SYM07-019 Symantec vulnerability detection relevant

(imported topic written by BenKus)

Several of our customers asked us about a Symantec vulnerability, SYM07-019 (http://www.symantec.com/avcenter/security/Content/2007.07.11f.html), and a couple of customers shared with us relevance that detects vulnerable versions of Symantec 10.

Here is the relevance (provided by a customer):

(exists file "rtvscan.exe" whose (version of it > "10.0.0.0" AND version of it < ") of it) of folder (
  (if (exists value "SAV Install Directory" of it) then (value "SAV Install Directory" of it as string)
   else if (exists value "SAVCE" of it) then (value "SAVCE" of it as string)
   else (if (exists value "NAVNT" of it) then (value "NAVNT" of it as string)
   else if (exists value "NAV" of it) then (value "NAV" of it as string)
   else if (exists folder (value of variable "ProgramFiles" of environment as string & "\NavNT" as string) whose (exists file "rtvscan.exe" of it)) then (value of variable "ProgramFiles" of environment as string & "\NavNT" as string)
   else ("Not Installed"))) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry)
AND (exists file "Dec2.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2AMG.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2ARJ.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2CAB.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2GZIP.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2ID.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2LHA.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2LZ.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2RAR.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2RTF.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2SS.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2TAR.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2Text.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2TNEF.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "Dec2ZIP.dll" whose (version of it does not equal "3.15.3.0") of it
  AND exists file "DecSDK.dll" whose (version of it does not equal "3.15.3.0") of it)
  of (value "Common Client Decomposers" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry as folder)

BigFix does not officially support this relevance, but since we have many customers using Symantec, we thought it would be helpful.

If someone wants to test this relevance or make a Fixlet and post results here, I bet it would help a lot of people.

Ben

(imported comment written by nberger91)

Here's the relevance for 9.x, hope this works for you!

(exists file "rtvscan.exe" whose (version of it > "9.0.0.338" AND version of it < ") of it) of folder (
  (if (exists value "SAV Install Directory" of it) then (value "SAV Install Directory" of it as string)
   else if (exists value "SAVCE" of it) then (value "SAVCE" of it as string)
   else (if (exists value "NAVNT" of it) then (value "NAVNT" of it as string)
   else if (exists value "NAV" of it) then (value "NAV" of it as string)
   else if (exists folder (value of variable "ProgramFiles" of environment as string & "\NavNT" as string) whose (exists file "rtvscan.exe" of it)) then (value of variable "ProgramFiles" of environment as string & "\NavNT" as string)
   else ("Not Installed"))) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry)
AND (exists file "Dec2.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2AMG.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2ARJ.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2CAB.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2GZIP.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2ID.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2LHA.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2LZ.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2RTF.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2SS.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2TAR.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2Text.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2TNEF.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "Dec2ZIP.dll" whose (version of it does not equal "3.2.14.26") of it
  AND exists file "DecSDK.dll" whose (version of it does not equal "3.2.14.26") of it)
  of (value "SAV Install Directory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry as folder)
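The decomposer-version check from the two relevance expressions above, as a stand-alone Python emulation run over a constructed inventory of file versions (an added example, not code from the thread or from BigFix). It uses the SAV 10 DLL list for both major versions and keys off the rtvscan.exe major version only, not the exact build bounds; every version string in the scenarios is made up for the demo. It also makes two properties of the posted logic visible: versions must be compared numerically (as the relevance "version" type does, and as a plain string compare does not), and "does not equal" ANDed across every DLL is true only when all of them differ from the fixed build, so a half-applied update is not reported while a build newer than the fix still is.

```python
# Added example (not from the thread): stand-alone emulation of the
# decomposer-version check in the relevance above, over a constructed
# inventory. Nothing here reads a real machine or registry.

FIXED_DECOMPOSER = {   # fixed Dec2 build per SAV major version, as given in the thread
    10: "3.15.3.0",
    9: "3.2.14.26",
}

DECOMPOSER_DLLS = [    # the DLL set the SAV 10 relevance checks (also used here for 9.x)
    "Dec2.dll", "Dec2AMG.dll", "Dec2ARJ.dll", "Dec2CAB.dll", "Dec2GZIP.dll",
    "Dec2ID.dll", "Dec2LHA.dll", "Dec2LZ.dll", "Dec2RAR.dll", "Dec2RTF.dll",
    "Dec2SS.dll", "Dec2TAR.dll", "Dec2Text.dll", "Dec2TNEF.dll", "Dec2ZIP.dll",
    "DecSDK.dll",
]


def parse_version(text):
    """'3.15.3.0' -> (3, 15, 3, 0): compare versions numerically, never as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(inventory):
    """inventory maps file name -> version string, as a client would report it.

    Returns None when no covered SAV client is present, otherwise a dict with:
      thread_relevance  - the posted logic: every decomposer DLL exists AND every
                          one is "not equal" to the fixed build
      any_older         - at least one DLL is numerically older than the fixed build
      newer_than_fixed  - DLLs that differ from the fixed build only by being newer
      missing           - decomposer DLLs absent from the inventory
    """
    rtvscan = inventory.get("rtvscan.exe")
    if rtvscan is None:
        return None                      # no SAV client at all
    fixed = FIXED_DECOMPOSER.get(parse_version(rtvscan)[0])
    if fixed is None:
        return None                      # a major version the advisory text does not cover
    fixed_v = parse_version(fixed)

    missing = [d for d in DECOMPOSER_DLLS if d not in inventory]
    present = {d: parse_version(inventory[d]) for d in DECOMPOSER_DLLS if d in inventory}
    return {
        "thread_relevance": not missing and all(v != fixed_v for v in present.values()),
        "any_older": any(v < fixed_v for v in present.values()),
        "newer_than_fixed": sorted(d for d, v in present.items() if v > fixed_v),
        "missing": missing,
    }


def make_inventory(rtvscan_version, dll_version, overrides=None):
    """Build a constructed inventory; the version strings are made up for the demo."""
    inv = {"rtvscan.exe": rtvscan_version}
    inv.update({d: dll_version for d in DECOMPOSER_DLLS})
    inv.update(overrides or {})
    return inv


# Constructed scenarios, not real machines.
UNPATCHED_10 = make_inventory("10.1.0.0", "3.10.1.0")
PATCHED_10 = make_inventory("10.1.0.0", "3.15.3.0")
PARTIAL_10 = make_inventory("10.1.0.0", "3.10.1.0", {"Dec2ZIP.dll": "3.15.3.0"})
NEWER_10 = make_inventory("10.1.0.0", "3.16.0.0")
UNPATCHED_9 = make_inventory("9.0.1.0", "3.2.14.0")

if __name__ == "__main__":
    for name, inv in [("unpatched 10", UNPATCHED_10), ("patched 10", PATCHED_10),
                      ("partially patched 10", PARTIAL_10), ("newer than fix 10", NEWER_10),
                      ("unpatched 9", UNPATCHED_9)]:
        print(name, evaluate(inv))
```

Running it shows the partially patched machine evaluating to not relevant under the posted logic while still having older DLLs on disk, which is the case to keep in mind if the Fixlet is meant to drive remediation rather than just report.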

(imported comment written by wnolan91)

Ben Kus wrote (quoting the Symantec 10 relevance posted above):

The above works well with the Symantec Decomposer component. However, after it is applied the machines come back as failed for about 5-10 minutes, then change to Fixed.

My logic for the Action was (this one failed to copy to the main server and Relays; not sure if there is something special for FTP):

download ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/symantec_antivirus_corp/10.0/updates/Dec3Update10.exe

continue if {(size of it = 1781760 and sha1 of it = "3d2f4dca028af1c280493a769b1e514a7277e15d") of file "dec3update10.exe" of folder "__Download"}

run "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" __Download\dec3update10.exe /log

I CHANGED it to (where dbfixletsite.us.db.com is a local IIS server):

download http://dbfixletsite.us.db.com/downloads/SAV/Dec3Update10.exe

continue if {(size of it = 1781760 and sha1 of it = "3d2f4dca028af1c280493a769b1e514a7277e15d") of file "dec3update10.exe" of folder "__Download"}

run "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" __Download\dec3update10.exe /log
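The integrity gate behind the "continue if" line above, written out as a stand-alone Python function (an added example, not code from the thread or from BigFix). It checks the size first, then the SHA-1 over the bytes, and refuses to proceed on either mismatch, which is what stops a truncated or substituted download from reaching the "run" step. The payload is constructed for the demo, so its size and hash are computed here; the real values for Dec3Update10.exe are the ones quoted in the action script.

```python
# Added example (not from the thread): the download integrity gate from the
# action script above, as a function. The sample payload is constructed.
import hashlib
import hmac


def verify_download(data, expected_size, expected_sha1):
    """Return (ok, reason). Only ok=True should let an action proceed to execute the file.

    Size is checked first because it is free and catches truncated transfers;
    the digest comparison uses hmac.compare_digest so it is constant-time.
    """
    if len(data) != expected_size:
        return False, "size mismatch: got %d, expected %d" % (len(data), expected_size)
    actual = hashlib.sha1(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha1.lower()):
        return False, "sha1 mismatch: got %s" % actual
    return True, "ok"


# Constructed payload standing in for a downloaded installer (not the real update).
SAMPLE = b"constructed installer bytes for the demo\n" * 8
SAMPLE_SIZE = len(SAMPLE)
SAMPLE_SHA1 = hashlib.sha1(SAMPLE).hexdigest()


def demo():
    """Exercise the gate with an intact, a truncated and a tampered copy."""
    return {
        "intact": verify_download(SAMPLE, SAMPLE_SIZE, SAMPLE_SHA1)[0],
        "truncated": verify_download(SAMPLE[:-1], SAMPLE_SIZE, SAMPLE_SHA1)[0],
        "tampered": verify_download(SAMPLE[:-1] + b"X", SAMPLE_SIZE, SAMPLE_SHA1)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "continue" if ok else "abort")
```

The tampered copy has the same length as the original, so only the digest check catches it; that is why the size check alone is never enough and the hash belongs in the "continue if" condition.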

(imported comment written by BenKus)

Hey wnolan,

You might have better success if you change the “run” to “wait” (or better yet, “waithidden” and remove the “RunQuiet” command).

Ben