[Full-disclosure] Multiple Vulnerabilities in iAntiVirus
advisories at ceilers-it.de
Tue Mar 10 15:13:10 GMT 2009
Multiple Vulnerabilities in iAntiVirus
PC Tools iAntiVirus for Mac OS X
1.35, Engine Version 220.127.116.11
Tested on German Mac OS X 10.5 with the following preferences:
- Scan inside archives ON
- Scan mode NORMAL
- Heuristics NORMAL
1. No scan in .sit and .dmg archives
The scan function and the on-access scanner OnGuard do not
scan .sit and .dmg archives.
It's possible to download malware from the internet or
to copy it from a USB stick without interruption from
Malware in .sit archives is recognized by OnGuard during
manual decompression, but malware in .dmg disk images is
only recognized during a manual scan of the mounted image.
It's possible to run malware from the mounted disk image
(tested with MacSmurf, which iAntiVirus recognizes as
2. Problems with special characters in filenames
The scanner, OnGuard and the quarantine management are
unable to handle files whose names contain certain special
characters, for example ?, which is transformed to Æ.
False positives are lost, since it's impossible to restore
them. It may also be possible to evade the virus protection
this way.
3. No user restrictions in the quarantine management
All quarantined files are managed in the same area. Every
user can restore the files of every other user, included
A normal user can restore quarantined malware from other
accounts; tested with the iWorks Trojan, which was
installed by the admin and restored by a normal user.
Additionally, the history function contains no information
about the user who performed an action and can be erased by
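As an added defensive check for the shared-quarantine problem described in item 3 (this is example code written for this page, not part of the advisory and not PC Tools' software): an audit that walks a quarantine directory and reports every entry whose mode bits let users other than the owner read or modify it, plus a hardening step that restricts the tree to owner-only access. The quarantine path and the per-user 0700/0600 policy are assumptions; the sample layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical location; the advisory does not name the real quarantine path.
DEFAULT_QUARANTINE = Path("/Library/Application Support/ExampleAV/Quarantine")


def audit_quarantine(root):
    """Return a list of (path, problem) for quarantine entries that other
    local users could read, modify or restore.

    Assumed policy: a quarantine store should be owner-only, i.e. mode 0700
    for directories and 0600 for files, so that one user cannot restore
    another user's quarantined malware."""
    root = Path(root)
    if not root.exists():
        return [(str(root), "missing")]
    findings = []
    for p in [root, *root.rglob("*")]:
        mode = p.stat().st_mode
        if mode & stat.S_IRWXO:          # any permission bit for "others"
            findings.append((str(p), "accessible by other users"))
        if mode & stat.S_IRWXG:          # any permission bit for the group
            findings.append((str(p), "accessible by group"))
    return findings


def harden_quarantine(root):
    """Restrict the quarantine tree to its owner: 0700 dirs, 0600 files."""
    root = Path(root)
    for p in [root, *root.rglob("*")]:
        os.chmod(p, 0o700 if p.is_dir() else 0o600)


def build_sample_quarantine(base):
    """Construct a layout resembling the shared quarantine in the advisory:
    one world-accessible area holding files from two different users.
    Both files are harmless constructed samples."""
    q = Path(base) / "Quarantine"
    q.mkdir()
    os.chmod(q, 0o777)                   # mkdir's mode is masked by umask; force it
    shared = q / "admin_sample.bin"
    shared.write_bytes(b"constructed sample, not malware")
    os.chmod(shared, 0o666)              # restorable by anyone, as item 3 describes
    private = q / "user_sample.bin"
    private.write_bytes(b"constructed sample, not malware")
    os.chmod(private, 0o600)             # what every entry should look like
    return q


def demo():
    """Build the sample store, audit it, harden it, audit again.
    Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        q = build_sample_quarantine(tmp)
        before = audit_quarantine(q)
        harden_quarantine(q)
        after = audit_quarantine(q)
    return len(before), len(after)


if __name__ == "__main__":
    for path, problem in audit_quarantine(build_sample_quarantine(tempfile.mkdtemp())):
        print(f"{problem}: {path}")
```

Run against the real store by calling `audit_quarantine(DEFAULT_QUARANTINE)` with the path replaced by the product's actual quarantine directory; the directory itself and the shared file each produce two findings in the constructed sample, the owner-only file none.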
4. OnGuard only protects one user (or perhaps a few more)
If OnGuard is on and another user logs in, it appears as if
OnGuard is off. If that user copies malware onto the system,
it disappears without any warning: OnGuard is active and
moves the files into quarantine, but doesn't inform the
user about this. If the first user is an admin, this seems
to happen for every normal user. If the first user is a normal
user, it sometimes happens for the admin as second user, but
not every time.
5. File permissions are ignored
Every normal user can start a "normal scan", which includes
the system, library and program folders and the folders of
(also as German version)
Full-Disclosure is hosted and sponsored by Secunia.