bugs_activity.MDB was deleted by Symantec AntiVirus




11 years ago
11 years ago


(Reporter: Bob Dunn, Unassigned)





11 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Build Identifier: Bugzilla 2.22

Marking bug as a security issue because it can cause MySQL table deletion.

One of my users submitted a Feature Request for a Product and pasted a slew of javascript, form code, and an iframe, as their description.

During a standard antivirus scan, Symantec AntiVirus identified some of that code as being _J_S_._W_i_n_d_o_w_B_o_m_b_ (I added underscores just in case YOU are running similar antivirus).

What you see below is the results... bugs_activity.MYD was deleted by Symantec AntiVirus.

We were able to restore the deleted table from our nightly backups, although some data was lost. 

----- Symantec log info -----
Description: Threat Found!
Threat: _J_S_._W_i_n_d_o_w_B_o_m_b_ in 
(note: underscores added by me so I don't kill YOUR database)
File: [path removed for security reasons]\bugs_activity.MYD 
by: Auto-Protect scan.  
Action: Clean failed : 
Quarantine failed : 
Delete succeeded : 
Access denied.  
Action Description: The file was deleted successfully.
----- end Symantec Log info -----

Reproducible: Didn't try

Steps to Reproduce:
Unknown: see details for full description of situation.  I haev no idea what keywords or code snippets were identified as being .js virus code.

We're running Bugzilla on a Windows IIS server.  I am not the server admin, so I cannot provide more detail.
Hate to say it, but this is a stupid way to configure a virus scanner on a webserver.

Tell it to exclude your mysql data directory.  And in a production environment like this, it should probably be mailing someone a report rather than directly taking action on it.

You're lucky it only got your bugs_activity table, seems the attachments table would be much more prone to this kind of thing.
After consulting with a few folks, we've decided there's not really anything we can do from Bugzilla to deal with this.  There's a bug somewhere with an enhancement request to do virus scanning on uploads, but it would only deal with attachments, not comments.

This is really a configuration issue with your virus scanner.
Group: webtools-security
Last Resolved: 11 years ago
Resolution: --- → INVALID


11 years ago

Comment 3

11 years ago
I agree completely.  I had already decided that this was a "DDT bug" (don't do that!) but figured it was well worth the waste of some ones-and-zeroes to pass this along.

Thanks for the advice. I'm already going to speak with our server admin about preventing this situation in the future.

Is there anywhere for this in future documentation though?  Perhaps as a warning-block under configuration for either server or database?

Thanks Dave!
You need to log in before you can comment on or make changes to this bug.