Symantec Squashes Virus Detection Bypass Bug

The anti-virus vendor issues patches for a security bug in several enterprise and consumer products.

Anti-virus vendor Symantec has released patches for a security vulnerability in several enterprise and consumer products that can be exploited to bypass scanning functionality.

In a public advisory posted last Wednesday, the company said an error in the Symantec Antivirus component that is responsible for processing encoded or archived content has the potential to be exploited through the use of a specially crafted .rar file.

The affected enterprise products include Symantec Web Security, Symantec Mail Security for SMTP, Symantec AntiVirus Scan Engine, Symantec SAV/Filter for Domino NT and Symantec Mail Security for Exchange. Several consumer products in the Norton suite also are vulnerable, Symantec Corp. said.

The company said updates with fixes are available through the LiveUpdate feature or from the Symantec Support Web site.

In its advisory, Symantec noted that malicious content placed inside a configured .rar file can be bypassed and not detected by an initial file scan. But, Symantec added, the potentially harmful content does not pose a risk until it is extracted from the .rar archive file.

.Rar files are used to hold compressed files, similar in function to .zip files. Beginning in late December, administrators and service providers began finding virus-infected messages using the .rar file type.

Security research outfit Secunia rates the vulnerability as "moderately critical," but Symantecs alert carries a "low risk" rating. Having the vulnerability found by a researcher and reported by a vendor kept the exploit from garnering a higher risk warning, said Secunia researcher Thomas Kristensen.

"Obviously, it would be very appealing for attackers to find an exploit in a popular anti-virus application like Symantec," he said. "So, its fortunate that the bad guys didnt find it first."

Kristensen added that anti-virus programs are particularly complex, making them difficult to perfect. "Every piece of anti-virus software should be flawless," he said. "But we live in the real world, where thats just not possible."

Although attacks have been limited in the past, they may be on the increase as virus writers tinker with .rar files as a method for infection delivery. Anti-virus vendors have acknowledged the challenges that .rar files present, and they have been working for months to develop tools that could eliminate the malware.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.