Friday, August 31, 2007

Symantec says Verboten!

cc image credit: Jeremy Botter, flickr

The other day we were issued new "secure" USB flash drives at work.

These are 8-GB'er's and far outstrip the two 512 MB Sony sticks I had been wearing like dog-tags. It is also double my own Seagate "hockey-puck" 4-GB'er that I carry in reserve.

Needless to say, when the boss passed these out, we all scampered back to our cubicles like rats with cheese and went to work copying our data over to them.

I've been using DSynchronize (freeware) for some time now to keep my primary pile of utilities on my work machine sync'ed with my USB stick. This allows me to focus on updating the files on my work-machine current, then I can do a one-way sync to my USB stick to refresh it.

So there I am, syncing the files and suddenly my enterprise-class Symantec AV program goes ape-in-heat and starts tossing up virus/trojan/malware file quarantine warnings all over the place.

WTF!!!???!!!

Malware? There ain't no malware on my machines!

When the carnage subsided and the rest of my files were sync'ed I went back to look at what had occurred.

Ouch! Smacked by Symantec...

I came to find out that Symantec has decided to classify some wonderful, legitimate utilities as "hack-tools" or "potentially unwanted products (PUPS)" or just plain "malware".

Because of the way we have our Symantec deployments compartmentalized in our enterprise environment, we don't have much say in the Symantec policy settings. We are responsible to install the Symantec client on workstations, make sure the DAT files are getting applied across our workstations, and then go clean the buggers when they get infected anyway.

My network analyst and I tried to fiddle with the settings in Symantec Console to allow some of these but it appears it would need to be set globally, which we both don't want to do. I just want to have my network/anti-malware utilities and be able to use them un-accosted by Symantec. In our previous version of Symantec, I could turn off and change the settings on my AV client so it could "ignore" some programs, this latest version doesn't allow me that privilege.

(Sigh)

The List

So here are links to the applications that I now cannot keep on my USB or hard-drive at work, lest Symantec goes ape and my workstation is flagged again on the Console for being "infected" with these terrible programs.

SuperScan4 - Foundstone, Inc. (freeware) A great network IP/port scanning utility. (It has been crippled somewhat now since raw-sockets support got pulled from XP in SP2, but works fine in Windows 2000.)

HotBar Uninstall Program - HbUnist.exe - I like using this tool from HotBar to uninstall their own program when I find in on our machines at work. It is pretty effective.

Angry IP scanner - (freeware) - IP and port scanner program for analyzing networks with NetBIOS information support. (Rated #51 in Insecure.org's Top 100 Network Security Tools, BTW.)

I'm sure these aren't the only ones Symantec has black-listed. For now, both of these freeware utilities Advanced IP Scanner and Advanced Port Scanner are getting a "pass" from Symantec so I can do network IP/port scans for troubleshooting and network connection reviews.

A Problem worth a Petition?

The development team for Angry IP Scanner is so fed-up they have created an on-line petition to fuss at Symantec and McAfee for their classification against it:

Angry IP Scanner Listed As Malware Petition

I understand and concede the direction Symantec and others are coming from when they make this call, most enterprise groups DON'T want folks running IP/port scans or having anything associated with HotBar in their networks. However, when the door gets shut on utilities that the very staff who help service and protect those networks use, well...that's not cricket.

I'm going to continue working with my analyst buddy and see what we can work out in the configuration department. I remain hopeful of a workaround...which is kinda scary. IT staff having to work-around an IT security solution to keep things safe.

Oh, well...

--Claus

2 comments:

Anonymous said...

Not sure if it will work for you in your environment but I'll volunteer what we've done in ours.

Our enterprise AV is set up for centralized reporting with decentralized administration. In other words, the C_O levels can see everyone's details but the different divisions can see only their own relevant reports. For administration, the divisions are able to manage their settings independently (above the required baselines) but the top level still has override capability in times of crisis. Hope this makes sense so far.

Now, for our division, we are able to handle exceptions to our AV configurations that don't affect any other division.

However, we still don't want to set a global exception for something like an IP scanner that would allow every one of our users (or every malware thing that bundles a scanner) to run it.

Our approach is to only allow the exceptions for trusted IT workstations or laptops, but for your removable drive scenario you could coordinate a temporary exception if you needed a restricted utility on a non-IT workstation.

Anyway, hope this helps you or someone else and please keep posting on your progress of the situation.

Cheers,
Steve

Anonymous said...

Great tips Steve,

I'll share this with my network analyst and see if this can work in our configuration.

Thanks for taking the time to share!

I'll do and update post if we figure out a "workaround" for our situation.

--Claus