Harry Waldron - Corporate and Home Security

Latest Security Developments and Best Practices are shared to help keep users safe

Use of Rootkits in Symantec AV products is exaggerated

Recently, a number of media articles have surfaced that claim Symantec is using "rootkit" techniques by hiding key control folders from the Operating System. This approach might create install/uninstall issues when non-conventional approaches are used. In a worst case, it could be manipulated by virus writers to hide malware.

Symantec is trying to lock down and protect the SAV infrastructure, so that there is less risk of users accidentally discovering and manipulating the installed AV environment.

Symantec uses only one element of a "rootkit"-like technique: hiding a control file from the Operating System. The key reason this is NOT a rootkit is that Symantec is not doing anything malicious with this approach.

Symantec is taking steps to further protect this control system, so that the dark side of the force does not use it as a place to hide malware. The original findings were good, and hopefully the media will report technical findings more realistically in the future.

eWeek: Symantec Caught in Norton 'Rootkit' Flap
http://www.eweek.com/article2/0,1895,1910077,00.asp

QUOTE: Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers.  The anti-virus vendor acknowledged that it was hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.


Kaspersky: No rootkit in Kaspersky Anti-Virus
http://www.viruslist.com/en/weblog?calendar=2006-01

QUOTE: We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:

1. If a KAV product is active, the streams are hidden and no processes (including system) have access to them.

2. If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams)

3. If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database - thus it will destroy the alien code/data.

To sum up: I think that the "rootkit" problem is being over-hyped. It is up to all of us in the security industry and press to be careful about how we use terms. Ordinary users, who can't analyze the situation themselves, shouldn't be misinformed.
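As an added illustration of point 3 in the quote above (example code written for this page, not Kaspersky's or Symantec's own, and using a made-up store layout), the Python below shows the validate-or-rebuild behaviour: a hidden checksum store that fails a format and integrity check is discarded and regenerated from the protected files, so anything written into the hidden location by someone else is never interpreted as trusted data.

```python
import hashlib
import struct

# Hypothetical on-disk layout for a hidden checksum store (constructed for
# this example; it is NOT the real format used by any AV product):
#   magic (4) | version (u16) | count (u16) | count * 32-byte SHA-256
#   | SHA-256 over everything before it (32 bytes)
MAGIC = b"KCHK"
VERSION = 1

def serialize_store(hashes):
    """Write the store with a trailing integrity hash over the body."""
    body = MAGIC + struct.pack("<HH", VERSION, len(hashes)) + b"".join(hashes)
    return body + hashlib.sha256(body).digest()

def parse_store(blob):
    """Return the stored hashes, or None if the blob is not a well-formed store.
    Anything failing these checks is treated as alien data, never as a store."""
    if len(blob) < 8 + 32 or blob[:4] != MAGIC:
        return None
    version, count = struct.unpack("<HH", blob[4:8])
    if version != VERSION or len(blob) != 8 + 32 * count + 32:
        return None
    body, trailer = blob[:-32], blob[-32:]
    if hashlib.sha256(body).digest() != trailer:
        return None
    return [body[8 + 32 * i: 8 + 32 * (i + 1)] for i in range(count)]

def load_or_rebuild(blob, files):
    """Load the store if it validates; otherwise rebuild it from the protected
    files, overwriting whatever was sitting in the hidden location."""
    hashes = parse_store(blob)
    if hashes is not None:
        return hashes, False
    return [hashlib.sha256(data).digest() for data in files], True

# Constructed sample input: two "protected files" and three stream contents.
FILES = [b"scan engine bytes", b"signature table bytes"]
GOOD = serialize_store([hashlib.sha256(f).digest() for f in FILES])
# The hidden stream replaced wholesale (e.g. while the product was inactive):
TAMPERED = b"MZ\x90\x00" + b"\x00" * 60
# A subtler case: one byte flipped inside an otherwise well-formed store.
FLIPPED = GOOD[:10] + bytes([GOOD[10] ^ 1]) + GOOD[11:]

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("tampered", TAMPERED), ("flipped", FLIPPED)]:
        _, rebuilt = load_or_rebuild(blob, FILES)
        print(name, "rebuilt" if rebuilt else "accepted")
```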

Other Links

F-Secure: Cloaking without malicious intent

F-Secure: The "Symantec rootkit"
