


Category:   Application (Security)  >   InoculateIT
Vendors:   CA
Computer Associates InoculateIT Incremental Scan Weakness May Fail to Detect Viruses in Certain Cases
SecurityTracker Alert ID:  1005740
SecurityTracker URL:
CVE Reference:   CVE-2002-2285
Updated:  Jun 8 2008
Original Entry Date:  Dec 3 2002
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0
Description:   A vulnerability was reported in CA's InoculateIT virus scanner. The scanner may fail to detect viruses on the system in certain specific cases.

It is reported that if the Incremental Scan option for NTFS file systems is enabled and the Realtime Scanner is configured to monitor 'Incoming and Outgoing Files', the software may write an alternate data stream that marks the file as having passed an antivirus scan before the complete file has been written to the system.

A user could download and save a virus-infected file to the local system drive and then copy the file to other similarly configured systems (that also use Incremental Scan) without the virus being detected during the file copy.

As an example, the report indicates that Microsoft Internet Explorer (IE) uses FASTIO_WRITE calls when downloading a file. The scanner may scan the file and certify the file as being virus-free before the file has been fully downloaded. Then, IE may complete the download and apparently rewrite InoculateIT's alternate datastream.

According to the report, this Incremental Scan feature is not enabled by default. Also, the software will reportedly detect the virus when a new anti-virus definition is applied.

Impact:   The software may fail to detect viruses in some specific cases.
Solution:   The vendor has reportedly released a patch that disables the incremental scan option. Contact the vendor for information.
Vendor URL:
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.
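
The state error described above, as an added simulation that is not part of the original advisory or of CA's product: a scanner stamps a file as clean partway through a multi-write download, and a later reader trusts the stamp. The hardened variant binds the stamp to the scanned bytes and the definition version; it is one possible design, not CA's fix (the vendor patch disables incremental scan). `SimFile`, the signature string and all function names are constructed for illustration.

```python
import hashlib

SIGNATURE = b"TEST-MALWARE-MARKER"  # constructed pattern, not a real signature

class SimFile:
    """In-memory stand-in for an NTFS file plus its scan-stamp stream."""
    def __init__(self):
        self.data = b""
        self.stamp = None  # plays the role of the alternate data stream
    def write(self, chunk):
        self.data += chunk

def scan(data):
    return SIGNATURE not in data  # True means "clean"

def naive_stamp(f):
    """Weak: the stamp only says 'clean'; nothing ties it to the content."""
    if scan(f.data):
        f.stamp = {"clean": True}

def naive_is_trusted(f):
    return bool(f.stamp and f.stamp.get("clean"))

def bound_stamp(f, defs_version):
    """Hardened: record the digest of exactly the bytes that were scanned."""
    # A real filter driver would likely use a cheaper change indicator.
    if scan(f.data):
        f.stamp = {"sha256": hashlib.sha256(f.data).hexdigest(), "defs": defs_version}

def bound_is_trusted(f, defs_version):
    s = f.stamp
    return bool(s and s.get("defs") == defs_version
                and s.get("sha256") == hashlib.sha256(f.data).hexdigest())

def download(stamp_fn, *args):
    """Replay the reported sequence: write, scan mid-download, keep writing."""
    f = SimFile()
    f.write(b"MZ harmless-looking header ")   # first write of the download
    stamp_fn(f, *args)                         # realtime scanner fires early
    f.write(SIGNATURE + b" rest of payload")   # remaining writes arrive
    return f

if __name__ == "__main__":
    print("naive stamp trusted:", naive_is_trusted(download(naive_stamp)))
    print("bound stamp trusted:", bound_is_trusted(download(bound_stamp, 7), 7))
```

Changing the definition version passed to `bound_is_trusted` also invalidates the stamp, which mirrors the advisory's note that the file is detected once a new definition is applied.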

 Source Message Contents

Subject:  CA InoculateIT 6.0 Realtime Scanner may fail to detect vira.

Executive overview:

We have recently closed a case with Computer Associates regarding a weakness
in their realtime scanner when configured with incremental scan. This
weakness would, in some cases, allow virus or trojan code to be saved to
disk, and signed as clean.

What is incremental scan:

The Incremental Scan option is for scanning volumes that are formatted with
the NTFS file system, to enhance scan performance. With this option in
effect, a file is scanned once, and a cached record is kept. The file is not
scanned again if it has not been modified since the last scan or if the
scanning options have not changed. This eliminates the unneeded repetitive
scanning of files that were already checked.


If the Realtime Scanner has been set up to monitor 'Incoming and Outgoing
Files' in Realtime Monitor Options, and 'Incremental Scan' has been
activated under 'Advanced...' in the 'Selection' tab, it might be possible
for the realtime scanner to write an alternate datastream, where the file is
marked as having passed a successful antivirus-scan, before the file is
fully written to the system.

The problem has been reproduced on a newly installed Windows 2000, where it
has been possible to download and save the Klez.H virus to the local
hard drive. Once the file has been downloaded and branded, it will not be
detected as a virus when copied to other systems over the network, when
these have a similar setup with incremental scan.

Tech talk:

When Internet Explorer downloads a file, the disk operations are done as a
bunch of FASTIO_WRITEs. During this process the incremental scanner might
scan the file and, if incremental scan is enabled, write an alternate data
stream certifying the file as being clean before it's done. Internet
Explorer will then download the rest of the file and the system then appears
to rewrite InoculateIT's alternate datastream.

Mitigating factors:

* Incremental scan is not enabled by default, but might be enabled for
performance reasons.
* Incremental scan can only be used on NTFS volumes (the Windows NT-series
of operating systems).
* The file will be detected when a new antivirus definition is applied, and
these are released daily.
* Generally, the circumstances where this will happen are rare.


CA has released a patch for their realtime scanner that disables the
incremental scan option.
Their later versions (6.1 is right around the corner) will include improved
caching that makes incremental scanning less appealing, while their move to
daily signature updates also removes quite a lot of the benefit from this

An alternative, until you can apply the patch or a newer version of
InoculateIT to your systems, is to disable incremental scan on the
enterprise management server's policy for the realtime scanner, and disallow
your users from changing their local settings from the policy's default. If
this is the case, you'll want to modify the policy for all machines
servicing interactive logons, such as workstations and terminal servers, and

Thanks to:
Russ for assisting in bringing this issue to closure.
Knud for valuable advice in past and present.
The guys at CA that reacted promptly to the issue.

Karsten H.
system engineer
