Home page logo
/

basics logo Security Basics mailing list archives

SV: Authencity of AV downloads
From: "Anders Lundman" <Anders.Lundman () skb se>
Date: Wed, 10 Mar 2004 10:45:37 +0100

Hi all

With regards to Checking AV files for authenticity. It is possible to check this in McAfee's .zip files. Follow this 
link to info from NAI. 
https://knowledgemap.nai.com/phpclient/viewKDoc.aspx?externalID=KB_nai18653&sliceID=&docID=KC.KB_nai18653&url=kb/kb_nai18653.xml&dialogID=5214837&docType=DOC_KnowledgeBase&iterationID=1

I would imagine that this process can be duplicated by extracting validate.exe and running in directory of choice 
containing McAfee files, 

Regards 

Anders Lundman

"What you do in this world is a matter of no consequence;The question is, what can you make people believe that you 
have done." --Sherlock Holmes in "A Study in Scarlet"



-----Ursprungligt meddelande-----
Från: Raghu Chinthoju [mailto:chraghu_ml () mailcan com] 
Skickat: den 6 mars 2004 21:03
Till: security-basics () securityfocus com
Ämne: Authencity of AV downloads


Hi Group,

I have been looking at the virus definition files distribution mechanism of few of the Antivirus vendors like McAfee, 
Sophos, Symantec, ESafe etc. None of these folks provide any authenticity like MD5 hashes, PGP signatures etc along 
with these downloads, nor these files are encrypted in some form, nor do their sites run any secure web services. The 
files are downloadable from plain HTTP and FTP servers. The same is the case with download of the virus removal tools 
like stinger etc. The sole authenticity of the downloaded stuff depends on "how authentic the domain name to IP 
resolution is" OR "how secure the name services in the path from my PC to the AV vendor are"! In my opinion, it is 
relatively easy to compromise plain DNS. Things can get worse if the AV vendors name server itself is compromised! May 
be I'm not the first to raise this, but how come these AV vendors have not acted upon this (hope I'm not missing any 
thing here)? 

Your thoughts?

Regards,
Raghu

-- 
http://www.fastmail.fm - Same, same, but different...

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault