October 23rd, 2003, 07:48 PM
updating definitions question.
i just saw Nortons updating itself and wondered about the updater.
i assume it is connecting to a server at symantec somewhere that dishes out the new definitions of there is any.
but i was wondering how do i know where it is connecting? has there ever been a virus that can hijack this process and redirect the updater to somewhere else or prevent the prog updating altogether? how does NAV know it is connected to the right place etc?
just wondering any comments welcome
October 23rd, 2003, 08:00 PM
Hi, and welcome.
Logically it is possible, as all you would need to do at the superficial level, is replace the program with your own of the same name and let matters take their course.
Now I suspect that Norton are a bit smarter and probably check the download proggy and have some code on the file that is downloaded, or I am sure what you are thinking of would have happened already.
There have been several malwares recently that will switch off your AV and prevent it updating, so that is already with us.
Obviously Norton and other AV providers don't publish their countermeasures, as this would only help the skiddies?
October 23rd, 2003, 08:11 PM
If you have a firewall, maybe you get an alert, saying that Norton AV want to connect to such and such a place if its an ip addy insted of a name you can always check it first to see what it is.
I shouldnt think that the ip would change so if you can remember it you will always know that your AV is connecting to where it should be.
Its a good point though and is only proberbly a matter of time before some idiot with nothing better to do manages to do it!!
October 23rd, 2003, 08:15 PM
DNS poisoning, while not done as often as before, can still be done. It's an interesting concept that presented. Who says that one couldn't DOS the norton's update server and setup their own server with a malicious built-in definitions? There doesn't, AFAIK, seem to be any authentication (aka proof that the server you are talking with is, in fact, the server).
I know when I was using Windows I had McAfee online and thus had an account with them. When the updates were done, it had to use my account information. But interestingly enough, now that I think about it, it wasn't a secure connection.
So if AV software manufacturers are not using some method of secure or semi-secure authentication (say SSL for HTTP or PKI for proprietary app), then it's possible to redirect a user to another location and them being non-the-wiser.
Does anyone know if they in fact verify via certificates or something like that?
October 23rd, 2003, 08:40 PM
MsMittens to answer your question in short, no Symantec does not offer any sort of certificate verification. Reason I know this is because I've had to deal with some of the Symantec folks a time or two. To make a long story short our LiveUpdate was not working. So in order to fix this, Symantec knowledge base (they have a HUGE knowledge base, and very comprehensive) has this batch file which you can run to automatically update. Again this came off of the symantec knowledge base. Go to www.symantec.com , then to support, and you can search their knowledge base there.
So just out of the batch file you can tell that any anoymous user can log onto symantec and get their definitions. This batch file can be invaluable if anyone simply doesn't like LiveUpdate or it doesn't work properly!
If for some reason you need to change your LiveUpdate server, IE you provide your own definitions or know of another 3rd party that does, you can change this by editing your Settings.Hosts.LiveUpdate file, located in your LiveUpdate folder under the Symantec folder, under program files. Shooo breathe! Its recommended that you back up the file incase you mess it up.
And to finish it up there ARE servers out there that offer some sort of authentication. I'm not sure if they are available to the public or not, but they use reverse lookups to verify before you can download from them. I'm sure there are others out there similar to it.
Hope this helps!
November 7th, 2003, 09:39 PM
Update for this.
I noticed when I was updating my virus def's last night. When you run liveupdate it is digitally signed. So there is some sort of protection going on there, however not if you get them directly from the ftp server!
November 7th, 2003, 10:38 PM
Only I don't believe this would work anymore, as they no longer seem to use their ftp site for deinition updates, or only use them for this batch style updating.
We recently had to download a new live-updater for our norton AV because any of our systems that were old enough, or if we did a fresh install of norton (ver5.0) it would try to connect to ftp.symantec.com and would not work.
The new updater connects to liveupdate.symantecliveupdate.com at IP address: 18.104.22.168
The old ftp.symantec.com was at IP address: 22.214.171.124 which is no-longer even pingable...