(02/12/2001) – You just finished securing 10 executives’ laptops with personal firewalls, pleasing your boss. Now he wants you to secure the corporate workstations – all 500 of them across multiple domains and in three cities, two of which are on the opposite coast. At least he finally realized the corporate firewall doesn’t protect mobile users, telecommuters, branch offices, or internal users from one another – where about half of all security breaches occur.
Before you cancel your summer vacation plans, try Symantec Corp. Specifically, Symantec’s Desktop Firewall 2.0.
Symantec broke all speed records in upgrading last year’s firewall for its first corporate offering. It’s using the same engine as in Norton Personal Firewall 2000 and Internet Security, but has completely changed how one deploys, configures and maintains the firewall within the firm – for which it is well suited.
After you install the software, you can tighten security by modifying the firewall’s rule set and distribute the rules throughout the organization: Enter the Rule Set Packager Tool.
First, the tool creates a rule set on a client installation of your choice. This becomes your reference system. After the rule set you’ve created fits the needs of your organization, the tool creates a self-extracting executable program to update client machines. You can also use it to create a *.reg file that contains the rules in a readable format.
Distributing the executable file can be done in several ways, including as a linked download from the corporate Web site, via e-mail, or through a logon script. As the rule set installs itself on the client, it overwrites all previous rule sets, including those created by the user.
Unfortunately, this feature creates two potentially serious flaws. First, a hacker can create a rule set with a gaping hole, then e-mail it to people within the organization. Second, there is nothing that prevents your savvy users from modifying the rule set to access their favorite sports network – and breaching the firewall in the process.
Symantec officials say they are addressing this issue in response to customer concerns and should have a more secure means of updating the rule sets with the next release. Our guess is that they’ll employ digitally signed updates. Until then, we suggest using logon scripts to refresh the rule sets daily. We would also set the server to force logoffs overnight, thereby ensuring that a fresh logon takes place in the morning. While these actions won’t plug the hole, they will minimize the window during which a tampered rule set stays in place.
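To show what the update check we expect from the next release would have to do, here is an added example (not Symantec’s code): a client accepts a packaged rule set only if its authentication tag verifies and its version counter is newer than the installed one, so neither a rule set mailed in by an outsider nor a replayed older package overwrites the current rules. A shared-secret HMAC stands in for the digital signature; the package format, names and sample rules are constructed for the example.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

# Hypothetical package format: version counter, rule text, tag over both.
class RulesetUpdate(NamedTuple):
    version: int   # monotonic, so an old (weaker) genuine package cannot be replayed
    rules: bytes   # the rule set itself, e.g. the exported .reg text
    tag: bytes     # HMAC-SHA256 over version || rules (stand-in for a signature)


def sign_ruleset(key: bytes, version: int, rules: bytes) -> bytes:
    """Tag computed by the administrator's packaging step (hypothetical)."""
    msg = version.to_bytes(4, "big") + rules
    return hmac.new(key, msg, hashlib.sha256).digest()


def accept_update(key: bytes, installed_version: int, update: RulesetUpdate) -> Optional[str]:
    """Return None if the update may be applied, otherwise the reason it is refused.
    The tag is checked first, in constant time, so a package built without the key
    is dropped before its rule contents are looked at."""
    expected = sign_ruleset(key, update.version, update.rules)
    if not hmac.compare_digest(expected, update.tag):
        return "bad signature"
    if update.version <= installed_version:
        return "stale version %d (installed %d)" % (update.version, installed_version)
    return None


def demo() -> dict:
    """Constructed scenarios: a genuine update, a forged one, and a replayed old one."""
    key = b"constructed-demo-key-not-for-real-use"
    installed = 7
    good = RulesetUpdate(8, b"block inbound tcp/139\n", b"")
    good = good._replace(tag=sign_ruleset(key, good.version, good.rules))
    # Someone without the key can only guess a tag for a rule set with a hole in it.
    forged = RulesetUpdate(9, b"allow any any\n", b"\x00" * 32)
    # An older genuine package, captured earlier and replayed after version 7.
    old = RulesetUpdate(5, b"allow inbound tcp/139\n", b"")
    old = old._replace(tag=sign_ruleset(key, old.version, old.rules))
    return {
        "good": accept_update(key, installed, good),
        "forged": accept_update(key, installed, forged),
        "replayed": accept_update(key, installed, old),
    }


if __name__ == "__main__":
    print(demo())
```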
The fun part of security product reviews is getting to unload an arsenal of tools that test the mettle of the product. With Desktop Firewall in our sights, we were ready to attack.
It passed Gibson Research’s LeakTest, which tests the firewall’s protection against Trojan horses, as well as Gibson’s ShieldsUP, which checks for open ports and undesirable Windows shares.
We then attacked with a significantly more serious tool: Internet Security Systems’ Internet Security Scanner, Version 6.1, which performs as many as 768 checks, including 16 denial-of-service attacks designed to bring any unprotected machine to its knees. Despite our best efforts, Desktop Firewall remained standing.
Menu of install options
We were equally impressed with the number of installation options Symantec offers. If you count the old-fashioned method of sharing the CD-ROM, Desktop Firewall offers six install options. The product supports Microsoft’s Internet Information Server (IIS) Versions 4.0 and 5.0 and Apache’s HTTP Server Version 1.3.12 or higher. It also supports NetWare and Windows NT logon scripts, as well as Microsoft’s SMS. If you’d prefer to set up a network installation on your file server, Symantec has that covered, too.
The documentation was simply the best. Copying the client installation files to the Web server was a simple, three-step process: create a folder, insert the CD-ROM and copy three folders from the CD-ROM to the server. Configuring the Web server is nearly as straightforward, although slightly different for Apache than for IIS. To set the server name and virtual directory, we edited the startnt.htm or start9x.htm files.
Installation can be interactive (bother the user) or silent (user has no idea). To do a silent installation or a basic user interface install (with a progress bar), you’ll need to modify the appropriate *.ini file, depending on the client operating system.
Although configuring Desktop Firewall for installation via NetWare and NT logon scripts is a little more involved, Symantec has provided an interactive, graphical user interface configuration tool for making the necessary changes to the logon scripts.
There was a lack of information about SMS installations, but Symantec provides two package definition files, one for SMS 1.2 or earlier, and one for SMS 2.0 or later.
Desktop Firewall is a well-designed and documented program that’s impervious to everything we could throw at it. We’re still concerned with the two rule set security flaws, so make sure you check with Symantec before you buy. With those patches in place this product will let you protect those 500 workstations, and you can leave for vacation.
Janss is the president of Jansys Information Systems, a consulting firm specializing in IS technologies for small businesses. He can be reached at [email protected]
Prices listed are in Cdn currency.
First, one of the bugs was planted on a computer with Windows 98. Then all the antivirus programs were installed, one after the other, in their latest versions, including all updates. Then, the next bug was planted and we repeated the tests. We started a fresh Windows 98 installation every time before installing the bugs and antivirus programs.
The result was crushing: Although all programs detected Pretty_Park and Subseven, nearly all of the programs ruined the computer. After cleaning out the bugs, either no .exe file could be executed again or the system crashed. Only AntiVir was able to remove Pretty_Park and leave the computer system running without failure afterwards.
AntiVir was also the only program that pointed the user, in an exemplary way, to the dangers and special features of that worm, in addition to removing it completely. However, AntiVir failed to clean out Subseven, and it too left the computer ruined after trying. The same thing happened when we tested all the other antivirus programs.
Sophos, at least, referred the user to phone support via an on-screen message if further help was needed.
So if your computer is infected, you will have a serious problem cleaning it up. Most antivirus programs misled the user by giving hints and comments that the user should do this and that. If the user follows these instructions, he is led directly into a catastrophic situation where no programs can be started at all.
Even an emergency floppy with a protection program to restart the system didn’t work in this case. Every single program on the floppy deleted the parasites from the system, but none of the programs working under DOS or Linux operating systems could restore the registry. As a result, the computer could be started, but no program could be executed again.
Shocked by this bad result, we confronted the developers. We asked the programmers and virus researchers for exact and current information. Their excuses were almost more surprising than the bad behavior of the programs.
Most of them were not surprised by our test results, but protested against the testing method itself. They are offering tools on their Web sites that can solve these problems, they said.
The vendors may know about the tools on their Web sites, but the user, who has every right to expect complete protection from the antivirus developers, doesn’t. If a backdoor virus program is already running in the background on your computer, and the whole world can access your system, it’s very dangerous to go online to seek and download special tools. When you start trying to clean the computer, it is too late. Your computer is already open to hackers.
Some manufacturers say that they are working on developing an antivirus program that does a complete cleaning of systems, including the registry, but it still takes some time.
In our view, this task should not be too difficult, so we do not understand why months and years should be needed. Furthermore, when running an antivirus program, the user should first be informed about the peculiarities of the virus and not be urged to remove it immediately. This would serve the user better. The virus would still be active, of course, but other emergency measures can be taken, since at least the system is not dead.
Another excuse was that Subseven is a backdoor program. So it is not a virus but a Trojan horse. The manufacturers sell antivirus programs, not anti-Trojan or anti-backdoor programs, they said.
Such technical hair-splitting scorns the user, who often pays 50 to 100 marks for an antivirus program that certainly tries to detect and clean out bugs that are not exactly viruses. If the program tries but fails to accomplish this task, how can the manufacturer say that it’s not their business?
A few years ago, there were similar problems with viruses like W95/CIH.1003. Most antivirus programs detected the virus within a few days, but until today, only very few antivirus programs achieved a complete removal. To update the program to detect the virus in the memory, the developers needed from a month up to several years. Thus changes in the antivirus program only benefited some users.
What You Can Do
We have compiled a list of links to the developers of the antivirus programs that seemed to work best.
We recommend the special cleaning program from Norton Anti Virus for removal of the Pretty_Park worm, because it is easiest to use and removes the worm even from memory. If Subseven or Pretty_Park has infected your system, we recommend downloading a .reg file from McAfee’s home page and then executing it. This repairs your registry, and you can start .exe files again.
AVP:
Pretty_Park worm ( http://www.avp.ch/avpve/worms/ppark.stm)
No information about Subseven backdoor available.
AntiVir:
General virus information ( http://www.antivir.de/vireninfo/index.htm)
No further information available, because the link to the corresponding descriptions is deactivated at the moment.
McAfee:
Subseven backdoor ( http://vil.nai.com/villib/dispvirus.asp?virus_k=10171)
Pretty Park worm ( http://vil.nai.com/villib/dispvirus.asp?virus_k=10175)
Here you can download the file UNDO.ZIP, which includes a repaired version of the registry ( http://download.nai.com/products/Mcafee-Avert/undo.zip).
Instructions: Unpack the file, then start the attached file with the ending .reg (double-click it in Explorer). Click “Yes” to repair the registry so that you can execute .exe programs again.
Norman Virus Control:
Home page ( http://www.norman.com)
No further information available.
Norton Anti Virus:
Program to remove the Pretty_Park worm
Instructions: Unpack the file in a temporary directory and start it. The worm will be removed from the memory and hard drive, and the registry will be repaired. Thereafter, the computer should be rebooted and the system should be checked by a virus program again.
Instructions for this program can be found at
Sophos:
Subseven backdoor ( http://www.sophos.com/virusinfo/analyses/trojsubseven.html)
Pretty_Park worm ( http://www.sophos.com/virusinfo/analyses/w32pretty.html)
Batch file pretty.bat to remove the Pretty_Park worm
Instructions: Execute the program on an infected computer (if possible not in a DOS window but in plain DOS mode) and restart the system.
The original text in German can be found at http://www.pcwelt.de/content/artikel/artvirus/200008kapitulation31072000001.
Prices listed are in US currency.