Multiple Vulnerabilities in iAntiVirus

Title

Multiple Vulnerabilities in iAntiVirus

Program

PC Tools iAntiVirus for Mac OS X
http://www.iantivirus.com/

Tested version

1.35, Engine Version 1.0.0.10

Tested on a German Mac OS X 10.5 with the following preferences:

Description

  1. No scan inside .sit and .dmg archives
    Neither the scan function nor the real-time scanner OnGuard scans inside .sit and .dmg archives.
    Impact:
    Malware can be downloaded from the internet or copied from a USB stick without any interruption by iAntiVirus.
    Malware in .sit archives is recognised by OnGuard when the archive is decompressed manually, but malware in .dmg disk images is only recognised during a manual scan of the mounted image.
    Malware can be run directly from the mounted disk image (tested with MacSmurf, which iAntiVirus recognises as 'Hacktool.OSX.MacSmurf').
  2. Problems with special chars in filenames
    The scanner, OnGuard and the quarantine management cannot handle files whose names contain certain special chars, for example ƒ, which is transformed into Æ.
    Impact:
    False positives are lost, because it is impossible to restore them. It may also be possible to evade the virus protection this way; the full set of affected special chars is unknown.
  3. No user restrictions in the quarantine management
    All quarantined files are managed in one shared area. Every user can restore the files of every other user, the admin included.
    Impact:
    A normal user can restore malware quarantined in other accounts (tested with the iWorks Trojan, which was installed by the admin and restored by a normal user).
    Additionally, the history function records no information about which user performed an action, and the history can be erased by every user.
  4. OnGuard only protects one user (or perhaps a few more)
    If OnGuard is on and another user logs in, OnGuard appears to be off for that user. If that user copies malware onto the system, it disappears without any warning: OnGuard is active and moves the files to the quarantine, but does not inform the user. If the first user is an admin, this seems to happen for every normal user. If the first user is a normal user, it sometimes happens for the admin as second user, but not every time.
  5. Ignoring file permissions
    Every normal user can start a "normal scan", which covers the system, library and program folders and the folders of every user. No file-permission
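The following is an added example, not code from the advisory and not PC Tools' implementation. It models the two handling rules that items 2 and 3 above imply for a quarantine: file names must round-trip as the exact bytes the OS returned, and a restore must be limited to the user who quarantined the item (or an administrator), with every action logged against the acting user. The encoding explanation in lossy_name is an assumption about the cause of the reported ƒ to Æ corruption (the UTF-8 bytes of ƒ read as Latin-1); the advisory only reports the symptom. The users "admin" and "bob", the file name and the temporary directory are constructed for the example.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field


def lossy_name(name: str) -> str:
    """Reproduce the corruption reported in item 2.

    Assumption (not established by the advisory): the UTF-8 bytes of 'ƒ'
    (C6 92) are being read as Latin-1, which yields 'Æ' followed by an
    invisible control character. A name mangled like this no longer matches
    the file on disk, so the quarantined item can never be restored.
    """
    return name.encode("utf-8").decode("latin-1")


@dataclass
class Item:
    item_id: int
    owner: str
    orig_path: bytes    # raw OS bytes, never decoded and re-encoded
    stored_path: bytes


@dataclass
class Quarantine:
    root: str
    items: dict = field(default_factory=dict)
    history: list = field(default_factory=list)   # (user, action, item_id)
    _next_id: int = 1

    def quarantine(self, path: str, user: str) -> int:
        raw = os.fsencode(path)                   # keep the exact bytes (item 2)
        item_id = self._next_id
        self._next_id += 1
        stored = os.fsencode(os.path.join(self.root, str(item_id)))
        os.rename(raw, stored)                    # os.* accepts bytes paths
        self.items[item_id] = Item(item_id, user, raw, stored)
        self.history.append((user, "quarantine", item_id))   # who did it (item 3)
        return item_id

    def restore(self, item_id: int, user: str, is_admin: bool = False) -> bool:
        item = self.items.get(item_id)
        if item is None:
            return False
        # Item 3: only the owner or an administrator may bring the file back.
        if item.owner != user and not is_admin:
            self.history.append((user, "restore-denied", item_id))
            return False
        os.rename(item.stored_path, item.orig_path)
        del self.items[item_id]
        self.history.append((user, "restore", item_id))
        return True


def demo() -> dict:
    """Constructed scenario: the admin quarantines a file whose name contains
    a special char, a normal user tries to restore it, then the admin does."""
    work = tempfile.mkdtemp()
    qroot = os.path.join(work, "quarantine")
    os.mkdir(qroot)
    name = "ƒ-sample.dmg"                  # constructed file name
    victim = os.path.join(work, name)
    with open(victim, "w") as fh:
        fh.write("harmless placeholder, not malware\n")

    q = Quarantine(qroot)
    item_id = q.quarantine(victim, user="admin")
    result = {
        "gone_after_quarantine": not os.path.exists(victim),
        "normal_user_restore": q.restore(item_id, user="bob"),
        "admin_restore": q.restore(item_id, user="admin"),
        "back_after_restore": os.path.exists(victim),
        # the mangled name points at nothing, which is why such items are lost
        "lossy_exists": os.path.exists(os.path.join(work, lossy_name(name))),
        "history": list(q.history),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Storing the original path as the bytes returned by os.fsencode is the essential part: any round trip through a text decoding that is not the filesystem's own (here Latin-1) silently changes the name and the restore target disappears. The history list keeps the acting user on every entry, which is the information item 3 reports as missing.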

Solution

None

Update 12.03.2009:
The vendor is checking the reported vulnerabilities again.

Credits

Carsten Eilers

Original advisory

http://www.ceilers-it.de/advisories/iantivirus.html
(also as german version)

Version

1 - 10.03.2009 - initial advisory
2 - 12.03.2009 - vendor is checking the reported vulnerabilities again