Cisco Bug: CSCvu06648 - OPSWAT module can't read actual database release date KES 11.3

Last Modified

Jul 21, 2020

Products (1)

  • Cisco AnyConnect Secure Mobility Client

Known Affected Releases

4.8(3600)

Description (partial)

Symptom:
The OPSWAT module can't read the actual database release date for KES 11.3.

How OESIS reports the virus definition state information:

1. Open the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\" followed by a subkey whose name matches "AVP.*", "KES.*", "PURE.*" or "KSOS.*", and read the "LastSuccessfulUpdate" and "LastUpdate" values from its "Data" subkey.
2. Read the "DataRoot", "ProductRoot" and "UpdateRoot" values from the "environment" subkey.
3. Extract "<Update.+?Date=.(.+?).[\r|\n]" from the file at the path built from "DataRoot" and "UpdateRoot".
4. Extract file version information from these files under the path built from "ProductRoot": "kas_engine.dll", "klscav.dll", "kav.bav".

But this does not work for our product.
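The four lookup steps above, modelled as an added example that is not part of the bug record and not OPSWAT's OESIS code: the live registry is replaced by a dict snapshot and the file system by two lookup callables, so the script runs offline. The regex is the one quoted in the description; the index file name u1313g.xml (taken from the testers' reply), the paths, the timestamps and the index content are constructed assumptions.

```python
import ntpath
import re
from typing import Callable, Dict, Optional

# Registry key named in the bug description; the product subkey beneath it is
# matched by one of the four name patterns.
PROTECTED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected"
PRODUCT_SUBKEY = re.compile(r"^(AVP|KES|PURE|KSOS).*")
# Regex quoted in the bug description. "[\r|\n]" is a character class, so it
# also accepts a literal "|" after the closing quote, not only CR or LF.
INDEX_DATE = re.compile(r"<Update.+?Date=.(.+?).[\r|\n]")
VERSIONED_MODULES = ("kas_engine.dll", "klscav.dll", "kav.bav")
# Assumption: the description does not name the index file; the testers' reply
# mentions u1313g.xml, so that name is used here.
INDEX_FILENAME = "u1313g.xml"


def find_product_subkey(protected: Dict[str, dict]) -> Optional[str]:
    """Return the first subkey under ...\\protected whose name matches a product pattern."""
    for name in protected:
        if PRODUCT_SUBKEY.match(name):
            return name
    return None


def extract_index_date(index_text: str) -> Optional[str]:
    """Apply the quoted regex to the update index text; None when nothing matches."""
    match = INDEX_DATE.search(index_text)
    return match.group(1) if match else None


def report_definition_state(
    protected: Dict[str, dict],
    read_text: Callable[[str], Optional[str]],
    file_version: Callable[[str], Optional[str]],
) -> Optional[dict]:
    """Walk the four steps from the bug description over an abstract registry/file view."""
    key = find_product_subkey(protected)          # step 1: locate the product subkey
    if key is None:
        return None
    data = protected[key].get("Data", {})
    env = protected[key].get("environment", {})   # step 2: root paths
    # Step 3: index path built from DataRoot and UpdateRoot.
    index_path = ntpath.join(env["DataRoot"], env["UpdateRoot"], INDEX_FILENAME)
    index_text = read_text(index_path)
    # Step 4: version of each listed module under ProductRoot (None when absent).
    versions = {
        name: file_version(ntpath.join(env["ProductRoot"], name))
        for name in VERSIONED_MODULES
    }
    return {
        "product_key": key,
        "last_successful_update": data.get("LastSuccessfulUpdate"),
        "last_update": data.get("LastUpdate"),
        "index_date": None if index_text is None else extract_index_date(index_text),
        "module_versions": versions,
    }


# ---- constructed sample data (not a real registry dump or index file) ----
DATA_ROOT = r"C:\ProgramData\KasperskyLab\KES11.3\Data"
PRODUCT_ROOT = r"C:\Program Files (x86)\KasperskyLab\KES11.3"

SAMPLE_REGISTRY = {
    "Settings": {},  # unrelated subkey, must be skipped
    "KES.11.3.0": {
        "Data": {"LastSuccessfulUpdate": "1594857600", "LastUpdate": "1594857600"},
        "environment": {
            "DataRoot": DATA_ROOT,
            "ProductRoot": PRODUCT_ROOT,
            "UpdateRoot": "Bases",
        },
    },
}
# The Date attribute is the index signing date, which is what the regex picks up.
SAMPLE_FILES = {
    ntpath.join(DATA_ROOT, "Bases", "u1313g.xml"):
        '<Index>\n<Update Date="16.07.2020 10:15:00"\n  Signed="yes"/>\n</Index>\n',
}
# Only avp.exe exists in the sample product directory; none of the three
# modules the algorithm looks for is present, as the testers reported.
SAMPLE_VERSIONS = {ntpath.join(PRODUCT_ROOT, "avp.exe"): "11.3.0.0"}


if __name__ == "__main__":
    from pprint import pprint
    pprint(report_definition_state(SAMPLE_REGISTRY, SAMPLE_FILES.get, SAMPLE_VERSIONS.get))
```

Running the script shows the two failure modes the testers describe: the only date the procedure can produce is the index's own Date attribute (the signing date, not the database date), and every entry in module_versions is None when the named DLLs are not part of the installation.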

The explanation from our testers is below. If you need more information, please let me know.

Firstly, this algorithm is simply not correct for us. The third step parses the updater index to take the date from it. But the date in the updater index is the date the index was signed, and it does not correlate with the date of the anti-virus databases. The modules listed in the last step are simply missing for us. Secondly, we cannot give OPSWAT any guarantees regarding the use of these names, as these are internal names and they may change. Thirdly, according to Procmon, it is clear that the real algorithm is different from the described one:

1. There is a complete enumeration of our registry branch.
2. There is an analysis of the antimalware_provider.dll module.
3. There is an analysis of the avp.exe module.
4. There is an analysis of the avengine.dll module.
5. There is a read from the updater index u1313g.xml.

Cisco uses u1313g.xml, and while it exists, Cisco does not read our UpdateRoot environment variable!

Conditions:
KES 11.3