Is your Symantec Antivirus Alerting working correctly?

Published: 2009-05-10
Last Updated: 2009-05-10 16:11:01 UTC
by Mari Nichols (Version: 1)
2 comment(s)

 In the past several months multiple difficulties have arisen with Symantec AMS (Alert Management System).  The situation may sound familiar.  One minute the settings are configured correctly and alerting properly, the next thing you know, days have gone by without any detection.  This is great, right?  No viruses in our network!  Wrong… A careful inspection of the SAV console showed numerous detections without any alerts.  AMS doesn’t show alerting is configured.

Symantec informed the network technician that the AMS server needed to be reloaded.  This method was tried a few times each time services stopped again within days.  Finally a Symantec tech said that this was a “known issue”.  The workaround was to continue to reload the AMS services every time they stop working and take a chance we wouldn’t receive alerts or to use the alternative, the Reporting Server for alerting.

Days later on April 28, 2009, Symantec released four security vulnerabilities in SYM-09-007 involving some of the same Intel services that were involved in the issues experienced above.   At this point, it is unclear as to whether the vulnerabilities are related to the malfunctioning alerts, but it wouldn’t hurt to check your configurations.  The mitigations sound familiar.

The related services and vulnerabilities are described here and include the following:

1) Intel Common Base Agent Remote Command Execution Vulnerability

2) Intel Alert Originator Service Stack Overflow Vulnerability

3) Intel Alert Originator Service Buffer Overflow Vulnerabilities

4) Alert Management System Console Arbitrary Program Execution Design Error Vulnerability

Please take a few minutes to verify your version of SAV with this vulnerability announcement.  Then double check your alerting configurations. If anyone has any experience with the same issues, please let us know here.

Mari Nichols

PS:  Happy Mother's Day!  Don't forget to call your Mom.... :-)
 

 

Keywords: AMS SAV vulnerability
2 comment(s)

Comments

I don't know if the three solutions that they offered (before the security vulnerability release) would've been enough for where I work. The last solution (where he said to use the alt solution of using the Reporting Server for alerts) didn't sound all that bad, but the "restart the service when it is down or take the chance you'd not be receiving alerts" is an answer that I suspect most corporate managers wouldn't like. That is NOT a good support answer, especially if you're paying a good bit for that support.
THE REACTIVE SOLUTION!!!

Diary Archives