Symantec AntiVirus RAR archive bypass

1059

06 March 2020

27 April 2005

CLOSED

LOW

SUMMARY

 

A vulnerability has been identified in the Windows version of the Symantec AntiVirus component responsible for decomposing encoded/archived content. The vulnerability causes the decomposer component to crash when it receives a unique RAR file for decomposing and scanning. Malicious content placed inside a RAR file configured in this way can bypass the initial file scan and go undetected. The bypassed malicious content does not pose a risk until it is extracted from the RAR archive file. When it is extracted on systems running Symantec AntiVirus, the malicious content will be detected and eliminated by RealTime Virus Scan / Auto-Protect.

AFFECTED PRODUCTS

 

Symantec Response
The vulnerability has been traced to a particular component build environment that was in use for a limited period. The vulnerable version affected Microsoft Windows builds only.

Affected Products

Enterprise Products

Product                                Vulnerable Build    Fixed Build
Symantec Web Security                  3.0.1.72            3.0.1.74
Symantec Mail Security for SMTP        4.0.5.66            4.1.4.30
Symantec AntiVirus Scan Engine         4.3.7.27            4.3.8.29
Symantec SAV/Filter for Domino NT      3.1.1.87            3.1.2.91
Symantec Mail Security for Exchange    4.5.4.743           4.6.1.107

     


Consumer Products

Product                                   Vulnerable Build       Fixed Build
Symantec Norton AntiVirus 2005            11.0.0                 11.0.9
Symantec Norton Internet Security 2005    Contains NAV 11.0.0    Fixed with NAV 11.0.9
Symantec Norton System Works 2005         Contains NAV 11.0.0    Fixed with NAV 11.0.9


Note: Only Symantec products indicated above are potentially vulnerable. All other Symantec products are NOT affected.
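
A triage helper for the build tables above, added here as an example and not Symantec's own tooling: it compares installed builds field by field as numbers, so 11.0.10 is not mistaken for something older than 11.0.9, and flags any build that is neither the listed vulnerable build nor at or above the fixed build for manual review. Treating builds later than the fixed build as fixed is an assumption, and the sample inventory is constructed.

```python
# Added example: triage installed builds against this advisory's tables.
# Product names and builds are copied from the advisory. For the two suites
# that bundle Norton AntiVirus, pass the bundled NAV build.
NAV = ("11.0.0", "11.0.9")
ADVISORY = {  # product -> (vulnerable build, fixed build)
    "Symantec Web Security": ("3.0.1.72", "3.0.1.74"),
    "Symantec Mail Security for SMTP": ("4.0.5.66", "4.1.4.30"),
    "Symantec AntiVirus Scan Engine": ("4.3.7.27", "4.3.8.29"),
    "Symantec SAV/Filter for Domino NT": ("3.1.1.87", "3.1.2.91"),
    "Symantec Mail Security for Exchange": ("4.5.4.743", "4.6.1.107"),
    "Symantec Norton AntiVirus 2005": NAV,
    "Symantec Norton Internet Security 2005": NAV,
    "Symantec Norton System Works 2005": NAV,
}

def parse_build(text):
    """Turn '4.5.4.743' into (4, 5, 4, 743) so fields compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, installed):
    """Return 'not-listed', 'vulnerable', 'fixed' or 'review'."""
    if product not in ADVISORY:
        return "not-listed"  # the advisory says unlisted products are not affected
    builds = [parse_build(b) for b in (*ADVISORY[product], installed)]
    width = max(len(b) for b in builds)
    # Pad with zeros so '11.0.0' and '11.0.0.0' compare as the same build.
    vuln, fixed, have = (b + (0,) * (width - len(b)) for b in builds)
    if have == vuln:
        return "vulnerable"
    if have >= fixed:
        return "fixed"  # assumption: builds after the fixed build keep the fix
    # The advisory names a single vulnerable build per product; it does not
    # classify other builds below the fixed one, so check those by hand.
    return "review"

if __name__ == "__main__":
    inventory = [  # constructed sample inventory: (host, product, build)
        ("gw-01", "Symantec Web Security", "3.0.1.72"),
        ("mx-02", "Symantec Mail Security for Exchange", "4.6.1.99"),
        ("pc-17", "Symantec Norton AntiVirus 2005", "11.0.10"),
    ]
    for host, product, build in inventory:
        print(f"{host:6} {product:40} {build:10} {triage(product, build)}")
```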

MITIGATION

 

Recommendations:
As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends that any affected customers who are not already running a non-vulnerable product version/build update their product immediately to protect against these types of threats.

Updates are available either through Symantec's LiveUpdate for those products that have LiveUpdate capability or from the Symantec Support site at http://www.symantec.com/techsupp.

Symantec is not aware of any active attempts against or organizations impacted by this issue.

ACKNOWLEDGEMENTS

 

Symantec would like to thank André Jerleke a.k.a. Phiberz for bringing this issue to our attention.