
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Are security tools a virus or a trojan or even a danger?



I got an email from someone a couple of weeks or so ago about the fact that he had downloaded Patrik Karlsson's excellent OAT (Oracle Auditing Tools) software and that it had been flagged as a virus by the security department. He is a DBA and wanted to use the tools to provide security auditing and protection, which is the main aim of the tools. He asked me to corroborate his assertion that these tools are actually safe and are not a virus.

I downloaded them again myself and Windows Defender baulked and said there was a severe danger as "it can capture passwords". I then ran the Norton anti-virus scanner against the zip file and it reported three problems: 2 for PWDump and 1 for Netcat. Is the anti-virus software correct to mark OAT as a virus? This is debatable. In their own right PWDump and Netcat could and should be marked as dangerous if they were downloaded to a user's PC as part of an email or some other surreptitious way of getting them onto the PC. A user not expecting to get these tools on his PC would want them marked. They are not, however, viruses or trojans in my opinion. In the context of OAT they are not a virus either, or dangerous, as the context must be taken into account. OK, in this case a DBA had downloaded an Oracle security toolkit - no danger. What if OAT had been deployed as a payload to an unsuspecting person's PC; would it then be classed as dangerous? Not sure: a zip of an Oracle audit toolkit would need extra "features" to enable the attacker to do something with it, and the infected PC would need to be specifically targeted. So should anti-virus software and spam/spyware tools such as Defender find OAT dangerous? They should detect Netcat and most likely PWDump, but should they then detect them when they are part of a toolkit such as OAT? Probably. Does this mean the future for free security tools is changing, if they are being marked as dangerous - viruses, trojans or spyware? Probably.

There have been 4 comments posted on this article


August 7th, 2007 at 12:11 am

Random says:

Rootkits get detected as viruses all the time because people take the rootkit and alter it for harmful uses. It's the same thing here.



August 7th, 2007 at 07:46 pm

merkmerc says:

FWIW, Trend micro often classifies things like that as "greyware" - not as something that's harmful, but could be used for evil. Also, detecting things like netcat and pwdump could help alert to infections or intrusions that would otherwise go unnoticed.

Finally, if there is any question at all of whether the DBA can possess and use these tools, he should be authorized to do so, in writing and signed by senior management.



August 8th, 2007 at 01:30 pm

Pete says:

Thanks for the comments guys. merkmerc, you have hit the spot; this is exactly what I was thinking: in some circumstances software is dangerous but in others not. It's better to mark it as "grey" in these cases. Also I agree, the DBA should have permission to use these tools as they can be used to hack!



August 9th, 2007 at 03:24 pm

Nik says:

Sophos classify this sort of thing as a "Potentially Unwanted Application", and you can then apply a policy either globally or on a group basis.

This works quite well after an initial fairly frantic training period!
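The thread's point, that the same archive can be "greyware" for one user and a legitimate toolkit for another, is easier to reason about when the two decisions are separated: first, does the download contain dual-use tools, and second, what does the policy for this user's group say about potentially unwanted applications? The following is an added, constructed model of that split; it is not code from OAT, Sophos, Trend Micro or any anti-virus product. The archive layout, the file-name based "signatures" and the group names are all assumptions made for the example (a real product matches on hashes or behaviour, not names).

```python
"""Toy model of context-aware handling of dual-use tools in a downloaded archive.

Constructed example. Detection (what is in the zip) is kept separate from
policy (what the endpoint does about it for a given user group), which is the
distinction the blog thread's "greyware" / PUA discussion is getting at.
"""
import io
import zipfile
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    ALLOW_AND_LOG = "allow-and-log"   # authorised users: keep, but keep a record
    QUARANTINE = "quarantine"         # everyone else: hold the file and alert


# Toy signature set keyed on the file-name stem. Assumption for readability only;
# real scanners do not classify by name.
DUAL_USE_TOOLS = {
    "nc": "netcat: generic network listener/relay",
    "pwdump": "pwdump: password-hash dumper",
}

# Per-group PUA policy, in the spirit of the group-based policy described in
# the comments. Group names are assumptions.
PUA_POLICY = {
    "dba-authorised": Action.ALLOW_AND_LOG,
    "default": Action.QUARANTINE,
}


@dataclass(frozen=True)
class Finding:
    member: str   # path inside the archive
    reason: str   # why it was flagged


def scan_archive(data: bytes) -> list[Finding]:
    """Return one Finding per archive member whose name stem is a known dual-use tool."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            stem = name.rsplit("/", 1)[-1].split(".")[0].lower()
            if stem in DUAL_USE_TOOLS:
                findings.append(Finding(name, DUAL_USE_TOOLS[stem]))
    return findings


def decide(findings: list[Finding], group: str) -> Action:
    """Map scan results plus the downloading user's group to an endpoint action."""
    if not findings:
        return Action.ALLOW
    return PUA_POLICY.get(group, PUA_POLICY["default"])


def build_sample_archive() -> bytes:
    """Constructed stand-in for a toolkit download; member names and contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("toolkit/README.txt", "audit toolkit")
        zf.writestr("toolkit/bin/nc.exe", b"\x00not a real binary")
        zf.writestr("toolkit/bin/pwdump.exe", b"\x00not a real binary")
        zf.writestr("toolkit/lib/audit.jar", b"\x00not a real jar")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    hits = scan_archive(archive)
    for hit in hits:
        print(f"flagged {hit.member}: {hit.reason}")
    for group in ("dba-authorised", "sales"):
        print(f"group={group}: {decide(hits, group).value}")
```

Running it flags the two constructed tool members, then reports `allow-and-log` for the authorised DBA group and `quarantine` for any other group. The design choice worth noting is that the detection side never changes between groups: the scanner still reports Netcat and PWDump (which, as one commenter notes, is useful for spotting intrusions elsewhere), and only the response differs, which is what a written authorisation for the DBA buys you.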