Symantec Security Advisory SYM09-009, Specifically Crafted Archive Files can Bypass Initial Scans

Overview and Details: Specifically-crafted headers for Archive Files can potentially bypass initial malware scans in some products.
Symantec received information on various malformed or specifically formatted archive files, tar/zip/rar/etc. that have the potential of bypassing scans in scanning products. Depending on the product doing the initial scanning of the archive container, this can result in archived files, which haven’t been properly scanned, reaching client systems. While these modified archive files are corrupted out of any expected format, some archive applications will still recognize them and attempt to extract the content.

Affected Products:
Norton Internet Security
Norton 360
Norton AntiVirus
Norton Systemworks
Symantec Mail Security for Domino
Symantec Mail Security for Microsoft Exchange
Symantec Mail Security for SMTP
Symantec Brightmail Gateway
Symantec AntiVirus for Network Attached Storage
Symantec AntiVirus for Caching
Symantec AntiVirus for Messaging
Symantec Protection for SharePoint Servers
Symantec Protection Suite
Symantec Scan Engine
Symantec Client Security
Symantec Endpoint Protection
Symantec AntiVirus Corporate Edition

Symantec Response
Symantec is well aware of the potential for malicious use of malformed archive files. Symantec gateway products detect malformed files, such as a malformed container file, by default. Administrative policy controls exist in Symantec gateway products for these types of malformed files to be blocked or stripped prior to entering the network or quarantined for admin review and actions. Symantec recommends such policy control be used as part of a “defense-in-depth” security policy to restrict potentially harmful content from entering the internal network.

In the event that these malformed archive files get through to client/end-user systems, potential malware archived in this manner is not an active threat while it remains archived. However, should known malicious code be delivered to a client system in this manner, Symantec’s Auto Protect or Real Time Virus Scan components would detect malicious content during access attempts as the container is opened.

Should previously unidentified malicious code be distributed in this manner, Symantec’s Security Response is committed to reacting immediately with updated threat detections via Symantec LiveUpdate or Rapid Release Definitions.

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090612_00
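The advisory's two technical points (an archive whose headers disagree with each other can still be opened by a lenient unpacker, and a gateway should therefore block or quarantine malformed containers rather than pass them through) can be seen in one small script. What follows is an added example in Python, not Symantec's code and not part of the advisory: it walks a ZIP file's central directory and compares each entry against its local file header, reports every inconsistency, and maps the result onto a hypothetical gateway policy (the ALLOW/BLOCK/QUARANTINE names and the function names are assumptions). It covers ZIP only, whereas the advisory also names tar and rar; the sample archive and its deliberately inconsistent copy are constructed in the script as a test fixture.

```python
"""Strict ZIP structure check for a gateway "malformed archive" policy.

Added example, not Symantec's code. Policy names and helper names are
hypothetical. A lenient unpacker that trusts only the central directory
will still extract from an archive whose local headers disagree with it,
so a gateway should treat any such inconsistency as a policy event.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header

ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"  # hypothetical policy values


def _check_local_header(data, idx, name, flags, method, crc, csize, usize, loc):
    """Compare one central-directory entry with the local header it points at."""
    out = []
    hdr = data[loc:loc + 30]
    if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
        return [f"entry {idx} ({name!r}): local header missing or bad signature at {loc}"]
    (_s, _v, lflags, lmethod, _t, _d, lcrc, lcsize, lusize,
     lnlen, _lxlen) = struct.unpack("<4sHHHHHIIIHH", hdr)
    lname = data[loc + 30:loc + 30 + lnlen]
    if lname != name:
        out.append(f"entry {idx}: name differs between directory ({name!r}) and local header ({lname!r})")
    if lmethod != method:
        out.append(f"entry {idx} ({name!r}): compression method differs ({method} vs {lmethod})")
    # With general-purpose bit 3 set, the local CRC/size fields are legitimately
    # zero and the real values live in a trailing data descriptor.
    if not (lflags & 0x0008) and (lcrc, lcsize, lusize) != (crc, csize, usize):
        out.append(f"entry {idx} ({name!r}): CRC/size fields differ between directory and local header")
    return out


def strict_zip_problems(data: bytes) -> list:
    """Return every structural inconsistency found; an empty list means clean."""
    problems = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    if len(data) < eocd + 22:
        return ["truncated end-of-central-directory record"]
    (_sig, _disk, _cd_disk, _n_disk, n_entries, cd_size, cd_offset,
     _comment_len) = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    if cd_offset + cd_size > eocd:
        return ["central directory extends past its end record"]
    pos, seen = cd_offset, 0
    while seen < n_entries:
        if len(data) < pos + 46 or data[pos:pos + 4] != CDIR_SIG:
            problems.append(f"central directory entry {seen}: missing or bad signature at {pos}")
            return problems
        (_s, _vm, _vn, flags, method, _t, _d, crc, csize, usize, nlen, xlen, clen,
         _dsk, _ia, _ea, loc) = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + nlen]
        problems.extend(_check_local_header(data, seen, name, flags, method, crc, csize, usize, loc))
        pos += 46 + nlen + xlen + clen
        seen += 1
    if pos != cd_offset + cd_size:
        problems.append("central directory size disagrees with its entries")
    return problems


def gateway_decision(data: bytes, quarantine_for_review: bool = False):
    """Hypothetical policy: clean structure passes, anything else is blocked or quarantined."""
    problems = strict_zip_problems(data)
    if not problems:
        return ALLOW, []
    return (QUARANTINE if quarantine_for_review else BLOCK), problems


def build_sample_zip() -> bytes:
    """Constructed test fixture: a small, well-formed archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample content\n")
        zf.writestr("data/config.ini", "[section]\nkey=value\n")
    return buf.getvalue()


def make_inconsistent_copy(data: bytes) -> bytes:
    """Constructed test fixture: zero the size fields of the first local header
    so it no longer agrees with the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        off = zf.infolist()[0].header_offset
    mutable = bytearray(data)
    struct.pack_into("<II", mutable, off + 18, 0, 0)  # compressed and uncompressed size
    return bytes(mutable)


def lenient_extract(data: bytes, member: str) -> bytes:
    """Python's zipfile trusts the central directory, so it still extracts the member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(member)


if __name__ == "__main__":
    good = build_sample_zip()
    bad = make_inconsistent_copy(good)
    print("well-formed:", gateway_decision(good))
    print("inconsistent:", gateway_decision(bad, quarantine_for_review=True))
    print("lenient unpacker still yields:", lenient_extract(bad, "readme.txt"))
```

The design point is that the gateway does not try to guess which unpacker a client will use: any disagreement between the two header structures, or any truncation, is enough to stop the file at the boundary, which is the policy the advisory recommends.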

Related article:

Symantec has reported a security problem in several of its anti-virus products for business and private users. As a result of a bug, the software can be fooled into overlooking malware when searching through specially crafted archives. The manipulation to create such archives formats them incorrectly, but even so, some applications and unpackers are still able to extract files from them.

This lack of detection is a particular problem at security gateways on network boundaries, with the result that for instance, for businesses, the opportunity of detecting a possible infection threat is reduced to that last line of defence, the anti-virus software on the end user's desktop. This particularly reduces the effectiveness of multi-tier approaches that use different anti-virus products.

Symantec nonetheless categorises the severity of the problem as low and in its security advisory merely provides tips for possible workarounds, rather than releasing an update. Administrators should, for example, change their gateway settings so that damaged archives are discarded. The evaluation of such vulnerabilities is a major point of distinction between different anti-virus product vendors. Last year, F-Secure evaluated the risk from such a vulnerability as high.

http://www.h-online.com/security/Security-problems-in-multiple-anti-virus-products--/news/113529

Published Tue, Jun 16 2009 1:59 by donna