Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Sat, 8 May 1999 14:58:08 +1000  
From: Glenn Corbett <>  
Subject: Insecure Bahaviour in Inoculan Client  
A problem has been discovered with the InocuLAN client on Windows NT  
workstations. If an account lockout policy is present on a Windows NT  
domain, large numbers of repeating account lockouts can occur.  
Description: Incorrect password events (event id 529) are being logged from  
workstations when running applications from UNC paths. The username that  
has logged the incorrect password is different to that of the logged on  
Configuration: Windows NT workstation SP3 or SP4, with InocuLAN V4.0(373) or  
InocuLAN V4.0(375)  
To reproduce the problem:  
1. Install InocuLAN V4.0(373) or V4.0(375) onto an NT workstation with  
SP3 or SP4 (SP5 not tested yet)  
2. Configure InocuLAN as described below:  
Direction - Incoming and Outgoing files  
Action upon Virus detection - Cure File  
Cure Action for Macro Viruses - Remove Infected Macros  
Copy File before Cure  
Rename File when Cure Fails  
Rename Extension - AVB  
Move Directory - C:\Inoculan\VIRUS  
Protected Areas:  
Protect Floppy Drives  
Protect Network Drives  
Protect CD-ROM Drives  
Scan Type - Secure Scan  
3. Reboot the workstation  
4. Log into WorkstationA as Domain UserA, Logout Domain UserA  
5. From another workstation change the password of Domain UserA  
6. Log into WorkstationA as Domain UserB.  
7. From WorkstationA run an application from a remote share on WorkstationX  
where Logon and Logoff, Success/Failure, are being audited. Run an  
application from the cmd window using a UNC path with no other connections  
to the WorkstationX. Eg \\WorkstationX\shareX\notepad  
8. The application will take several seconds to run and there will be a  
failure security event (529) for UserA from Workstation A. From server  
manager remotely stop the Cheyenne InocuLAN Anti-Virus Server on Workstation  
A and repeat step 7. You will see that the application will start  
immediately and no errors will be recorded in the security event log.  
The above problem also causes problems when running logon scripts. If an  
application is called from the logon script and that application does not  
exit on the local workstation, the version in the logon share will be run.  
As soon as the application in the logon script is called there is an event  
529 error recorded on the logon server security event log.  
Even if subsequent different users log into Workstation A, these problem  
will continue until the workstation is rebooted.  
This behaviour can also been seen if in Step 4, a local userA logs on. The  
subsequent error 529's have the local userA account in the security event.  
It appears as though InocuLAN is storing the user credentials for the first  
logged on user and using them to scan network drives for virus' even when a  
different user subsequently logs on until workstation reboot. It is not yet  
apparent if this username / password is being stored in the registry /  
temporary file or memory, and therefore open to exploit.  
We do not see this problem with InocuLAN V4.0 (4.0 Service Pack 1).  
CA Have been notified earlier this week, no respose as yet.  
Glenn Corbett  
CRISP Project Server / Workstation Team Leader  
Compaq Computer Corp, Australia. (Work) (Private)  
Date: Fri, 14 May 1999 14:49:17 -0400  
Subject: FW: NTBUGTRAQ response - URGENT  
The issue reported to NTBUGTRAQ regarding InocuLAN v4.0 build 373 and 375  
implies that username/password information is stored "somewhere" on the  
client side and as such could potentially be exploited.  
That assertion is inaccurate, the username/password credential combination  
is NOT stored on the client side by Inoculan, (which is why the efforts to locate  
these credentials in shared memory, in a file or in the registry have been   
Clearly, in order for the InocuLAN real-time scanner to access files on a remote server,  
the software must have valid security contexts in place to permit the requisite access  
to the file systems and files.  
The techniques utilized by Inoculan (using low level, but fully documented and  
supported standard vendor API's) do NOT require that traditional user  
credentials (user account/ password) be presented in order to gain the necessary  
Rather, Inoculan is able to gain the required access in a completely  
secure manner without prompting for username and password information.  
In addition, it is important to point out that NO attempt to retrieve  
credential data is done without the user's explicit advance knowledge and consent.  
Computation/generation of the requisite credential information is done at Inoculan driver  
initialization time, and can be easily refreshed by simply rebooting the machine (which of  
course will in turn result in Inoculan initialization routines being invoked as part of  
system restart).  
The particular behaviour observed and reported can be attributed to the fact that AFTER  
Inoculan initialization was completed, the user access credentials for the user in question  
were modified, rendering the originally computed credential that Inoculan would otherwise  
utilize, invalid.  
An enhancement is being developed presently to provide a configuration setting that  
will instruct the Inoculan real-time scanner to recompute credentials automatically thus  
eliminating the need to reboot the client machine.  
This enhancement will be available by 17:00 Eastern US time, May 21, 1999, and can be  
downloaded from the standard Computer Associates support web sites, (  
We appreciate the efforts involved in bringing this issue to our attention and look forward  
to being able to provide you continued responsive service in the future !  
InocuLAN Technical Support  
Date: Fri, 21 May 1999 11:36:43 -0400  
Subject: NTBUGTRAQ response - URGENT  
An enhancement for the issue reported to NTBUGTRAQ regarding InocuLAN v4.0 build 373 and 375  
in reference to locally computed credential information, has been made available. This enhancement  
is for the Inoculan real-time scanner and will obviate the need to reinitialize the machine (reboot), that  
was previously required to affect an update of locally computed credential information. The enhancement  
can be downloaded from our Computer Associates support web sites at, and the file is called LO49393.CAZ.  
Again, we appreciate the efforts involved in bringing this issue to our attention and look forward  
to being able to provide you continued responsive service in the future !  
Thank you.  
InocuLAN Technical Support