact verify via certificates or something like that?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  5. #5
    Senior Member
    Join Date
    Aug 2003
    Posts
    119

    thadbme knows!

    MsMittens, to answer your question in short: no, Symantec does not offer any sort of certificate verification. The reason I know this is because I've had to deal with some of the Symantec folks a time or two. To make a long story short, our LiveUpdate was not working. So in order to fix this, the Symantec knowledge base (they have a HUGE knowledge base, and very comprehensive) has this batch file which you can run to update automatically. Again, this came off of the Symantec knowledge base. Go to www.symantec.com, then to support, and you can search their knowledge base there.

    open ftp.symantec.com
    anonymous
    nobody@spammer.com
    cd public/english_us_canada/antivirus_definitions/norton_antivirus/static
    lcd C:\temp
    bin
    hash
    prompt
    get symcdefsi32.exe
    quit

    So just from the batch file you can tell that any anonymous user can log onto Symantec and get their definitions. This batch file can be invaluable if anyone simply doesn't like LiveUpdate or it doesn't work properly!

    More info...

    If for some reason you need to change your LiveUpdate server, i.e. you provide your own definitions or know of another 3rd party that does, you can change this by editing your Settings.Hosts.LiveUpdate file, located in your LiveUpdate folder under the Symantec folder, under Program Files. Shooo, breathe! It's recommended that you back up the file in case you mess it up.

    And to finish it up there ARE servers out there that offer some sort of authentication. I'm not sure if they are available to the public or not, but they use reverse lookups to verify before you can download from them. I'm sure there are others out there similar to it.

    Hope this helps!

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    Update for this.

    I noticed this when I was updating my virus defs last night. When you run LiveUpdate, it is digitally signed. So there is some sort of protection going on there, however not if you get them directly from the FTP server!

  7. #7
    open ftp.symantec.com
    anonymous
    nobody@spammer.com
    cd public/english_us_canada/antivirus_definitions/norton_antivirus/static
    lcd C:\temp
    bin
    hash
    prompt
    get symcdefsi32.exe
    quit
    Only I don't believe this would work anymore, as they no longer seem to use their FTP site for definition updates, or only use it for this batch-style updating.

    We recently had to download a new LiveUpdater for our Norton AV because any of our systems that were old enough, or if we did a fresh install of Norton (ver 5.0), would try to connect to ftp.symantec.com and it would not work.

    The new updater connects to liveupdate.symantecliveupdate.com at IP address 209.246.22.112.

    The old ftp.symantec.com was at IP address 206.204.212.72, which is no longer even pingable...

    RRP
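Post #3 suggests remembering where the updater normally connects, post #4 raises DNS poisoning, and post #7 names the current server and address. The following is an added example (my own, not code from the thread or from Symantec) that audits firewall log lines against that expectation; the log format, the process name updater.exe and the suspicious addresses are all constructed for the example, and the port rule assumes plain FTP/HTTP give no proof of who the server is.

```python
"""Audit firewall log lines to confirm an AV updater reached the expected
update server. Added example; not code from the thread or from Symantec."""
import re

# Expected update endpoints. The name and address are the ones quoted in
# post #7; a real allowlist would come from the vendor's own documentation.
EXPECTED_ENDPOINTS = {
    "liveupdate.symantecliveupdate.com": {"209.246.22.112"},
}
# Ports whose protocol does not authenticate the server (plain FTP / HTTP).
UNAUTHENTICATED_PORTS = {21, 80}
# Hypothetical personal-firewall log format, constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proc=(?P<proc>\S+) dst=(?P<host>\S+) "
    r"ip=(?P<ip>[\d.]+) port=(?P<port>\d+)$"
)


def classify(line: str) -> tuple:
    """Return (verdict, detail) for one outbound-connection log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ("unparsed", line.strip())
    host, ip, port = m["host"], m["ip"], int(m["port"])
    if host not in EXPECTED_ENDPOINTS:
        # The updater was sent somewhere it should never go.
        return ("unexpected-host", f"{host} ({ip}:{port})")
    if ip not in EXPECTED_ENDPOINTS[host]:
        # Right name, wrong address: what a poisoned DNS answer looks like.
        return ("ip-mismatch", f"{host} resolved to {ip}")
    if port in UNAUTHENTICATED_PORTS:
        # Right place, but the transport proves nothing about the server;
        # only a signature on the downloaded file does.
        return ("ok-unauthenticated", f"{host}:{port}")
    return ("ok", f"{host}:{port}")


def audit(lines: list) -> list:
    """Classify every line, keeping only the ones worth a look."""
    return [v for v in map(classify, lines) if v[0] != "ok"]


# Constructed sample log; lines two and three are deliberately suspicious.
SAMPLE_LOG = [
    "2003-09-01 10:00:01 proc=updater.exe dst=liveupdate.symantecliveupdate.com ip=209.246.22.112 port=80",
    "2003-09-01 10:05:17 proc=updater.exe dst=liveupdate.symantecliveupdate.com ip=192.0.2.44 port=80",
    "2003-09-01 10:07:02 proc=updater.exe dst=defs.example.net ip=198.51.100.9 port=21",
]
```

Running `audit(SAMPLE_LOG)` flags all three lines: the first only because port 80 cannot prove the server's identity, the second as a name-to-address mismatch, the third as a destination outside the allowlist.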
