[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <2784153.1062593791@[10.3.62.6]>
Date: Wed, 03 Sep 2003 12:56:31 +0200
From: "Dr. Peter Bieringer" <pbieringer@...asec.de>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
"full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com>
Subject: Trend Micro Interscan Viruswall: missing whole_file_scan=yes let
pass at least one Sobig.f eMail
Hi,
seen on Interscan Viruswall for Linux 3.8 Build 1080, one email containing
a Sobig.f passed the scanner without any detection.
A Trend Micro "vscan" run on the received plain mail will detect the virus.
Response from support: add in section "[smtp]" option "whole_file_scan=yes"
Interesting, looks like the default is "no" (very dangerous imho), also it
looks like this option is neither documented nor changeable via web
interface.
Probably not only Linux versions are involved and perhaps lower version,
too.
Google reports only 3 hits about this option, all in Japaneese.
Looks like this issue rised up already earlier, but don't find a way into
docs or web interface.
(Perhaps they had scan speed problems some time ago and decided to
implement such dangerous option...as told, default is: not scanning the
whole file = message).
BTW: If someone would test this kind of Sobig.f mail, send a note and I
will send it in an email to you, if the requests are low in number...
Hope this helps,
Peter
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Straße 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer@...asec.de
Germany Internet: http://www.aerasec.de
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists