Mar 12, 2009

CTM PowerMail 4.2.1 de Carbon <http://www.ctmdev.com>

vulners.com

Title
Multiple Vulnerabilities in iAntiVirus

Program
PC Tools iAntiVirus for Mac OS X
http://www.iantivirus.com/

Tested version
1.35, Engine Version 1.0.0.10

Tested on German Mac OS X 10.5 with the following preferences:

  • Scan inside archives ON
  • Scan mode NORMAL
    - Heuristics NORMAL

Description

  1. No scan in .sit- and .dmg-archives

    The scan function and the OnGuard on-access scanner don't
    scan .sit and .dmg archives.

    Impact:
    It's possible to download malware from the internet or
    to copy it from a USB stick without any interruption from
    iAntiVirus.
    Malware in .sit archives is recognized by OnGuard during
    manual decompression, but malware in .dmg disk images is
    only recognized during a manual scan of the mounted image.
    It's possible to run malware from the mounted disk image
    (tested with MacSmurf, which iAntiVirus recognizes as
    'Hacktool.OSX.MacSmurf').
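
The gap described in point 1 is a scanner that stops at the container boundary. The following Python is an added example written for this page (it is not code from the advisory or from PC Tools) showing the behaviour a scanner needs instead: look inside every archive member, recursively, with a nesting cap and a per-member size cap so that a deliberately deep or oversized archive cannot stall the scan. Zip and gzipped tar stand in for .sit and .dmg, which the Python standard library cannot open; the signature string, the sample "download" and the member names are all constructed for the demonstration.

```python
import gzip
import io
import tarfile
import zipfile

# Constructed marker standing in for a real signature; it is not a malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-DO-NOT-RUN"
MAX_DEPTH = 4                        # nesting levels to descend; deeper members are reported, not opened
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # refuse to inflate a single member beyond this (decompression bombs)


def _members(data):
    """Yield (name, bytes) for each regular member if data is a zip or (gzipped) tar, else nothing."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                yield info.filename, zf.read(info)
        return
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            for info in tf:
                if not info.isreg() or info.size > MAX_MEMBER_BYTES:
                    continue
                member = tf.extractfile(info)
                if member is not None:
                    yield info.name, member.read()
    except (tarfile.TarError, EOFError, OSError):
        return   # not an archive we understand: treat it as a plain file


def scan_bytes(name, data, depth=0):
    """Scan data and every archive member inside it; return [(virtual path, verdict)]."""
    hits = []
    if SIGNATURE in data:
        hits.append((name, "match"))
    for member_name, member_data in _members(data):
        path = f"{name}/{member_name}"
        if depth + 1 > MAX_DEPTH:
            hits.append((path, "skipped-depth-limit"))   # surface it rather than silently ignore it
            continue
        hits.extend(scan_bytes(path, member_data, depth + 1))
    return hits


def build_sample():
    """Constructed download: zip -> [readme.txt, inner.tar.gz -> payload.txt]; payload two containers deep."""
    tgz = io.BytesIO()
    with gzip.GzipFile(fileobj=tgz, mode="wb", mtime=0) as gz, tarfile.open(fileobj=gz, mode="w") as tf:
        info = tarfile.TarInfo("payload.txt")
        info.size = len(SIGNATURE)
        tf.addfile(info, io.BytesIO(SIGNATURE))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"clean file\n")
        zf.writestr("inner.tar.gz", tgz.getvalue())
    return outer.getvalue()


def build_nested(levels):
    """Constructed zip nested `levels` deep around the marker, to exercise the depth cap."""
    data, name = SIGNATURE, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


def demo():
    return scan_bytes("download.zip", build_sample())


if __name__ == "__main__":
    for path, verdict in demo():
        print(verdict, path)
```

The verdict list keeps the virtual path of every finding, so a hit inside a nested container is reported with the full chain of archives it was found in, and a member that was skipped because of the depth cap is reported as such instead of being silently passed as clean.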

  2. Problems with special chars in filenames

    The scanner, OnGuard and the quarantine management are
    unable to handle files whose names contain certain special
    characters, for example ?, which is transformed to Æ.

    Impact:
    False positives are lost, since it's impossible to restore
    them. It may also be possible to evade the virus protection.

  3. No user-restrictions in the quarantine-management

    All quarantined files are managed in the same area. Every
    user can restore the files of every other user, including
    the admin.

    Impact:
    A normal user can restore quarantined malware from other
    accounts; tested with the iWorks Trojan, which was
    installed by the admin and restored by a normal user.
    Additionally, the history function records no information
    about which user performed an action, and it can be erased
    by every user.
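
Points 2 and 3 are both properties of the quarantine store: it has to carry the original file name losslessly, whatever characters it contains, and it has to remember which account a quarantined file belongs to, refuse restores by anyone else, and record the actor behind every action in a history that ordinary users cannot wipe. The Python below is an added model of such a store written for this page, not code from iAntiVirus; the account names, paths and detection label are constructed. It keeps the original path as filesystem bytes (os.fsencode) so that a name such as one containing Æ survives the round trip unchanged.

```python
import os
from dataclasses import dataclass


@dataclass
class Entry:
    entry_id: int
    owner: str             # account the file was quarantined from
    original_path: bytes   # raw filesystem bytes: any name the OS accepts survives a restore
    detection: str


class Quarantine:
    """Per-user quarantine with an owner check on restore and an actor-stamped history."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.entries = {}
        self.history = []   # (actor, action, entry_id): every action records who performed it
        self._next_id = 1

    def _log(self, actor, action, entry_id):
        self.history.append((actor, action, entry_id))

    def add(self, actor, path, detection):
        entry = Entry(self._next_id, actor, os.fsencode(path), detection)
        self.entries[entry.entry_id] = entry
        self._next_id += 1
        self._log(actor, "quarantine", entry.entry_id)
        return entry.entry_id

    def visible(self, actor):
        """Admins see everything; a normal user sees only their own entries."""
        return [e.entry_id for e in self.entries.values()
                if actor in self.admins or e.owner == actor]

    def restore(self, actor, entry_id):
        entry = self.entries[entry_id]
        if actor != entry.owner and actor not in self.admins:
            self._log(actor, "restore-denied", entry_id)
            raise PermissionError(f"{actor} may not restore entry {entry_id} owned by {entry.owner}")
        del self.entries[entry_id]
        self._log(actor, "restore", entry_id)
        return os.fsdecode(entry.original_path)   # exact original name, special characters included

    def clear_history(self, actor):
        if actor not in self.admins:
            raise PermissionError(f"{actor} may not erase the history")
        self.history = [(actor, "clear-history", None)]   # the clearing itself stays on record


def demo():
    q = Quarantine(admins={"admin"})
    # Constructed paths and detection label; not real samples.
    trojan = q.add("admin", "/Users/admin/Downloads/iworks-trojan-sample.dmg", "constructed-detection")
    odd = q.add("bob", "/Users/bob/Æ?.txt", "constructed-detection")
    try:
        q.restore("bob", trojan)
        bob_restored_admin_file = True
    except PermissionError:
        bob_restored_admin_file = False
    try:
        q.clear_history("bob")
        bob_cleared_history = True
    except PermissionError:
        bob_cleared_history = False
    return {
        "bob_restored_admin_file": bob_restored_admin_file,
        "bob_cleared_history": bob_cleared_history,
        "bob_sees": q.visible("bob"),
        "odd_name_round_trip": q.restore("bob", odd),
        "history": list(q.history),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The denied restore is itself logged, so an attempt by one account to pull another account's quarantined file out is visible to the admin afterwards, which is exactly the information the advisory says the product's history lacks.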

  4. OnGuard only protects one user (or perhaps a few more)

    If OnGuard is on and another user logs in, it seems as if
    OnGuard is off. If that user copies some malware onto the
    system, it disappears without any warning: OnGuard is active
    and moves the files to the quarantine, but doesn't inform the
    user about this. If the first user is an admin, this seems
    to happen for every normal user. If the first user is a normal
    user, it sometimes happens for the admin as second user, but
    not every time.

  5. Ignorance of file-permissions

    Every normal user can start a "normal scan", which includes
    the system, library and program folders and the folders of
    every user.
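
Point 5 is the usual shape of a privileged scan helper: it runs with enough rights to read everything, and then reports on everything to whoever asked. The Python below is an added example for this page, not iAntiVirus code, of the check such a helper should apply: evaluate the classic Unix permission bits of each file against the requesting user's uid and groups (not against the helper's own privileges), prune directories that user could not enter, and hand back only the files they could have read themselves. The directory layout, file names and modes are constructed in a temporary directory by the demo.

```python
import os
import stat
import tempfile


def _bit_for(st, uid, gids, user_bit, group_bit, other_bit):
    """Unix permission check on a stat result for an arbitrary (uid, gids),
    independent of the privileges of the process doing the checking."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_by(st, uid, gids):
    return _bit_for(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def searchable_by(st, uid, gids):
    # Entering a directory needs its execute (search) bit.
    return _bit_for(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def scan_targets(root, uid, gids):
    """Walk root with the scanner's own privileges, but return only the regular files
    the requesting user could read; directories they cannot enter are pruned and reported."""
    allowed, denied = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            full = os.path.join(dirpath, d)
            st = os.lstat(full)
            if not stat.S_ISDIR(st.st_mode):
                continue   # symlinks to directories are not followed
            (keep if searchable_by(st, uid, gids) else denied).append(d if searchable_by(st, uid, gids) else full)
        dirnames[:] = keep   # prune in place so os.walk never descends into denied directories
        for f in filenames:
            full = os.path.join(dirpath, f)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue   # symlinks, sockets and devices are not scanned as files here
            (allowed if readable_by(st, uid, gids) else denied).append(full)
    return allowed, denied


def demo():
    """Constructed layout: shared.txt 0644, private.txt 0600, vault/ 0700 with a file inside."""
    me, my_gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("shared.txt", 0o644), ("private.txt", 0o600)):
            p = os.path.join(root, name)
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(p, mode)
        vault = os.path.join(root, "vault")
        os.mkdir(vault)
        os.chmod(vault, 0o700)   # set explicitly; mkdir's mode is subject to umask
        with open(os.path.join(vault, "secret.txt"), "w") as fh:
            fh.write("constructed sample\n")

        def rel(paths):
            return sorted(os.path.relpath(p, root) for p in paths)

        other = scan_targets(root, me + 1, set())   # some other, unprivileged account
        owner = scan_targets(root, me, {my_gid})    # the account that owns the files
        return {"other_user": (rel(other[0]), rel(other[1])),
                "owner": (rel(owner[0]), rel(owner[1]))}


if __name__ == "__main__":
    for who, (allowed, denied) in demo().items():
        print(who, "allowed:", allowed, "denied:", denied)
```

Running the walk once per requester with their identity, rather than once with root's, is what keeps a "normal scan" started by one account from enumerating or reading into the home folders of the others.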

Solution
None

Credits
Carsten Eilers

Original advisory
http://www.ceilers-it.de/advisories/iantivirus.html
(also available in a German version)

Regards
Carsten Eilers