BoneMachine, What do you mean by "a file has no Administrator read privileges"? Is the principal/group simply not present in the ACL for the object, or is an explicit deny set? Also, are you referring to the local administrators group, or the local administrator account (RID 500)? It matters. If, for instance, you had NAV running as NT AUTHORITY\SYSTEM and it attempted to open the file (ACLed with "deny read" set for the Local Administrators group) for a read operation, it will fail. A glance at the group membership for NT AUTHORITY\SYSTEM on an NT 4.0 or Win2k box reveals why: [User] = "NT AUTHORITY\SYSTEM" S-1-5-18 [Group 1] = "BUILTIN\Administrators" S-1-5-32-544 [Group 2] = "Everyone" S-1-1-0 [Group 3] = "NT AUTHORITY\Authenticated Users" S-1-5-11 If an explicit deny is set for the local admins group (that NT AUTHORITY\SYSTEM) is a member of, then the operation will fail. See attached zip archive for neato-keen screen shots of the read fail in action. If this is the problem you are encountering, which I suspect it is, you should be seeing audit failures in the security log that confirm this (you are auditing, aren't you?). It's a common misconception that the NT AUTHORITY\SYSTEM account doesn't have to play by the same rules as any other account when it comes to accessing ACLed resources. You can set explicit deny ACLs for the SYSTEM account on just about anything (File System objects, registry keys, system objects... get used to looking at blue screens with white letters if you decide to be silly with this functionality). HTH, Andrew Garberoglio, MCSE, CISSP Wells Fargo Services, Internet Technology Services "Let us prepare to grapple with the ineffable itself, and see if we may not eff it after all" -Douglas Adams <<cant_scan_me.zip>> -----Original Message----- From: BoneMachine [mailto:bonemachat_private] Sent: Wednesday, July 10, 2002 4:47 AM To: vuln-devat_private Subject: Norton antivirus fails to scan files I have a problem with NAV corporate edition 7.6. When a file has no Administrator read privileges assigned on a Windows 2000 or Windows NT host, NAV fails to scan the file for viruses. This is a bit odd because the NAV client runs with system privileges and according to my NT knowledge this should be enough to read those files. I've searched on the Symantec knowledge base and all I found was this: Error: "Application Log is Full" upon startup of Norton AntiVirus Corporate Edition http://service1.symantec.com/SUPPORT/ent-security.nsf/552ba2f7636bedf0882568 18006f78bf/304b3eb399b43ab588256a780056e5d7? I have also used the webform to post this issue to symantec about two months ago, but I had no response Also it is not possible to use an other account than administrator as the 'scan' account. So it is impossible to protect documents from accidental access by removing administrator privileges from a file (yes, I know that administrators can add themselfs to the ACL of a file, but that does require an extra action thus excluding accidental access) My thoughts are that there are two vulnerabilities to this behavior of NAV 1. A virus can protect itself from being scanned by removing administrator read privileges from itself and its copies. 2. The administrator needs read privileges on all files, files therefore cannot be protected from accidental access by administrators. Does anyone have the same experience ? Does anyone know of a virus that uses this technique to hide ? greetings Bone Machine -- "Hey! been trying to meet you" - The Pixies --
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 23:26:00 PDT