Product:       Norton (Symantec) Antivirus

Platform:      Win32

Versions:      5.0

Problem:       Files 'embedded' in Word and Excel documents appear to

               evade scanning.



I have noticed what appears to me to be a disturbing lapse in the

scanning procedure of Norton Antivirus 5.0 Win32. I am looking for

corroboration and confirmation or denial from anyone else who has

noticed this or can reproduce it. I also apologize if this is a known

issue (I could not find anything about it in the BUGTRAQ archives).



We run multiple virus scanning systems at our site:



- Trend Micro InterScan Virus Wall on SMTP gateways

- NAV 5.0 on Windows workstations and file servers

- Sophos antivirus on UNIX file and proxy servers



While responding to a recent complaint of infection from a user here,

I was told that the customer believed they had been infected with a

copy of Win32 Fun Love contained in an 'embedded package' in an Excel

spreadsheet that she had received from a co-worker. While investigating

the complaint, the local Exchange administrator and I ran several tests

including emailing and opening Word and Excel documents which had infected

files embedded in them. We tested this with plain and password protected

files with the infected files inserted by simple 'drag and drop' from

Explorer as well as through 'Object Packager'. When we emailed the

documents with infected embedded files, they were caught and deleted

without exception by InterScan at the email gateways. I was somewhat

surprised to find that InterScan even detected the infected content in

*password protected* files. I remember reading that the security mechanism

involved in the Excel password protection scheme is not particularly

robust, but I did think that it involved at least a minimal encryption of

the file which was protected. I am assuming that either the files are not

actually encrypted, the embedded content is not encrypted, or (unlikely

I think) that ISVW is actually cracking the files by brute force in order

to scan them. Perhaps someone else knows more about this than I.



In any event, the alarming thing was that NAV 5.0 failed to detect *any*

of the infected embedded objects when the enclosing documents were

either opened or scanned manually. NAV 'Auto Protect' *did* detect the

malicious content when the embedded object was either saved or launched

from within the document, but not before. If this lapse can be confirmed

it seems rather dangerous since it would appear to represent a simple

method for transporting and storing malicious content in a NAV protected

environment. In our case, this sort of thing would most likely be stopped

at the email gateways if it was ever mailed, but a huge amount of data

moves around our intranet through file sharing, FTP, HTTP, and other means

besides email.



To test this, do the following:



- Turn off NAV Auto Protect

- Obtain a copy of some malware or the EICAR test pattern file

- Open a new Word or Excel document

- Drag the malware from an Explorer window into the new document window

- If prompted, pick 'copy here'

- Close the document, right click on it, and select 'Scan with Norton

  AntiVirus'

- You should see 'No viruses found in this scan'

- Repeat the scan on the malware or pattern file

- You will probably see a notification that a virus has been detected

  and/or cleaned

- Close the document

- Re-enable NAV Auto Protect

- Launch the document again

- Norton should not warn of any infection

- If you attempt to save or launch the infected object, then Auto Protect

  should detect it and produce a warning



I have not tested this yet with NAV 7.0.



--

Michael W. Shaffer                     email: shaffer@labs.agilent.com

Research Computing Services            phone: +1 650.485.2955

Agilent Laboratories, Palo Alto        fax:   +1 650.485.5568

----------------------------------------------------------------------

Public Key:         http://alcatraz.labs.agilent.com/shaffer/publickey

----------------------------------------------------------------------