[Plugins-writers] plugin 14835 (Symantec AV Corp Ed version) not accurate

From: Scott Sibert (ppcxws@private)
Date: Thu Oct 21 2004 - 07:12:13 PDT


Hello everyone.

Plugin 14835 (Symantec Norton Antivirus Version Detection) does not
correctly detect the version.

The referenced key (SOFTWARE\Symantec\Symantec AntiVirus\Install)
contains 7.50 if you have 7.50, 7.51, 8.0, 8.1, or 9.0.  I have 9.0
now and am distributing it and even on machines with SAVCE 9 installed
as a new install (not upgraded from earlier SAVCE) it has 7.50.

I have found, however, a location that does have the current version
but I'm not sure how useful it may be.  I don't know nasl so I don't
know its capabilities.

This is on Windows XP w/SP2:

HKLM\SOFTWARE\INTEL\DLLUsage\VP6

I have three keys in there:

C:\Program Files\Common Files\Symantec Shared\SSC\scandlgs.dll    REG_SZ    9.0.1000
C:\Program Files\Common Files\Symantec Shared\SSC\Transman.dll    REG_SZ    9.0.1000
C:\Program Files\Symantec AntiVirus\Rtvscan.exe    REG_SZ    9.0.1000

There's also another huge set of keys that has a lot more information
about SAVCE in:

HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion

InstalledProducts    REG_DWORD    0x80000026 (2147483686)
ProductVersion      REG_DWORD     0x03e80385 (65536901)
ScanEngineVersion    REG_DWORD    0x0102000d (16908301)



On a Windows 2000 Server w/SP4 and 8.1 client installed (not Server
but installed as a client):

(same 7.50 in SAV/Install)

HKLM\SOFTWARE\Intel\DLLUsage\VP6:

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan    REG_SZ    8.1.825
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliproxy.dll    REG_SZ    8.1.825


HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion:

InstalledProducts    REG_DWORD   0x0000007 (2147483655)
ProductVersion    REG_DWORD    0x03390321 (54068001)
ScanEngineVersion    REG_DWORD    0x04020007 (67239943)



On a Windows 2000 desktop and 8.0 client installed:

HKLM\SOFTWARE\Symantec\Norton AntiVirus NT\Install
has 7.50

HKLM\SOFTWARE\INTEL\DLLUsage\VP6

C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\Scandlgs.dll    REG_SZ    8.0.9374
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliporoxy.dll    REG_SZ    8.0.9374
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe    REG_SZ    8.0.9374


HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion

InstalledProducts    REG_DWORD    0x80000007 (2147483655)
ProductVersion     REG_DWORD     0x249e0320 (614335264)
ScanEngineVersion    REG_DWORD    0x0401000f (67174415)



I don't know how to change this plugin to look in these different
areas.  One thing that may cause problems with the C: being in the key
is if someone installed their Windows on a different drive letter.

If anyone would like to fix this plugin and make it useful I (and
probably others) would greatly appreciate it.  If anyone has further
questions about keys, etc., please let me know.

--Scott
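
The detection logic the post asks for, sketched in Python as an added example (not part of the original message and not the plugin's code): it finds the Rtvscan value by file name so the drive letter, 8.3 short path and missing extension do not matter, then cross-checks it against ProductVersion. The DWORD layout (high word = build, low word = a version code whose hundreds digit is the major version) is an assumption inferred only from the three samples in the post; the host labels and function names are made up here.

```python
import ntpath

# Values copied from the three hosts in the post; the host labels are constructed.
HOSTS = {
    "xp-sav9": ("7.50", {
        r"C:\Program Files\Common Files\Symantec Shared\SSC\Transman.dll": "9.0.1000",
        r"C:\Program Files\Symantec AntiVirus\Rtvscan.exe": "9.0.1000",
    }, 0x03E80385),
    "w2k-sav81": ("7.50", {
        r"C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan": "8.1.825",
    }, 0x03390321),
    "w2k-sav80": ("7.50", {
        r"C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe": "8.0.9374",
    }, 0x249E0320),
}

def rtvscan_version(dllusage):
    """Return the data of the Rtvscan value, matched on file name only."""
    for value_name, data in dllusage.items():
        # ntpath parses Windows paths on any OS; drop directory and extension.
        stem = ntpath.splitext(ntpath.basename(value_name))[0]
        if stem.lower() == "rtvscan":
            return data
    return None

def split_product_version(dword):
    """Assumed layout: low word = version code, high word = build number."""
    return dword & 0xFFFF, dword >> 16

def detect(install, dllusage, product_version):
    """Combine both sources and flag the Install key when it disagrees."""
    version = rtvscan_version(dllusage)
    code, build = split_product_version(product_version)
    agrees = False
    if version is not None:
        parts = version.split(".")
        agrees = int(parts[0]) == code // 100 and int(parts[-1]) == build
    stale = version is not None and not version.startswith(install)
    return {"version": version, "build": build,
            "dword_agrees": agrees, "install_key_stale": stale}

if __name__ == "__main__":
    for host, sample in HOSTS.items():
        print(host, detect(*sample))
```
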