
Avoid using customized Virex eUpdate settings
As you probably know, Apple has dropped support for Virex in .Mac, but there are still some people using it. Both Virex 7.2 and 7.5 give you the option to customize your eUpdate settings -- the goal of this is to prevent you from having to type in your .Mac password all the time in certain cases, for example, if you are updating Virex but don't have your .Mac account configured. That basically means that the following does not affect all users -- just the users who have set their username and password in the custom eUpdate settings.

Should you choose to customize your eUpdate settings, Virex does something pretty insecure. Instead of storing your username and password in the Keychain (a task that takes less than 100 lines of code to accomplish for store, retrieve, and update), they store it in a file. In the case of Virex 7.2, the file is stored in your user's ~/Library -> Preferences folder, in a file named VirexPrefs.vprF ... with the password and username in plain text!

In the case of Virex 7.5.1, the file is stored in /Library -> Preferences -> com.nai.virex75.prefs.plist, with the username as plain text while the password is hashed. Note, though, that all users have access to this file, and while I am not sure how good the hash is, I do know that by simply copying the file to a second machine, you can have access to Virex updates from that second machine -- something that all users can do because all users have read access to the file.

This kind of careless disregard for the protection of a .Mac user's credentials -- hashed or not -- is inexcusable.

If you're a Virex user, please check for the above-listed files and delete them if you find your .Mac info in them. And to prevent their creation in the future, don't customize your eUpdate settings!
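One way to run the check the hint asks for, as an added example that is not part of the original hint: a shell function that looks for the two preference files named above, reports whether other users can read them, and optionally whether they contain your .Mac account name. The function names and the root, home and account-name arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the two Virex preference files named in the hint.
# Assumed arguments: $1 = root prefix ("" for the live system),
# $2 = home directory, $3 = .Mac account name to look for (optional).

# Print "yes" if users outside the owner and group can read the file.
world_readable() {
    # Character 8 of the ls mode string is the "other" read bit.
    if [ "$(ls -ldL "$1" | cut -c8)" = "r" ]; then echo yes; else echo no; fi
}

# Print yes/no for whether the file contains the account name; never
# prints the file's contents, so a stored password is not echoed.
contains_account() {
    if [ -z "$2" ]; then echo unchecked
    elif grep -q -F -- "$2" "$1" 2>/dev/null; then echo yes
    else echo no
    fi
}

# Returns 0 when neither file exists, 1 when at least one was found.
audit_virex_prefs() {
    root=$1; home=$2; account=${3:-}; found=0
    for f in "$home/Library/Preferences/VirexPrefs.vprF" \
             "$root/Library/Preferences/com.nai.virex75.prefs.plist"; do
        if [ -f "$f" ]; then
            found=$((found + 1))
            echo "FOUND  $f"
            echo "       world-readable: $(world_readable "$f")"
            echo "       contains account name: $(contains_account "$f" "$account")"
        else
            echo "absent $f"
        fi
    done
    [ "$found" -eq 0 ]
}

# Live check: sh check_virex.sh your_dotmac_name
audit_virex_prefs "" "${HOME:-/}" "${1:-}" || true
```

The 7.2 file is per-user, so the check has to be repeated for each account's home directory on a shared machine.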

Avoid using customized Virex eUpdate settings
Authored by: dkoller on Oct 19, '05 11:23:26AM

Can you suggest an alternative to Virex? (7.5 is incompatible with Tiger, so I'm using 7.2.)
Meanwhile, thanks for the eUpdate tip.

Don



Avoid using customized Virex eUpdate settings
Authored by: takeaway on Oct 19, '05 12:05:47PM

My main concern is with Virex 7.2 - the eUpdate stores the password as plain text, which is just a bad idea, especially since the Keychain is so easy to use. If you don't use Virex with .Mac or if you use a newer version, this isn't an issue.

I use Norton Antivirus - but it sure uses a lot of CPU time, so I am not sure that I like it either. I use Norton because it will detect Windows viruses, which is mainly what I use it for. Generally speaking, I turn autodetect off.

The Apple Store seems to offer Norton AntiVirus and VirusBarrier X, either of which seems to be a good choice.



Avoid using customized Virex eUpdate settings
Authored by: jay1 on Oct 21, '05 05:14:11PM
Not sure if you know, but Virex 7.7 has been out for some time. This version does work with Tiger. I have been using this and so far it has been stable. Visit the McAfee website for further information. Please note that this product is not free and I have not seen it released via .Mac. Still, it's good to know that die-hard Virex users can continue, albeit via a purchasable upgrade.

---
-J-


Try Clam
Authored by: murali1080 on Oct 19, '05 03:45:42PM

http://www.markallan.co.uk/clamXav/


