In the past several months multiple difficulties have arisen with Symantec AMS (Alert Management System).  The situation may sound familiar.  One minute the settings are configured correctly and alerting properly, the next thing you know, days have gone by without any detection.  This is great, right?  No viruses in our network!  Wrong… A careful inspection of the SAV console showed numerous detections without any alerts.  AMS doesn’t show alerting is configured.

Symantec informed the network technician that the AMS server needed to be reloaded.  This method was tried a few times each time services stopped again within days.  Finally a Symantec tech said that this was a “known issue”.  The workaround was to continue to reload the AMS services every time they stop working and take a chance we wouldn’t receive alerts or to use the alternative, the Reporting Server for alerting.

Days later on April 28, 2009, Symantec released four security vulnerabilities in SYM-09-007 involving some of the same Intel services that were involved in the issues experienced above.   At this point, it is unclear as to whether the vulnerabilities are related to the malfunctioning alerts, but it wouldn’t hurt to check your configurations.  The mitigations sound familiar.

The related services and vulnerabilities are described here and include the following:

1) Intel Common Base Agent Remote Command Execution Vulnerability

2) Intel Alert Originator Service Stack Overflow Vulnerability

3) Intel Alert Originator Service Buffer Overflow Vulnerabilities

4) Alert Management System Console Arbitrary Program Execution Design Error Vulnerability

Please take a few minutes to verify your version of SAV with this vulnerability announcement.  Then double check your alerting configurations. If anyone has any experience with the same issues, please let us know here.

Mari Nichols

PS:  Happy Mother's Day!  Don't forget to call your Mom.... :-)