eEye Digital Security


Symantec Decomposer Vulnerabilities found by Blink, I cannot locate SD, Neither can LiveUpdate!

Last post 02-27-2009 5:44 PM by rhkohl. 6 replies.
  • 06-29-2008 5:09 PM

    Symantec Decomposer Vulnerabilities found by Blink, I cannot locate SD, Neither can LiveUpdate!

    My Blink 3.5.8 Vulnerability-Assessment Security Checklist lists vulnerabilities on my machine (WinXP Pro SP2) in the "Symantec Decomposer component" (CVE 2007-3699 &-0447) and "Symantec Decomposer engine" (CVE 2008-0308 & -0309).  (In both cases, I am to "Update the product using LiveUpdate or apply appropriate patch".)  LiveUpdate (and Add & Remove Programs, and my knowledge - for what that is worth) found only Live Update and LiveReg as the Symantec programs on my computer.  I ran LiveUpdate on its own anyway, re-ran Vulnerability Assessment Scan, and, sure enough, the two vulnerabilities are still there.  Removing all removable drives (one of which is my Back-Up USB Hard Drive) and rescanning did not help.

    Does anyone have any ideas?

  • 06-30-2008 12:46 AM In reply to

    Re: Symantec Decomposer Vulnerabilities found by Blink, I cannot locate SD, Neither can LiveUpdate!

    Problem with LiveUpdate is that if you run it from the Control Panel, all that it updates is LiveUpdate, not your products.

     You need to open your Symantec Product (Mail Security, Endpoint, whatever) and click the LiveUpdate link in it.  See:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948 and look at the solution.

    I hope this fixes your problem. :)

  • 01-06-2009 11:06 PM In reply to

    Re: Symantec Decomposer Vulnerabilities found by Blink, I cannot locate SD, Neither can LiveUpdate!

    Just recently got back to this.  The issue is that Blink's Vulnerability Scan finds vulnerabilities (currently, with Blink 4.2.1, these are the above plus CVE-2008-308 and CVE-2008-309, also involving the Symantec Decomposer) which appear to arise from components/programs which are not (as far as I can tell) installed on my computer!  That is, regarding Spunner's phrase, "You need to open your Symantec Product", I have no idea what that "Symantec Product" might be!  Nothing appropriate can be found in LiveUpdate's list, or the Add-or-Remove-Programs list.  I searched C: for "Symantec" and explored every nook and cranny found.  All involved LiveUpdate or LiveReg or were text lists.  I next tried a search on "Norton" and found a folder, "NortonAV" which contained all the pieces of Norton Anti-Virus 2003, which apparently came on my computer hard drive at purchase (as it was in C:\IBMTOOLS\APPS), but which has never been installed.  (I checked the Add-and-Remove-Programs list to be sure, no Norton anything.)

    (#1) Apparently, Blink's apparent use of some Norton Anti-Virus components (http://forums.eeye.com/forums/p/631/2671.aspx#2671), does not trigger the appearance of these vulnerabilities in the Blink-Vulnerability-Scan listing or someone would have let us know so in this thread.

    (#2) Given (#1), can uninstalled components of Norton Anti-Virus 2003 trigger the appearance of these vulnerabilities in the Blink-Vulnerability-Scan listing?  If so, how can I tell that this is the case in my case?

    (#3) If the answer to the first part of (#2) is "yes", it might be nice if a Blink-Vulnerability-Scan list item contained some indication of what it was that triggered the listing of that item.

    Thank you for your time, it is much appreciated.

  • 01-07-2009 12:22 PM In reply to

    Re: Symantec Decomposer Vulnerabilities found by Blink, I cannot locate SD, Neither can LiveUpdate!

    Is there any chance that you might have had a Symantec product installed on your system in the past?

  • 01-07-2009 2:34 PM In reply to

    Re: Symantec Decomposer Vulnerabilities found by Blink, I cannot locate SD, Neither can LiveUpdate!

    Not to my knowledge.  It was several computers ago that I had Norton AntiVirus & Utilities.  LiveUpdate seems to have come with this computer (in 2003).  I have installed technical programs (e.g., MathCad, TableCurve) that conceivably might have non-obvious Symantec components in them unknown to me.  But no component-like items showed up in the two searches mentioned above except for two separate “norton.dll” files in separate Lenovo\local\collect folders within separate subfolders of C:\Program Files.  Searches of the Registry for Norton, and for Symantec did not show any link to applications other than LiveUpdate and LiveReg -- to my untrained eye.  A Registry search for Decomposer gave nothing.  Perhaps I need to raise this issue with Lenovo since anything Symantec on my computer seems to have come via OEM, as far as I can tell.


    Any other suggestions will be appreciated.


    Again, it would seem to be a good idea for future eEye Blink users to be able to find out, in what appears to be difficult cases like this, someway, somehow, what it was that triggered the listing of a particular vulnerability item in the vulnerability listing.

  • 01-20-2009 1:42 PM In reply to

    • Ziad

    Re: Symantec Decomposer Vulnerabilities found by Blink, I cannot locate SD, Neither can LiveUpdate!

    I think I can help, rhkohl.

    1. Run the Norton Removal Tool from http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039  It is pretty effective at removing remaining traces of Norton/Symantec software.  It is often as embedded as a rootkit.
    2. Use a registry cleaner like CCleaner - after using the removal tool and restarting.
    3. I have seen such software creep onto machines from several sources: a small partition in the drive from the factory, virus scan at the OEM/retailer or someone who serviced your computer.  Whenever I buy a new drive, or do a clean install, I wipe the drive completely with DBAN first to make sure I am starting from bare metal with no legacy issues or factory partitions.  For example, Vista laptops from Acer now come with 5 partitions, of which only the C and D (recovery) logical drives are visible to the user.
    Let us know how it goes.

  • 02-27-2009 5:44 PM In reply to

    Re: Symantec Decomposer Vulnerabilities found by Blink, I cannot locate SD, Neither can LiveUpdate!

    Ziad,

    I have been busy and just got to this once again.  Your suggestion worked like a charm!!!

    For those who do this:
    + All the leads on the Symantec webpage lead to the same Norton Removal Tool.   They just lead, first, to different ways to "save your product key".
    + I had a terrible time getting the Removal Tool to proceed to its first window.  After starting it, my firewall asked for permission to let it go out on the internet, which I allowed, but then the Removal process just sat for 10 minutes with 0% CPU usage.  I gave it permanent permission to go out on the internet, but every try at starting it gave the same behavior (and you had to reboot for every new try as just ending the process would not let a new start take place).  I got so I did other things while waiting for the Removal process to continue, and once accidentally started an installation process on another piece of software, but that seemed to jostle the Removal process out of its somnolence, and it brought up its first window.  From then on it was smooth sailing.  I used CCleaner 2.16 for the registry cleaning.
