lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <2784153.1062593791@[10.3.62.6]>
Date: Wed, 03 Sep 2003 12:56:31 +0200
From: "Dr. Peter Bieringer" <pbieringer@...asec.de>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
   "full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com>
Subject: Trend Micro Interscan Viruswall: missing whole_file_scan=yes let
 pass at least one Sobig.f eMail


Hi,

seen on Interscan Viruswall for Linux 3.8 Build 1080, one email containing 
a Sobig.f passed the scanner without any detection.

A Trend Micro "vscan" run on the received plain mail will detect the virus.

Response from support: add in section "[smtp]" option "whole_file_scan=yes"

Interesting, looks like the default is "no" (very dangerous imho), also it 
looks like this option is neither documented nor changeable via web 
interface.

Probably not only Linux versions are involved and perhaps lower version, 
too.

Google reports only 3 hits about this option, all in Japaneese.
Looks like this issue rised up already earlier, but don't find a way into 
docs or web interface.

(Perhaps they had scan speed problems some time ago and decided to 
implement such dangerous option...as told, default is: not scanning the 
whole file = message).

BTW: If someone would test this kind of Sobig.f mail, send a note and I 
will send it in an email to you, if the requests are low in number...

Hope this helps,
	Peter
-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@...asec.de
Germany                                Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ