COMMAND

    Network Associates' VirusScan NT

SYSTEMS AFFECTED

    WinNT 4.0

PROBLEM

    The following is based on Simple Nomad's Advisory.  Network
    Associates VirusScan NT (formerly McAfee VirusScan NT) version
    4.0.2 does not properly update virus signature definition files
    under certain conditions, and will falsely report that it is up to
    date during manual updates.  This impacts both NT Server and
    Workstation.  This was tested with Network Associates VirusScan NT
    version 4.0.2 under Microsoft NT Server 4.0 w/SP3 and under
    Microsoft NT Workstation 4.0 w/SP3 and SP4.  Pre-4.0.2 versions of
    VirusScan NT were not tested, nor were versions for other
    platforms, such as Windows 95 or 98.

    Network Associates VirusScan NT has a feature that allows a user
    to update the virus definitions file via ftp.  This task can also
    be automated via the VirusScan NT AntiVirus Console.  In version
    4.0.2, the scan engine holds open the main definition file
    scan.dat (located in the VirusScan NT directory) during the ftp
    process, preventing the file from being overwritten with the new
    version.  The engine itself apparently does not check return codes
    and will not notify the user that the file was not updated.
    Worse, the Application Log is updated as if the install completed
    properly, so subsequent downloads of new definition files will
    not update scan.dat properly.  Subsequent manual downloads will
    tell you that you already have the latest definition file when in
    fact you do not.  NMRC was not able to make this error occur
    consistently, and they strongly suspect that a race condition
    exists where the updates will occasionally work.  They were,
    however, able to duplicate the error condition most of the time.

    To verify that the proper definitions file is in use, check the
    About box from the AntiVirus Console program for the latest date
    next to the text "Created On".  If this date does not change after
    a manual or automatic update, your definitions have not been
    properly updated.  The implication here is that the administrator
    or end user believes their system is protected when in fact it is
    not.
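
    An added example, not part of the original advisory and not
    Network Associates' code: an update step that checks the result of
    the copy and then re-hashes the installed scan.dat before
    reporting success, so the failure described above cannot be logged
    as a completed install.  The function names, the file name
    new.dat and the sample contents are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large definition files are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_definitions(downloaded, installed, copy=shutil.copyfile):
    """Replace `installed`; return "updated", "locked" or "stale"."""
    wanted = sha256_of(downloaded)
    try:
        copy(downloaded, installed)
    except OSError:
        # A file held open without write sharing fails here on Windows
        # (PermissionError is a subclass of OSError).
        return "locked"
    # Do not trust the copy step: re-read the file the engine will load.
    if not os.path.exists(installed) or sha256_of(installed) != wanted:
        return "stale"
    # Only this outcome may be logged as a completed install.
    return "updated"


def demo():
    """Exercise the three outcomes on constructed sample files."""
    def ignore_failure(src, dst):   # hypothetical updater that drops the error
        pass
    def held_open(src, dst):        # simulated lock on the destination file
        raise PermissionError("sharing violation (simulated)")
    outcomes = {}
    with tempfile.TemporaryDirectory() as work:
        new, cur = Path(work, "new.dat"), Path(work, "scan.dat")
        new.write_bytes(b"constructed definitions, newer")
        for name, copy in [("ignored", ignore_failure), ("locked", held_open),
                           ("normal", shutil.copyfile)]:
            cur.write_bytes(b"constructed definitions, older")
            outcomes[name] = install_definitions(new, cur, copy)
    return outcomes
```

    An updater should record a successful install only for the
    "updated" outcome; "locked" and "stale" both mean the engine is
    still running on the old definitions.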


SOLUTION

    Upgrade to Network Associates VirusScan NT version 4.0.3a, which
    resolves the problem.  Alternatively, disable the VirusScan
    engine, wait several seconds for the operating system to close the
    file, and manually copy the definition files into the VirusScan NT
    directory.  This second method will place your log files out of
    sync with the definition files until the next manual or automatic
    download, but this should not impact functionality.  It is
    recommended that you disable (or even uninstall) 4.0.2 before
    performing an upgrade to 4.0.3a, due to other problems NMRC
    encountered during the testing of this product, such as being
    unable to properly stop the VirusScan services before upgrading.
    Once again, these problems were inconsistent but happened several
    times on several systems.

    One further note: in a restricted NT workstation environment, it
    is next to impossible to have users upgrade the product
    themselves.  Local admin rights are required to make this happen,
    so an individual with adequate rights will have to visit the
    workstation to complete the upgrade:

        ftp://ftp.nai.com/pub/antivirus/datfiles/4.x