RE: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.
You need to weigh up the pros and cons of using the maximum number of files
to scan in a compressed files option in any product. You have to ask
yourself, if I extract all these files, what are the chances the infected
file will be picked up by the real-time scanner against the option of
scanning every single file in a compressed file and overutilising the CPU
and memory resources on the server. Serverprotect is one of TrendMicro's
first AV to corporate market and did not get much major development since
release. Serverprotect has now been superceded by Officescan 7.x (which is
supported on servers). Maybe it's worth looking at whether Officescan has
the same issues and weigh up the risks of that issue in relation to the
security of the server. Is 500+ files in a zip file that has not been
scanned a real threat / security breach?
Regards,
Prashant Meswani.
The opinions outlined in this email is that of my own and does not represent
the Residents Association or any other organisation I am related to.
-----Original Message-----
From: Mert Sarıca [mailto:mert.sarica@xxxxxxxxx]
Sent: Friday, February 03, 2006 8:46 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Trend Micro ServerProtect version 5.58 can be easily circumvented
via the mechanism that limits how many files to scan.
http://www.packetstormsecurity.org/filedesc/Bypass.pdf.html
Some people say this method works also on Trend Micro InterScan Messaging
Security Suite and InterScan Web Security Suite. I really appreciate if you
use one of these and can able to test.