Vunerability in eTrustT EZ Antivirus - All Versions Except 7.x

  • Thread starter Thread starter gilbert grape
  • Start date Start date
From CAI's web site....
Vulnerability Information:

Computer Associates Int'l., Inc. has confirmed the presence of a Medium-Risk vulnerability
that affects the ability of eTrust EZ Antivirus to properly filter specially formatted .ZIP
files.

This vulnerability affects our decompression engine (Arclib.dll) which is embedded into the
following supported versions of eTrust EZ Antivirus and eTrust EZ Armor:

eTrust EZ Antivirus r6.1
eTrust EZ Antivirus r6.2
eTrust EZ Antivirus r6.3
eTrust EZ Armor r2
eTrust EZ Armor r2.3
eTrust EZ Armor r2.4

This vulnerability exists due to problems with the parsing of ZIP file format headers. The
file format for ZIP files specifies a both Local and a Global header. The Local Header is
in the beginning of the ZIP file and is before the compressed data and the Global Header is
att the end of the file. A specially crafted exploit can change the uncompressed file to a
size of zero in the ZIP header thus allowing it to bypass the scannera of some antivirus
software.

I received a document that indicates that McAfee also suffers from the same vulnerability as
Computer Associates eTrust but Trend and Symantec products are not vulnerable to this
exploit.

The following is my understanding for McAfee:
McAfee DAT v4397 provided an early protection for the exploit targeted specifically for
Gateway and Command Line Scans. McAfee DAT v4398 will flag a ZIP file using this exploit as
"Exploit-Zip Trojan".

Dave





| EZ Antivirus users should check this page:
|
| http://crm.my-etrust.com/CIDocument.asp?KDId=2221&GUID=2466D695F1A64894B7F4A
| 94A727205BE
|
|
| (Careful of any link wrap)
|
|
|
 
gilbert grape said:
EZ Antivirus users should check this page:
Click to expand...

........I just downloaded 7 and when I tried to install I get an error saying
WS2_32.dll not found. I've been trying manually to get rid of spyware and
may have axed this file - or it's used by the spyware - don't know - this
message always comes up when I open IE but hasn't hampered anything that I
know of. Then I get

Error executing the specified program
C:\windows\temp\pftA310~temp\setup.exe
click close then get
Unable to execute the specified command line

There is no folder named as such above on my 'puter. I do have a pft
8035~tmp which contains EZ files from this year's resubscription. Can I
just axe the contents of the temp folder and retry?

.......Still on Win95b.......and getting more computer illiterate by the
day.... :-( I plan on downloading Spybot and others, but browsing has
become so slow I had to get rid of some of the parasites first. Thought I'd
update the anti-virus first.......sigh

thanks for any help
buglady
take out the dog before replying
 
.......I just downloaded 7 and when I tried to install I
get an error saying WS2_32.dll not found. I've been trying
manually to get rid of spyware and may have axed this file
- or it's used by the spyware - don't know - this message
always comes up when I open IE but hasn't hampered anything
that I know of. Then I get

Error executing the specified program
C:\windows\temp\pftA310~temp\setup.exe
click close then get
Unable to execute the specified command line

There is no folder named as such above on my 'puter. I do
have a pft 8035~tmp which contains EZ files from this
year's resubscription. Can I just axe the contents of the
temp folder and retry?

......Still on Win95b.......and getting more computer
illiterate by the day.... :-( I plan on downloading
Spybot and others, but browsing has become so slow I had to
get rid of some of the parasites first. Thought I'd update
the anti-virus first.......sigh

thanks for any help
buglady
take out the dog before replying
Click to expand...
Guessing by a filename is dangerous. Having said that, WS_32.DLL
is M$'s
Windows Socket 2.0 32-Bit DLL

OT: Dump IE, a decent browser. Firefox,for example, runs on W95b
just fine.

J
 
OT: Dump IE, a decent browser. Firefox,for example, runs on W95b
just fine.
Click to expand...

............Yeah, I've considered that. But until I get this stuff
straightened out, I'm not downloading anything extra.

buglady
take out the dog before replying
 
(e-mail address removed) wrote in
.......I just downloaded 7 and when I tried to install I
get an error saying WS2_32.dll not found. I've been trying
manually to get rid of spyware and may have axed this file
- or it's used by the spyware - don't know - this message
always comes up when I open IE but hasn't hampered anything
that I know of. Then I get
Click to expand...
[snip]
......Still on Win95b.......and getting more computer
illiterate by the day.... :-( I plan on downloading
Spybot and others, but browsing has become so slow I had to
get rid of some of the parasites first. Thought I'd update
the anti-virus first.......sigh
Click to expand...
Guessing by a filename is dangerous. Having said that, WS_32.DLL
is M$'s
Windows Socket 2.0 32-Bit DLL
Click to expand...

My memory is a bit hazy. Did Win95B even have Winsock2? I'm pretty sure
Win95C came with it and Win95A did not have it, but I don't remember
whether the B version did or did not come with it. If not, the OP can
download a patch for Win95 that will install it. Watch out for wordwrap....


http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetw
orkingTools/W95Sockets2/Default.asp
 
buglady said:
...........Yeah, I've considered that. But until I get this stuff
straightened out, I'm not downloading anything extra.

buglady
take out the dog before replying
Click to expand...

normally Win 95b is used on older computers. so you might try K-meleon
(small footprint program) instead of Firefox, but i dunno how full
featured it is. i plan to try it on one of my older machines.

i'm happy with Firefox and IE. i use Amaya or Dillo if i visit a site
that might be risky.

it may be that 95b is missing that DLL and you can just add it. or do a
winsock upgrade.

michael
 
Rick said:
My memory is a bit hazy. Did Win95B even have Winsock2? I'm pretty sure
Win95C came with it and Win95A did not have it, but I don't remember
whether the B version did or did not come with it. If not, the OP can
download a patch for Win95 that will install it. Watch out for wordwrap....
Click to expand...

if buglady has time/resources, she might just install Win 98 FE or SE.
i use First Edition on an old Pentium, in addition to linux. the only
downside is finding a reasonably-priced copy of 98.

michael
 
gilbert grape said:
EZ Antivirus users should check this page:

http://crm.my-etrust.com/CIDocument.asp?KDId=2221&GUID=2466D695F1A64894B7F4A
94A727205BE
Click to expand...

Worth mentioning that this vulnerability is also in software from McAfee,
Kaspersky, Sophos, Eset and RAV. If you run any products by these companies
then be looking for an update.

The vulnerability essentially is that these products ignore file attachments
with a zero file size and it's possible to modify the uncompressed size of a
zip archive to appear as zero so the file will be ignored and passed on.
Also worth noting, if you use your AV software to run a blocked extension
list I think that this will be ignored also (I haven't checked this so I may
be wrong).

AndyMac.
 
Gnome de Plume said:
if buglady has time/resources, she might just install Win 98 FE or SE.
i use First Edition on an old Pentium, in addition to linux. the only
downside is finding a reasonably-priced copy of 98.
Click to expand...

..........Actually, errr, uhmmmm, there's a copy of Win98SE that's been
sitting on my shelf for oh, say 4 years! I guess I could just do that
first, but I wasn't sure it would totally solve the winsock problems and I
sort of wanted to get rid of the garbage first before installing it as I
didn't know if it would affect the install. Is this wrongheaded thinking?

This is getting pretty far afield from a virus question, so I'll stop here
and say thanks to all.

buglady
take out the dog before replying
 
normally Win 95b is used on older computers.
Click to expand...
.......;yeah, it's older - 7 years old!

so you might try K-meleon
(small footprint program) instead of Firefox, but i dunno how full
featured it is. i plan to try it on one of my older machines.
Click to expand...

.........do you have a website for that please?
i'm happy with Firefox and IE. i use Amaya or Dillo if i visit a site
that might be risky.

it may be that 95b is missing that DLL and you can just add it. or do a
winsock upgrade.
Click to expand...

.......I thought I had done the winsock2 upgrade, but reinstalled it again
JIC and I got the missing dll back -yippee!
thank you
buglady
take out the dog before replying
 
i have already upgraged to version 7, computer associates has done an
excellent job once again, you simply must try this av program.

marc
 
I must admit that I took the easy way out and just replaced the dll file in
question. I am using version 6.1.4.0 and have read several negative
comments about later versions. I'll just sit tight with the updated dll
until things settle out.
 
buglady said:
.........Actually, errr, uhmmmm, there's a copy of Win98SE that's been
sitting on my shelf for oh, say 4 years! I guess I could just do that
first, but I wasn't sure it would totally solve the winsock problems and I
sort of wanted to get rid of the garbage first before installing it as I
didn't know if it would affect the install. Is this wrongheaded thinking?

This is getting pretty far afield from a virus question, so I'll stop here
and say thanks to all.
Click to expand...

My recomendation is always to wipe off the old operating system before a new
install, just to avoid any problems with garbge surviving. Of course that
means you have archive your personal data off the computer first, and you
have to re-install all the apps, but this is a small price to pay for a
trustworthy install.

-- Graham
 
Graham said:
My recomendation is always to wipe off the old operating system before a new
install, just to avoid any problems with garbge surviving. Of course that
means you have archive your personal data off the computer first, and you
have to re-install all the apps, but this is a small price to pay for a
trustworthy install.
Click to expand...

..........Thanks! I tried to reinstall the EZ 7 and now it says I need
RichEdit3. I have a feeling they're no longer dealing with Win95. Think
I'll just install the .dll file for now

buglady
take out the dog before replying
 
buglady said:
.........Thanks! I tried to reinstall the EZ 7 and now it says I need
RichEdit3. I have a feeling they're no longer dealing with Win95. Think
I'll just install the .dll file for now
Click to expand...

I thought you were going to install W98SE !!

-- Graham
 
i concur with this school of thought, just did this myself and upgraded to
ez antivirus version r7. everything works flawlessly once again.

marc
 
buglady said:
......Still on Win95b.......and getting more computer illiterate by the
day.... :-(
Click to expand...

Upgrade to Windows ME at least and you'll see a big difference -
especially in the speed of defragmenting. Windows 98 was S-L-O-W, and
that was after your version. You'll also be able to use the small USB
drives which are very handy for moving files to another computer.

Netuser 58
 
Upgrade to Windows ME at least and you'll see a big difference -
especially in the speed of defragmenting. Windows 98 was S-L-O-W,
and that was after your version. You'll also be able to use the
small USB drives which are very handy for moving files to another
computer.
Click to expand...

You can use them on Win98 as well; you just have to install a driver.
 
Back
Top