
Norton AntiVirus ignores malicious WMI instructions

Written by Munir Kotadia, Contributor
Symantec's flagship consumer antivirus application contains a vulnerability that can allow certain malicious scripts to pass through without being scanned, according to a security researcher.

Dan Milisic, a security researcher based in Canada, told ZDNet Australia that Norton AntiVirus's script blocker ignores certain VBScript that does its work through Windows Management Instrumentation (WMI), which could allow an apparently protected PC to be infected by a Trojan without detection.

WMI is Microsoft's primary management enabling technology for Windows. According to Microsoft's Developer Network Web site, WMI is "the instrumentation and plumbing through which all -- well, almost all -- Windows resources can be accessed, configured, managed, and monitored".

Milisic said that Norton AntiVirus's (NAV) script blocker is able to block potentially harmful scripts written in VBScript when they use the usual scripting objects, but is less reliable when the same actions are performed through WMI instructions.

"NAV will parse a VB script and if it finds a potentially malicious instruction -- such as a write to disk -- it will block it. But WMI in VBScript are completely passed over by the script blocking -- or at least major parts of them are," said Milisic.

"I can launch a file with WMI and NAV's script blocking would not find it where a typical VB script would be found," said Milisic.
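As an added illustration, not taken from the article or from Milisic's Full Disclosure post, the Python sketch below contrasts the two ways a VBScript can start a program and shows why a script blocker that keys on the classic automation objects misses the WMI route. The two VBScript samples are constructed here (they launch calc.exe, nothing more), and the naive and revised pattern lists are assumptions standing in for whatever NAV actually matched, which the article does not specify.

```python
import re

# Constructed sample: the "classic" VBScript way to start a program and write a
# file, via WScript.Shell and the FileSystemObject. A script blocker that keys
# on these automation objects will catch it.
CLASSIC_VBS = r'''
Set sh = CreateObject("WScript.Shell")
sh.Run "calc.exe", 1, False
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("C:\dropped.txt", True)
f.WriteLine "payload"
f.Close
'''

# Constructed sample: the same launch through WMI. Win32_Process.Create asks
# the WMI service to start the process, so WScript.Shell never appears.
WMI_VBS = r'''
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set proc = wmi.Get("Win32_Process")
rc = proc.Create("calc.exe", Null, Null, pid)
'''

# Assumption: a simplified model of a script blocker that looks for known
# dangerous automation objects and methods. The real NAV rules are not public.
NAIVE_PATTERNS = [
    r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)',
    r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)',
    r'\.Run\b',
    r'\.CreateTextFile\b',
]

# Revised rule set: also match the WMI moniker, the Win32_Process class and its
# Create method, which is the usual way to launch a program through WMI.
WMI_PATTERNS = NAIVE_PATTERNS + [
    r'GetObject\s*\(\s*"winmgmts:',
    r'\bWin32_Process\b',
    r'\.Create\s*\(',
]


def scan(script, patterns):
    """Return the patterns that match anywhere in the script.

    VBScript identifiers are case-insensitive, so the match is too.
    """
    return [p for p in patterns if re.search(p, script, re.IGNORECASE)]


def blocked(script, patterns):
    """True if the modelled script blocker would stop this script."""
    return bool(scan(script, patterns))


if __name__ == "__main__":
    for name, src in (("classic", CLASSIC_VBS), ("wmi", WMI_VBS)):
        print(f"{name}: naive={blocked(src, NAIVE_PATTERNS)} "
              f"revised={blocked(src, WMI_PATTERNS)}")
```

Run as-is, the classic sample is caught by both rule sets while the WMI sample slips past the naive one and is caught only after the WMI patterns are added. The wider caveat is that any source-pattern scanner is also defeated by string concatenation or Chr() tricks, so the durable fix is to hook the behaviour (process creation, file writes) at the COM and WMI boundary rather than to grow the pattern list.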

Milisic's discovery was initially reported by European Web site Secunia, but after contact with Symantec, Secunia changed its advisory.

Milisic told ZDNet Australia that Secunia "listened to Symantec and published a 'correction' without consulting me. I sent them an update so they could change their advisory a second time. They were better off saying nothing at all".

On Thursday Milisic posted to the Full Disclosure security mailing list to restate his argument and included some sample scripts to prove his point.

Symantec, which on Thursday announced record revenues of US$618 million in Q2 of 2004, said it was investigating Milisic's claims.

A Symantec spokesperson told ZDNet Australia: "We are looking into this latest advisory and will be issuing a response as soon as we can. Our number one concern is safeguarding our customers, so you can be assured that we will be resolving this as a highest priority".

But Symantec's assurances fall on deaf ears with at least one former customer.

Ian Tucker, chairman of the IT Committee at the Royal Australian Institute of Architects, told ZDNet Australia he is not surprised the vulnerability has been discovered.

Tucker, who also runs a small architects' firm in Western Australia, said he was a Symantec customer for five years but after numerous problems switched over to rival AV supplier Panda.

"After some months of this nonsense [system crashes and poor performance] we were offered a 180 days free trial of Panda Platinum AV for each of our work stations.

"We loaded it onto the first machine (the Symantec daily updates had been run earlier that day) and ran the Panda AV.

"On the first machine there were three viruses active in the system and 27 viruses embedded in the backup hard drive. We then applied Panda to the other machines with similar results," said Tucker.

