Sircam virus eludes Symantec anti-virus scanning update
- — 30 July, 2001 08:00
The Sircam computer virus eluded Symantec Corp.'s corporate and consumer Norton Anti-Virus products, because the first software update Symantec created to combat Sircam failed to detect the virus through e-mail scanning at the gateway and desktop.
First noticed as an e-mail-borne virus July 17, Sircam can potentially wipe out files and cause other damage if a victim opens the infected attachment.
Although Symantec's first e-mail scanning defense for Sircam on July 17 didn't flag the virus appropriately, Symantec asserts that users weren't completely defenseless. That's because Symantec's Norton Anti-Virus has a kind of second-tier protection called "Auto-protect" which Symantec says was able to detect and warn against Sircam as the user sought to open the Sircam-infected attachment.
Anti-virus software typically needs to be updated every time a new virus is discovered so that the software can recognize the virus and flag it. Symantec this week began hearing from concerned customers that its first line of defense against Sircam wasn't working, and began to work on a second anti-Sircam patch that was finally made available at the Symantec Web site on July 24.
The episode was a source of chagrin for Symantec and anger for customers that said Symantec didn't do enough to publicize the failings of its first Sircam software update.
Michael Segal, assistant professor of surgery at Harvard Medical School in Boston, uses the consumer edition of Norton Anti-Virus in his home office. Though he wasn't hit directly by Sircam because he generally doesn't open e-mail attachments, especially when he hears a new e-mail-borne virus is on the loose, he did become aware of the failure of the first Sircam patch through others' experiences. Symantec customers this week began questioning the company about it in online technical discussion groups.
Segal says he is "disappointed" that Symantec didn't specific the weakness in the first Sircam virus patch by more clearly publicizing the problem on its Web site.
"Even if Symantec's assertion about the integrity of the 'Auto-protect' safety net is true, the issue could still represent a security problem since a user could have a false sense of security," Segal says. He pointed out that a user who had turned off Auto-protect to do a software installation and had not yet turned it back on might falsely think the computer was guarded against Sircam.
Symantec was acknowledging the problem in its online technical discussion with customers who asked about it. Symantec also sent out an e-mail message to its corporate customers about the Sircam problem, says Chris Miller, senior product manager of Norton Anti-Virus Corporate Edition.
"The Norton Anti-Virus gateway was affected," Miller acknowledged, noting that Sircam was slipping through the gateway, which typically runs at the boundary of a corporate intranet and the Internet.
Sircam slipped through Norton Anti-Virus Corporate Edition on the desktop, too, though it was stopped by Auto-protect before the attachment was opened, Miller said. He urged corporate customers to install the new anti-Sircam update made available on July 24.
Miller said the reason Sircam slipped through was because the virus has the ability to run its own Simple Mail Transfer Protocol (SMTP) server.
"The uniqueness of Sircam is something we haven't seen before--it supplies its own SMTP server." said Miller. "It doesn't use the existing SMTP infrastructure, so it eluded some of our detections."
Miller said about once every nine months a new computer virus comes along that presents particular problems. Symantec's main competitor, Network Associates' McAfee division, claimed it didn't have similar problems in detecting and eradicating Sircam.