Symantec NetDriver Monitor
LadyL
Lieutenant
Joined: Oct 11, 2002
Posts: 152
Location: USA

Posted: Wed May 12, 2004 2:31 pm    Post subject: Symantec NetDriver Monitor

I use the Intelligent Updater for the NAV defs...and once in a while will use the LiveUpdate function to see if there are any other updates (Redirector, etc.).
This morning I decided to check via the LiveUpdate...and it listed an update for the Redirector and also for the NIS security updates.
Never had problems previously doing this...naturally, the popup states that it must reboot...ok...it did that.
Out of curiosity, I decided to check msconfig...startup tab...and I find listed the following:

Symantec NetDriver Monitor c:\progr~1\symantec\liveup~1\sndmon.exe


I have SW2002 & NPF2002...tried using their search - no luck on any of the words...Google also gave no hits.

Do I need this or what? I don't need extra stuff in my startup.
Really, really need expert advice on this.
TIA Very Happy

_________________
Lonnie
jvmorris
Security Expert
Joined: Dec 10, 2002
Posts: 154
Location: USA

Posted: Thu May 13, 2004 8:13 am

You might also want to monitor the thread beginning at http://www.dslreports.com/forum/remark,10228849~mode=flat at BBR/DSLR Security Forum.

Mowergun mentions the same kind of problem, but so far I don't see any solutions, explanations, or work-arounds mentioned there. (The thread itself is primarily about a different subject.)

_________________
Regards,
Joseph V. Morris
'The man who was not there"
LadyL
Lieutenant
Joined: Oct 11, 2002
Posts: 152
Location: USA

Posted: Thu May 13, 2004 4:46 pm

Thanks for that link...it was exactly the same problem I was going through!
My solution - system restore in ME...which, naturally fubared my NAV defs, but I also unchecked sndmon.exe in msconfig, did a Find|Files for sndmon.exe...deleted it in the Symantec folder...checked my jv16 program for the listing of sndmon.exe - unchecked it wherever it was shown in jv16....THEN, I rebooted! Went to open my NAV program on desktop - it had error on the defs updates...went for Help at the Symantec KBase...used "System Restore" as search word...found the listing...it said to d/l the Symantec Hawking Tool...which makes the user go through the entire process of correcting the corrupt updates caused by the restore. I did have to use the LiveUpdate *shudders* to get the previous listed (05-11-04) Defs...the Redirector was listed, plus the NIS update...rebooted as prompted. Then I went to my Intelligent Updater section and got my 05-12-04 update and everything was ok! Naturally, I checked msconfig to see if that dreaded sndmon.exe had shown up again...but it wasn't there. Laughing I then, *with fingers crossed*, went to LiveUpdate to check and make sure that everything was d/led as needed...nothing else was needed!!!
Haven't seen anything from Symantec about that mess...haven't received a reply to the email that I had sent to either.
I will now have to do basically the same stuff to daughter's pc at her house...her HP is slow enough as it is without having to contend with that sndmon.exe nonsense.
Sorry for this being so long-winded...but I just wanted to let others know how I dealt with this fiasco.
If anyone wishes to quote my workaround to other Forums...please do so. Very Happy

_________________
Lonnie
phoenix22
General
Premium Member
Joined: Mar 08, 2002
Posts: 4521
Location: "DEROS"

Posted: Thu May 13, 2004 5:38 pm

Security Tracker

Norton AntiSpam SYMDNS.SYS Driver Lets Remote Users Execute Arbitrary Code to Take Full Control of the System

Several vulnerabilities were reported in Symantec's Norton AntiSpam in the 'SYMDNS.SYS' driver. A remote user can cause denial of service conditions or execute arbitrary code on the target system with kernel-level privileges.

Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network

Symantec Client Security SYMDNS.SYS Driver Lets Remote Users Execute Arbitrary Code to Take Full Control of the System

Several vulnerabilities were reported in Symantec's Client Security in the 'SYMDNS.SYS' driver. A remote user can cause denial of service conditions or execute arbitrary code on the target system with kernel-level privileges.

Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network

Symantec Client Firewall SYMDNS.SYS Driver Lets Remote Users Execute Arbitrary Code to Take Full Control of the System

Several vulnerabilities were reported in Symantec's Client Firewall in the 'SYMDNS.SYS' driver. A remote user can cause denial of service conditions or execute arbitrary code on the target system with kernel-level privileges.

Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network

front page advisories
http://www.computercops.biz/article-5085-thread-1-0.html
LadyL
Lieutenant
Joined: Oct 11, 2002
Posts: 152
Location: USA

Posted: Thu May 13, 2004 7:40 pm

Thanks...but it's still all 'Greek' to me. Rolling Eyes
_________________
Lonnie
phoenix22
General
Premium Member
Joined: Mar 08, 2002
Posts: 4521
Location: "DEROS"

Posted: Fri May 14, 2004 1:39 am

SYM04-008
May 12, 2004
Symantec Client Firewall Remote Access and Denial of Service Issues
Revision History
None

Risk Impact
High

Overview
eEye Digital Security notified Symantec Corporation of four vulnerability issues they discovered in the Symantec Client Firewall products for Windows. By properly exploiting these issues, an attacker could render the targeted system inoperable or execute remote code with kernel-level privileges on the targeted system.

Affected Components
Consumer:
Symantec Norton Internet Security and Professional 2002, 2003, 2004
Symantec Norton Personal Firewall 2002, 2003, 2004
Symantec Norton AntiSpam 2004
Corporate:
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)

Details
eEye Digital Security notified Symantec of four vulnerabilities they discovered during product testing on versions of Symantec's client firewall application. eEye Digital Security found three instances where remote KERNEL-level access could potentially be gained. Additionally, they reported a denial of service (DoS) issue that requires a system reboot to regain system utilization.

All issues occur within routines in the SYMDNS.SYS component.

The first issue is a stack overflow in the processing of DNS responses caused by improper bounds checking of external input. Successful exploitation of this issue could result in remote code execution on the targeted system with kernel-level privileges.

The second issue is a stack overflow in the processing of NetBIOS Name Service responses that can result in a memory overwrite. If an attacker could successfully create the conditions required to manipulate this vulnerability they could potentially execute arbitrary code with kernel-level privileges.

The third remote execution issue is a potential heap corruption problem caused by improper bounds checking in the processing of NetBIOS Name Service responses. If an attacker were to successfully exploit this condition, they could possibly execute arbitrary code on the targeted system with kernel-level privileges.

The fourth issue is a potential DoS condition caused by improper handling of DNS response packets. Maliciously configured DNS responses can cause the targeted system to halt requiring a system reboot to clear the condition and regain system access.

Symantec Response
Symantec confirmed the vulnerabilities exist in the consumer and corporate Symantec Client Firewall applications as well as in Symantec's Norton AntiSpam 2004 application. Symantec product engineers have developed fixes for the issues and released patches for all impacted products through Symantec LiveUpdate and technical support channels.

Clients running consumer versions of the affected products who regularly run a manual Symantec LiveUpdate should already be protected against this issue. However, to be sure they are fully protected, customers should manually run Symantec LiveUpdate to ensure all available updates are installed.

Open any installed Symantec product
Click on LiveUpdate in the toolbar
Run LiveUpdate until Symantec LiveUpdate indicated that all installed Symantec products are up-to-date
Depending on the application, system may require a reboot to effectively update available fixes.
Clients running the corporate versions of Symantec Client Firewall or Symantec Client Security should download and apply patches obtained through their appropriate support channels.

Symantec is not aware of any active attempts against or customer impact from this issue.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned Candidate names to these issues.

Issues one, two and three are assigned under CVE Candidate Name, CAN-2004-0444.

The fourth issue, the Denial of Service in NetBIOS Name Service is assigned CVE Candidate Name, CAN 2004-0445.

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credit
Symantec appreciates the cooperation of the eEye Digital Security research team in identifying this issue.

Symantec Product Security Contact Information
Symantec takes the security and proper functionality of its products very seriously. As founding members in the Organization for Internet Safety, Symantec follows the process of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact if you feel you have discovered a potential or actual security issue with a Symantec product.

Symantec strongly recommends using encrypted email for reporting vulnerability information to . The Symantec Product Security PGP key can be obtained here.


--------------------------------------------------------------------------------

Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from .

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Wednesday, 12-May-04 12:25:09




http://securityresponse.symantec.com/av...05.12.html
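As an added illustration (not part of the posts above and not Symantec's code): the advisory attributes the first issue to improper bounds checking of external input while processing DNS responses, without saying which field is involved. Assuming name decoding as a representative case, this C example shows the checks a response parser needs before copying untrusted bytes into a fixed buffer; the function name `dns_read_name` and the sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_TEXT  253   /* longest dotted name allowed by RFC 1035 */
#define DNS_MAX_JUMPS 16    /* cap on compression pointers followed */

/* Decode the name starting at msg[off] into out as dotted text.
 * Returns the text length, or -1 if the packet is malformed or the
 * name does not fit. Every length and offset is checked against the
 * packet and the output buffer before any byte is copied. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_cap)
{
    size_t written = 0;
    int jumps = 0;

    if (out_cap == 0) return -1;
    out[0] = '\0';
    for (;;) {
        if (off >= msg_len) return -1;           /* length byte outside packet */
        uint8_t len = msg[off];

        if ((len & 0xC0) == 0xC0) {              /* compression pointer */
            if (msg_len - off < 2) return -1;    /* second pointer byte missing */
            if (++jumps > DNS_MAX_JUMPS) return -1;  /* pointer loop */
            off = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (len & 0xC0) return -1;               /* reserved label types */
        if (len == 0) break;                     /* root label ends the name */
        if (len > msg_len - off - 1) return -1;  /* label runs past packet end */

        size_t need = (size_t)len + (written ? 1 : 0);
        if (written + need > DNS_MAX_TEXT) return -1;  /* over protocol limit */
        if (written + need + 1 > out_cap) return -1;   /* would overflow out[] */

        if (written) out[written++] = '.';
        memcpy(out + written, msg + off + 1, len);
        written += len;
        off += (size_t)len + 1;
    }
    out[written] = '\0';
    return (int)written;
}

/* Constructed sample packets: 12-byte header (zeroed), then name data. */
static const uint8_t PKT_OK[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    3,'f','t','p', 0xC0,16          /* "ftp" + pointer to offset 16 */
};
static const uint8_t PKT_TRUNC[] = {   /* label claims 63 bytes, 2 present */
    0,0,0,0,0,0,0,0,0,0,0,0, 63,'a','b'
};
static const uint8_t PKT_LOOP[] = {    /* pointer that targets itself */
    0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,12
};

int main(void)
{
    char name[64], tiny[8];
    printf("%d\n", dns_read_name(PKT_OK, sizeof PKT_OK, 29, name, sizeof name));
    printf("%s\n", name);
    printf("%d\n", dns_read_name(PKT_TRUNC, sizeof PKT_TRUNC, 12, name, sizeof name));
    printf("%d\n", dns_read_name(PKT_LOOP, sizeof PKT_LOOP, 12, name, sizeof name));
    printf("%d\n", dns_read_name(PKT_OK, sizeof PKT_OK, 12, tiny, sizeof tiny));
    return 0;
}
```

The three rejected cases (truncated label, self-referencing pointer, undersized output buffer) each return -1 instead of writing past a buffer, which is the property a kernel-mode parser has to guarantee for every field it reads from the network.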
LadyL
Lieutenant
Joined: Oct 11, 2002
Posts: 152
Location: USA

Posted: Fri May 14, 2004 7:35 am

Thanks. I did a Find|Files on my ME for SYMDNS.SYS ...guess what...nothing was found! I have NPFirewall2002 and have done the LiveUpdate tab to see if anything is needed...I'm up to date on everything.
I'm not getting any errors or missing whatever from anything from Firewall2002 or from SW2002.
I would have thought something would have 'popped up' after I had deleted the sndmon.exe...but nothing has.

_________________
Lonnie
MountainBoy
Cadet
Joined: May 14, 2004
Posts: 1
Location: Canada

Posted: Fri May 14, 2004 7:14 pm    Post subject: re: recent NIS liveupdates snafuing systems

I have the same problem on 2 machines running NIS2002. D/led the latest Liveupdates yesterday May 13, upon reboot found that surfing was veeerrrry slow, problems connecting, and the Norton firewall's settings had been changed, disallowed netbios when it had been allowed before, disallowed http server access (running Apache on one of the machines). Couldn't even connect to LocalHost on server machine, and when I tried it there was a memory dump and spontaneous reboot of the box. Did the System Restore to date earlier this week prior to yesterday's LiveUpdate.
Ran LiveUpdate again and NIS said everything was up to date??

Looked at symdns.sys in NIS "About" and V. # was 4.XXX. Did search on Symantec's site for symdns.sys and found article (35%) which pointed me towards a file download and info stating that the latest vulnerabilities necessitate having symdns.sys Version 5.xxx.

d/led file and installed, rebooted, checked symdns.sys V.#s and they're all 5.xxx now. Still concerned though because Symantec's resolution for problem is to run LiveUpdate and if it says everything is up to date, then your system is ok...

but my LiveUpdate didn't catch the fact that the symdns.sys Versions were out of date...
xyborx
Cadet
Joined: May 18, 2004
Posts: 4
Location: Australia

Posted: Tue May 18, 2004 2:35 am    Post subject: Symantec Redirector

[ABSTRACT]

You have noticed an available update to your Symantec software titled "Symantec Redirector" and you want to know what the "Symantec Redirector" is.

The Symantec Redirector (Symredir) is a set of shared network drivers that allow Norton AntiVirus, Norton Personal Firewall, and Norton Internet Security to filter incoming and outgoing data for malicious or undesired content.

The Redirector intercepts data coming into, or leaving your computer, and redirects it to a temporary location on your hard drive where it processes the data, and then sends the data to its intended destination. Without the Redirector, your email program sends your email messages directly to your email server. With the Redirector running, data that your browser sends to a Web server is diverted through the Norton Internet Security (NIS) or Norton Personal Firewall (NPF) filters to scan for and protect privacy or confidential data. Once filtered, that data is sent to the Web server. Data coming in from a Web server is diverted through the NIS/NPF filters, and undesired active content or unwanted advertising content is filtered out. The data is then passed to your Web browser for processing.

In all these situations, the Redirector is invisible to both the email programs and Web browsers you use.

The following files comprise the Symantec Redirector:

Windows 95/98/Me:

Symredir.dll
Symdns.vxd
Symfw.vxd
Symndis.vxd
Symredrv.vxd
Symtdi.vxd

If you have the most recent version, you may also have these files:

Symids.vxd
Symidsco.vxd

Windows NT, 2000, XP:
Symredir.dll
Symdns.sys
Symfw.sys
Symndis.sys
Symredrv.sys
Symtdi.sys
SymRedir.cat
SymRedir.inf

If you have the most recent version, you may also have these files:

Symids.sys
Symidsco.sys

Ok, so obviously we have a problem, because the file "SNDMon.EXE" is not mentioned... however this information was from a Symantec site http://service1.symantec.com/SUPPORT/sh...=&osv_lvl=
Last Modified: 06/05/2004 and this update occurred on 17/05/04, in my humble opinion this module "SNDMon.EXE" is "Symantec Security Drivers Install Monitor" and needs to run at startup. Or maybe it is just a leftover from the update... either way my Windows 98se OS is running very well indeed.
xyborx
Cadet
Joined: May 18, 2004
Posts: 4
Location: Australia

Posted: Tue May 18, 2004 3:17 am    Post subject: NPF

I am using NAV 2002 on WIN98se, I have NPF but I have not installed it, due to the sheer complexity of successfully configuring a firewall, I find them a real hassle to configure and I am a very advanced user. I too use the LiveUpdate method to obtain the most recent updates (virus sigs mostly) and I was presented with the extra shared component update after reboot on the 17/05/04, I installed it and too found the Startup item "C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE". I have not had any problems as a result of this update and will be leaving it in the

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMANTEC\\LIVEUP~1\\SNDMON.EXE"

As you can see, I like to keep this lean, however I cannot ascertain if loss of functionality will occur if I do remove it.

It seems at this point that the problem is specific to NPF.
xyborx
Cadet
Joined: May 18, 2004
Posts: 4
Location: Australia

Posted: Tue May 18, 2004 3:48 am

LadyL, I am looking at your first post and apparently you do not have a problem at this point in time, you seem to be asking if it is ok to delete SNDMon.EXE and remove its reference from the Run "Startup" section of the registry. I am thinking now maybe it can be done and Symantec should have put it in the RunServicesOnce Key and placed the file itself in the "Temp" folder... the fact they did not do this makes me think there is a reason for them doing this...
xyborx
Cadet
Joined: May 18, 2004
Posts: 4
Location: Australia

Posted: Tue May 18, 2004 4:03 am

In your second post you have now apparently developed a "problem" not mentioned in your first post, however this is only a link to some other forum and invalidates the logic of this thread. It is difficult to see how any of this relates to the "Update", other than that you may have removed the file "SNDMon.EXE" prior to rebooting as this file was necessary to receive and install correctly the second update. Apparently you at some point use a registry cleaner to diagnose the purported "problem", however can I mention this registry cleaner has been superseded by "RegSupreme" (the one I use) due to it being a little too thorough at "cleaning" on occasions.

The final result you now have achieved is basically a confusing situation, with each stage needlessly impacting reciprocally upon the prior.
jvmorris
Security Expert
Joined: Dec 10, 2002
Posts: 154
Location: USA

Posted: Sun May 23, 2004 8:11 am    Post subject: Symantec Patches Patches

It appears that Symantec may now have fixed this problem. See http://www.dslreports.com/forum/remark,10312609~mode=flat , which apparently came out late on Friday evening.

Have any of the NIS/NPF 2002 users that experienced the problem after the 12 May LiveUpdate applied this patch; does it solve the problem?

Next question: Does this fix, primarily for NIS/NPF 2002 users, still provide a solution to the eEYE vulnerabilities that started all this? (Anyone checked using eEYE's Retina scanner?)

And finally, by way of feedback, just what files are changed by this update?

_________________
Regards,
Joseph V. Morris
'The man who was not there"
LadyL
Lieutenant
Joined: Oct 11, 2002
Posts: 152
Location: USA

Posted: Sun May 23, 2004 12:49 pm

Thanks for letting me know about the update via that linky...I seldom use LiveUpdate unless it is to check for Redirector, etc. updates.

I have just applied the update to Redirector, rebooted...and so far no problems...

I never even heard of eEye Retina scanner...what is it????

_________________
Lonnie
jvmorris
Security Expert
Joined: Dec 10, 2002
Posts: 154
Location: USA

Posted: Sun May 23, 2004 1:59 pm

Lonnie,

You can find the Retina scanner at eEYE. See http://www.eeye.com/html/Products/Retina/index.html . There is a 15 or 30-day trial version available.

Now, it only runs directly from a Win NT/2K/XP machine, but it can then be used to scan other machines remotely (which is how I scanned the Win 98 SE box here, behind my own router). However, it will not scan through a NAT router (inbound, that is).

One of its tests is for the eEYE vulnerabilities identified in the Symantec consumer-grade software firewalls. It does not check to see if the latest patch fixes the 12 May LU screw-up, just whether or not the previously identified eEYE vulnerability still exists.

_________________
Regards,
Joseph V. Morris
'The man who was not there"
All times are GMT - 5 Hours
Page 1 of 3

 
 