RE: Vulnerability in Symantec Anti Virus Corporate Edition v9.x
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Wed, 31 Aug 2005 20:13:59 -0400
Don't allow authenticated access to the LiveUpdate repository. If you allow
read-only anonymous access to the LiveUpdate repository, clients won't need
to store or use credentials. If they don't use credentials the logging issue
If you use that method you also don't have to worry about whether the
Settings.LiveUpdate encrypts the saved credentials well enough (because
there won't be any credentials in there).
You would probably have to change both the clients and the server - clients
configured to authenticate may fail to access the anonymous repository.
Anonymous read-only access to LiveUpdate files is often OK because they are
publicly available files. The downside is that anyone can take a look at the
state of your LiveUpdate files and might use version or product information
against you in some way.