18 November 2007

Norton Security Scan - False Positives


The Norton Security Scan utility is free, and bundled with the Google Pack.  It's an on-demand scanner that looks for malware and risks.

Unfortunately, it detects protective settings applied by Spyware Blaster and similar tools as being the very malware those tools protect against. This is a generic type of bug that often arises when a tool assumes that anything other than the default is a hostile change, or when overly loose detection cues are in effect.

Specifically, settings within HKCU's P3P\History that block unwanted cookies are detected as evidence of malware.  In the case I'm currently working on, only around 5 of over 100 protective entries were detected in this way.
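Before "fixing" anything a scanner flags under P3P\History, it is worth looking at what the entries actually say. The following Python script is an added example, not code from the original post or from any of the products mentioned. It parses a constructed .reg export of the per-site cookie rules key (assumed here to live at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History, with DWORD data 1 meaning "always allow" and 5 meaning "always block") and separates block rules, allow rules and anything else, so that protective entries can be told apart from values that genuinely merit a closer look.

```python
import re

# Constructed sample: a fragment of a .reg export of the IE per-site privacy
# (P3P\History) key, in the layout Regedit / "reg export" produce.  The
# domains and the mix of values are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History]
"adserver.example"=dword:00000005
"tracker.example"=dword:00000005
"login.example"=dword:00000001
"odd.example"=dword:00000007
"note"="not a per-site cookie rule"
"""

# Meaning of the DWORD data for a per-site cookie rule, as assumed here:
# 1 = always allow cookies from the site, 5 = always block them.
ACTIONS = {1: "allow", 5: "block"}

# A .reg value line looks like  "name"=data  (data may be dword:..., "string", hex:...).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_p3p_history(reg_text):
    """Return (name, kind, detail) tuples for every value under the P3P\\History key.

    kind is "allow", "block", "unknown-dword" (a DWORD with unexpected data)
    or "non-dword" (a value that is not a per-site cookie rule at all).
    """
    entries = []
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Key header: only the P3P\History section is of interest.
            in_key = line.rstrip("]").lower().endswith(r"\p3p\history")
            continue
        if not in_key or not line:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if data.lower().startswith("dword:"):
            value = int(data[len("dword:"):], 16)
            entries.append((name, ACTIONS.get(value, "unknown-dword"), value))
        else:
            entries.append((name, "non-dword", data))
    return entries


def summarize(entries):
    """Count entries per kind; a healthy protective set is mostly 'block'."""
    counts = {}
    for _, kind, _ in entries:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def needs_review(entries):
    """Entries that are neither plain allow nor plain block rules."""
    return [e for e in entries if e[1] not in ACTIONS.values()]


if __name__ == "__main__":
    found = parse_p3p_history(SAMPLE_REG_EXPORT)
    print("summary:", summarize(found))
    for name, kind, detail in needs_review(found):
        print("review:", name, kind, detail)
```

Run against a real export (reg export of the key to a file, then pass the file's text to parse_p3p_history), the summary shows how many entries are simple block rules of the kind Spyware Blaster writes, while needs_review lists only the values that do not fit that pattern.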

The tool then claims it is unable to fix these problems, which is just as well, as doing so would actually weaken system safety.  The end result is similar to Winfixer et al, i.e. false-positive (actually, reverse-positive) detections plus referral to feeware products if these are to be "fixed" - so one hopes Symantec will fix this sooner rather than later.

The case I'm working on is interesting, as it was brought in because it was slowing down, with malware as the suspected cause.  Formal scanning finds no active malware, and one wonders if the slowdown was the result of installing Google Desktop etc., with the false positive from Norton Security Scan as the red herring.

I'd like to try Norton Security Scan within mOS contexts such as Bart or WinPE CDR boot, but it appears as if the product is available only via Google Pack.  There are no references to it at Symantec's site, and the FAQ doesn't seem to consider "so where can I download this thing?" to be "frequently asked".

SARS Tax Returns vs. Acrobat Reader

Those using the South African Revenue Service (SARS) e-filing facility may find non-default safety settings within Adobe Acrobat Reader get in the way.

How to fix

Most likely you need only enable JavaScript, but when I had to troubleshoot this in the field, I applied all of the following settings...

Run Adobe Acrobat Reader 8.x

Edit menu, Preferences

JavaScript icon, [x] Enable Acrobat JavaScript

Multimedia Trust icon, Trusted Documents radio button, [x] Allow Multimedia Operations

Multimedia Trust icon, Other Documents radio button, [x] Allow Multimedia Operations

Trust Manager icon, [x] Allow Opening of Non-PDF File Attachments with External Applications

...and reversed them for safety when done.

Why use safer settings?

If these non-default settings stop things like SARS e-filing from working, why apply them? 

Because Acrobat files are already being exploited by spam, and a significant safety gap exists between what you think a .PDF is (i.e. a data format that is safe to read) and what it can do (automate your system via JavaScript, launching of other files and code, etc.).

Acrobat Reader is an exploitable surface that has often been patched to "fix" it, and for which unpatched vulnerabilities often exist.  Commercial enterprises have already exploited the by-design safety gap, e.g. by having .PDF documents "call home" when they are read, so that their usage can be tracked.

So one should keep Acrobat Reader on a very short leash, or use something else to "open" .PDF and other Acrobat file types.