Hacktool.netcat

Symantec has decided that netcat is a hack tool! What’s next? telnet? Netcat is number 4 on insecure.org’s list of top security tools.
I’m trying to decide if this is worth spending time on. I’ve been able to get Ghost Mail by Robert Yale off of Symantec’s hit list in the past. But I think this might be a tougher argument. It’s like the radmin detection. It’s a common enough tool, but if one person uses it for bad, oh no, it must be designated for removal. I think Symantec is playing fast and loose with the “extended security threat” categories. Sooner or later everything will be listed there.
It’s not as if Symantec makes this easy to ignore. First you add it to an ignore list for the realtime scan. Then for the scheduled scans. Then the real fun begins. You have to disable the startup quick scan (with 10.0.1.1000 and later this is an option in the SSC), and it looks like you may need to disable the defwatch scan according to this article: http://tinyurl.com/cokvu. Lastly, users may create their own scheduled scan. You can’t exclude netcat from that; all you can do is program it to leave it alone.

One Comment

  1. Don’t know if this is related and I note that your report is a long time ago but I found this when I logged into my PC today:
    “Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Threat: Hacktool
    File: C:\Temp\CISCOB~1.EXE
    Location: Unknown Storage
    Computer: Wxxxx
    User: Axxxx\SYSTEM
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Sunday, 4 February 2007 7:51:29 AM”
    Now I don’t know what the Cisco file was, but in my network support role I certainly routinely download Cisco files – predominately from Cisco, and somehow I don’t believe that Cisco build hacktools into their exe files.
    Rgds
    Mal Ward
