CA eTrust Denial of Service Fault
Cadzow has discovered a fault in Computer Associates' (CA) eTrust 7.0. The problem arises as follows:
- By default, Microsoft Exchange Server 2000/2003 is installed to run under the SYSTEM context (the highest local privilege level).
- CA eTrust has a Quarantine feature which disables an account that writes an infected file to a server. The Administrator account is hard-coded to never be disabled.
- CA eTrust interacts with Exchange's virus scanning API (VSAPI) to scan for viruses in emails. When Exchange receives an email with an attachment, it writes the attachment to the file system and submits it to the VSAPI.
- However, the eTrust Realtime Scanner (which monitors file system activity) also detects the virus in the written attachment and quarantines the account that wrote it, in this case SYSTEM.
- Thus the SYSTEM account is disabled and every process that relies on it (including all the authentication subsystems) fails until the Quarantine ends. An entire server running Exchange can therefore be rendered unusable simply by receiving a virus in email.
Workarounds:
- Do not use eTrust's Quarantine feature;
- Exclude %PROGRAMFILES%\Exchsrvr\Mailroot from Realtime scanning; and/or
- Install the patch (QO41975) or the post-Service Pack 1 cumulative patch (build 402), which ensures SYSTEM is never disabled.