
Symantec's Bad Week - ontoillogical
http://blog.appcanary.com/2016/vikhal-symantec.html
======
Animats
We need ways to run "antivirus" software with fewer privileges. One way to do
this is what some DoD high-security systems call "guards" and "sanitizers".
When files come in from the outside, they're diverted to a jail, where
something has to examine them and decide whether they can get through, and
what changes have to be made to them. The guard and sanitization software runs
jailed or on a separate machine - it has few privileges. All it can do is look
at files and say yes or no, or remove something from the file.

There's a need for a division of labor here. The downloading function in a
browser shouldn't be allowed to look at the contents. The guard/sanitizer
function shouldn't be allowed to do anything other than say yes or no, or
modify the downloaded file. After processing each file, the guard/sanitizer
function is flushed and reloaded, so that if it was corrupted, it can't affect
other files.
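
The guard/sanitizer split described above, as an added example (not code from the post or from any DoD system): a parent that hands each incoming file to a freshly started, resource-limited child, which can answer only allow/deny/modify over a pipe and is thrown away afterwards. The toy policy (refuse PE/ELF, strip script blocks out of text), the worker, and the inputs are constructed for this illustration; it assumes a Unix host with Python's `resource` module. Real deployments add seccomp, namespaces, a dedicated uid or a separate machine, none of which a short script can show.

```python
import json
import resource
import subprocess
import sys

# Source of the guard/sanitizer process. A fresh copy runs for every file: it
# reads the file from stdin and may answer only with a verdict (plus the
# rewritten bytes for "modify") on stdout. It is given no path, no environment
# and no way to write files, so even a compromised guard can only lie about
# the one file it was handed.
WORKER_SRC = r'''
import json, re, sys
data = sys.stdin.buffer.read()
# Toy policy, constructed for this example: refuse native executables, strip
# script blocks out of text, let anything else through unchanged.
if data[:2] == b"MZ" or data[:4] == b"\x7fELF":
    verdict, out = "deny", b""
else:
    text = data.decode("utf-8")   # unhandled on non-text input: the guard crashes
    cleaned = re.sub(r"(?is)<script\b.*?</script>", "", text)
    if cleaned != text:
        verdict, out = "modify", cleaned.encode("utf-8")
    else:
        verdict, out = "allow", data
sys.stdout.write(json.dumps({"verdict": verdict, "data": out.hex()}))
'''


def _cap(limit, value):
    """Lower a resource limit to `value`, never above the inherited hard limit."""
    _, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def _confine():
    """Runs in the child between fork and exec (Unix only)."""
    _cap(resource.RLIMIT_CPU, 5)            # a parser stuck in a loop is killed
    _cap(resource.RLIMIT_AS, 2 << 30)       # decompression bombs hit a wall
    _cap(resource.RLIMIT_NPROC, 0)          # the guard cannot spawn anything
    _cap(resource.RLIMIT_FSIZE, 0)          # the guard cannot write files


def guard(data: bytes, timeout: float = 10.0):
    """Pass one incoming file through a brand-new guard process.

    Returns ("allow", data), ("modify", rewritten_bytes) or ("deny", None).
    Every failure of the guard itself (crash, hang, garbage answer) is a deny:
    the downloading side never interprets the file, and the next file gets a
    new guard, so a corrupted guard cannot carry anything over.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", WORKER_SRC],
            input=data, capture_output=True, timeout=timeout,
            preexec_fn=_confine, close_fds=True, env={},
        )
    except subprocess.SubprocessError:       # includes TimeoutExpired
        return ("deny", None)
    if proc.returncode != 0:
        return ("deny", None)
    try:
        answer = json.loads(proc.stdout)
        verdict = answer["verdict"]
        out = bytes.fromhex(answer["data"])
    except (ValueError, KeyError, TypeError):
        return ("deny", None)
    if verdict == "allow":
        return ("allow", data)      # keep our own copy; the guard's echo is not trusted
    if verdict == "modify":
        return ("modify", out)
    return ("deny", None)
```

The interface is the point: the parent never looks inside the file, the child never learns where it came from or where it is going, and a child that dies on a malformed input (here, anything that is not UTF-8) produces a deny rather than a compromised scanner that stays resident for the next file.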

~~~
acdha
Before going that far, we need a more effective way to get the vendors to
care.

Symantec could have chosen to ship only the minimal filesystem interface code
in the kernel and run the huge, complex inspection code in an isolated low-
privilege thread, just like the Windows NT guides recommended in 1993.

Symantec could have performed basic diligence and updated their dependencies
when security updates were released.

Symantec could have followed recommended practice for code auditing, fuzzing,
etc.

In each case they chose not to spend the money it'd take to be minimally
competent, correctly realizing that most of their customers will never check
and are unlikely to change their buying habits. Based on my experience running
their enterprise management tools and dealing with their support, I'm pretty
sure someone just made the business decision not to spend the money because
most of their customers have audit requirements to buy something and nobody
else in the industry is significantly better.

~~~
sathackr
There's always a better way to do things.

The problem is selling that better way.

If they had done things the way you say, their price point would have been
higher, while everyone else who didn't do it is lower.

I've been in many budget meetings where Product X does A, and Product Y does A
too. Both products let you put a check in the audit box. Product Y is 20%
cheaper than Product X. Without a glaring fault in Product Y, nobody will
spend the extra money for Product X.

The audit question is often worded: Is a centrally managed antivirus product
installed on every PC? Are the definitions for the product kept up-to-date?
Good! Pay us for verifying that (among other similarly useless questions) and
here's your SAS70/SSAE16/SOC1 papers.

Customer says "are you audited? can I see your papers? Good." -- due
diligence is considered done.

The people performing the audits rarely have a clue other than knowing that
there's supposed to be a check in that box.

It's all a game of CYA and security theater, with very little real security
being practiced.

~~~
acdha
> If they had done things the way you say, their price point would have been
> higher, while everyone else who didn't do it is lower.

This statement is too strong unless they're currently running on a razor-thin
profit margin and have cut every other possible source of waste in the
company. We're talking about a company with 6+ billion dollars in revenue
hiring a modest number of good security engineers – even if they paid them
twice the industry rate, it seems unlikely that it'd need to affect the price
at all, especially when you consider the long-term reduction in emergency
patch releases.

You're right that it's usually theater but consider how different it could be
if security really was top priority. A major vendor could turn it into a
selling point by publicizing the spotlight on gaps in audit standards. All
they'd need would be one big shift – finance, health care, .gov, etc. – and
it'd suddenly be a selling point for them for a product release cycle in
addition to being the right thing to do for their customers.

~~~
loup-vaillant
> _This statement is too strong unless they're currently running on a razor-
> thin profit margin and have cut every other possible source of waste in the
> company._

These days, profit margins tend to be _maximised_. If they can make a little
more profit by cutting a few more corners, they will probably do it. It
takes some ethics not to maximize profits at the expense of everything else.

If you want better security, you'll have to find a way to make it more
profitable for them —if not as an individual, as a community, or even as a
society. If better products aren't more profitable, you'll inevitably end up
with lemons.

The other path, questioning the profits paradigm altogether, is not easy.

~~~
acdha
Agreed - I don't know whether that will be insurance requirements, regulators,
etc. but we have little reason to think simple market forces will work better
in the future.

------
joeyrideout
I love the (military, not Zombieland) "double tap" nomenclature for follow-up
phishing emails that pretend to be warnings about recent phishing emails. It's
a pattern in social engineering that I've seen used a bunch, particularly in
"vishing" phone calls [1], but never had a good buzzword for until now.

[1] [https://youtu.be/h8kWcggio5A](https://youtu.be/h8kWcggio5A)

------
justinlardinois
Is there any reason for a Windows user to use anything other than Microsoft
Security Essentials (or Defender as it's been called since Windows 8)? It's
free and everything I've seen and read indicates it works just as well if not
better than commercial antivirus suites.

~~~
technion
It doesn't satisfy my auditors. Who can't seem to explain why ("it's not on
the list of boxes I can tick"), other than to direct us to the big four of
McAfee/Sophos/Kaspersky/Symantec.

~~~
reitanqild
Also some versions of SSL VPNs scan your computer and I'm not sure if all of
them accept the built-in MS antivirus.

(Protip: run such connections in a VM. This has a number of benefits:

* when they require a full scan it takes next to no time as the VM is almost empty

* when they cut off the rest of your network except for their site you can still reach google or your company server in the host machine.

* who honestly wants to run all those weird drivers on their day-to-day dev or sysadmin machine?)

------
DCoder
From SecurityWeek's writeup on the same topic [1]:

 _No interaction is required to trigger the exploit. In fact, when Ormandy
sent his PoC to Symantec, the security firm’s mail server crashed after its
product unpacked the file._

[1]: [http://www.securityweek.com/critical-vulnerability-symantec-av-engine-can-be-exploited-sending-email](http://www.securityweek.com/critical-vulnerability-symantec-av-engine-can-be-exploited-sending-email)

~~~
ontoillogical
The source for that detail is here: [https://bugs.chromium.org/p/project-zero/issues/detail?id=820#c1](https://bugs.chromium.org/p/project-zero/issues/detail?id=820#c1)

> I think Symantec's mail server guessed the password "infected" and crashed
> (this password is commonly used among antivirus vendors to exchange
> samples), because they asked if they had missed a report I sent.

> They had missed the report, so I sent it again with a randomly generated
> password.

I'm not 100% sure I buy it. The follow up comment is about how he had
mistakenly sent them a wrong testcase, and he had sent them similar exploits
in a zip with the password infected before (see
[https://bugs.chromium.org/p/project-zero/issues/detail?id=810](https://bugs.chromium.org/p/project-zero/issues/detail?id=810) from April 28th).

It would be incredible for Symantec to guess the password "infected" for ZIP
files. It's possible though!

~~~
jwcrux
"infected" is the industry standard. IIRC (could be making this up) gmail
knows to try "infected" in password protected zips.

~~~
ontoillogical
Yeah I'm just surprised it's going to be scanning zips with the industry
standard malware password for ... malware.

~~~
chipperyman573
If it didn't, malware devs could just send malware zipped in a password
protected folder with that password and tell users to enter that password to
unzip.
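
To make the "infected" convention concrete, here is an added example (not from the thread, from Symantec, or from Google): it builds a traditionally encrypted (ZipCrypto) archive with only Python's standard library, which can read but not write that scheme, so the PKWARE keystream is implemented inline, and then shows a toy gateway scanner that tries the conventional sample-exchange passwords before looking at the contents. The file name, the marker string the scanner looks for, the candidate password list and the fixed salt are all constructed for the example.

```python
import io
import os
import struct
import zipfile
import zlib

# Passwords that AV vendors and researchers conventionally use for exchanging
# samples; the first is the one the thread is about, the others are assumed.
CONVENTIONAL_PASSWORDS = (b"infected", b"malware", b"virus")

# Constructed stand-in for a detection signature; nothing here is real malware.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"

# Traditional PKWARE ("ZipCrypto") encryption, the only scheme zipfile reads.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class _ZipCrypto:
    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    @staticmethod
    def _crc(crc, byte):
        return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]

    def _update(self, byte):
        k = self.k
        k[0] = self._crc(k[0], byte)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = self._crc(k[2], k[1] >> 24)

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)          # the keystream is driven by the plaintext
        return bytes(out)


def make_encrypted_zip(name: str, payload: bytes, password: bytes, salt: bytes = None) -> bytes:
    """Build a one-entry, stored, ZipCrypto-encrypted archive by hand."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    salt = os.urandom(11) if salt is None else salt
    header = salt + bytes([(crc >> 24) & 0xFF])   # 12th byte lets readers reject bad passwords
    body = _ZipCrypto(password).encrypt(header + payload)
    fname = name.encode("ascii")
    flags, t, d = 0x0001, 0, ((2016 - 1980) << 9) | (5 << 5) | 17   # bit 0 = encrypted
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, 0, t, d,
                        crc, len(body), len(payload), len(fname), 0) + fname
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, 0, t, d,
                          crc, len(body), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + end


def unlock(archive: bytes, passwords=CONVENTIONAL_PASSWORDS):
    """Return (password, {name: bytes}) for the first candidate that opens every entry, else None."""
    for pw in passwords:
        try:
            with zipfile.ZipFile(io.BytesIO(archive)) as zf:
                files = {info.filename: zf.read(info, pwd=pw) for info in zf.infolist()}
            return pw, files
        except (RuntimeError, zipfile.BadZipFile):
            continue   # wrong password: check-byte mismatch, or a CRC failure on the 1-in-256 miss
    return None


def scan(archive: bytes, try_conventional: bool) -> str:
    """Toy mail-gateway verdict: 'unscannable', 'clean' or 'malicious'."""
    opened = unlock(archive, CONVENTIONAL_PASSWORDS if try_conventional else ())
    if opened is None:
        return "unscannable"
    _, files = opened
    return "malicious" if any(MARKER in data for data in files.values()) else "clean"
```

The two `scan` calls in the test show the trade-off the thread is circling: a gateway that does not try "infected" reports the attachment as unscannable and has to fall back to policy, while one that does try it gets a verdict, but only by handing whatever sits behind the password to its own parsers, which is exactly the path on which Symantec's mail server fell over.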

------
a_small_island
>"These vulnerabilities reminded me of phishing and the Double Tap for two
reasons. First, every one of these vulns can be exploited by just sending an
email. Since the product is an antivirus, so it’s going to scan every file
that touches your disk and every email you get for viruses. You don’t have to
get your target to click a link or even open the message you sent — Symantec
will happily try to parse every email you receive."

Another reason not to run any "antivirus" on your personal PC

~~~
Too
Wow. I've always been very against anti virus but never actually thought of
this aspect. The anti virus itself is a huge attack surface, probably with
higher risk than the risks it can mitigate. Sigh.

------
doodpants
So, do the "stop what you're doing and upgrade" links in the article actually
go to Symantec's site, or are they phishing links? Because that would be a
perfect example of the type of highly effective phishing the article is
talking about.

~~~
ry_ry
My finger hovered over the reply button for a second as I weighed up the
possibility that HN was part of an elaborate long-game attack vector!

------
sjclemmy
For anyone who doesn't know the title is a pun on
[https://en.m.wikipedia.org/wiki/PiHKAL](https://en.m.wikipedia.org/wiki/PiHKAL)

~~~
deckar01
Next thing you know they will be self administering their own 0-day exploits.

------
0xdeadbeefbabe
Footnote 1 _is_ very interesting (and so is the rest of the post):

> You know, it’s interesting that before I became the CEO of a startup, the
> only time I thought about “conversion rates” of emails in my career was when
> I was involved in phishing campaigns.

Edit: It's interesting to me that phishers are evil bad etc., and yet more
interested in responding well to the rhetorical situation than people with
careers.

~~~
joeyrideout
Perhaps malware vendors will soon begin content-marketing to increase
engagement with their target markets!

~~~
basicplus2
Symantec has been doing that very successfully it seems

------
walrus01
fixed that:

"tl;dr: If you use software with “Symantec” or “Norton” somewhere in its name,
stop what you’re doing and remove it completely."

------
droopyEyelids
I think everyone is confused because they don't understand Symantec's business
model.

They're primarily a rent-collecting entity that leverages the requirements of
regulating industries like PCI as a way to tax businesses.

That's why all these simple logical steps to make their product better aren't
(and won't be) implemented.

