Fwd: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.
---------- Forwarded message ----------
From: Mert SARICA <mert.sarica@xxxxxxxxx>
Date: 05.Şub.2006 13:59
Subject: Re: Trend Micro ServerProtect version 5.58 can be easily
circumvented via the mechanism that limits how many files to scan.
To: prashant.meswani@xxxxxxxxxxxxxx
Of course it is a real threat.
ZIP(500 empty text files + 1 KB VIRUS) = not detectable
Does not it make any sense? What if somebody uses a portal server and
secure that portal with secure protect and let users upload and
download files?
If it is a server protect it has to secure server.
And the logical way for detecting must be checking both size and file
count then skip instead of just counting files and skip.
05.02.2006 tarihinde Prashant Meswani <prashant.meswani@xxxxxxxxxxxxxx> yazmış:
> You need to weigh up the pros and cons of using the maximum number of files
> to scan in a compressed files option in any product. You have to ask
> yourself, if I extract all these files, what are the chances the infected
> file will be picked up by the real-time scanner against the option of
> scanning every single file in a compressed file and overutilising the CPU
> and memory resources on the server. Serverprotect is one of TrendMicro's
> first AV to corporate market and did not get much major development since
> release. Serverprotect has now been superceded by Officescan 7.x (which is
> supported on servers). Maybe it's worth looking at whether Officescan has
> the same issues and weigh up the risks of that issue in relation to the
> security of the server. Is 500+ files in a zip file that has not been
> scanned a real threat / security breach?
>
>
> Regards,
>
>
>
> Prashant Meswani.
>
>
>
> The opinions outlined in this email is that of my own and does not represent
> the Residents Association or any other organisation I am related to.
>
>
> -----Original Message-----
> From: Mert Sarıca [mailto:mert.sarica@xxxxxxxxx]
> Sent: Friday, February 03, 2006 8:46 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Trend Micro ServerProtect version 5.58 can be easily circumvented
> via the mechanism that limits how many files to scan.
>
> http://www.packetstormsecurity.org/filedesc/Bypass.pdf.html
>
> Some people say this method works also on Trend Micro InterScan Messaging
> Security Suite and InterScan Web Security Suite. I really appreciate if you
> use one of these and can able to test.
>
>
>
--
Saygılarımla,
Mert Sarıca
--
Saygılarımla,
Mert Sarıca