Message-ID: <Pine.LNX.4.58.0602032108290.23347@gandalf.hugo.vanderkooij.org>
Date: Fri, 3 Feb 2006 21:21:26 +0100 (CET)
From: Hugo van der Kooij <hvdkooij@...derkooij.org>
To: Mert Sarıca <mert.sarica@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Trend Micro ServerProtect version 5.58 can be easily circumvented
 via the mechanism that limits how many files to scan.


On Fri, 3 Feb 2006, Mert Sarıca wrote:

> http://www.packetstormsecurity.org/filedesc/Bypass.pdf.html
>
> Some people say this method works also on Trend Micro InterScan
> Messaging Security Suite and InterScan Web Security Suite. I would really
> appreciate it if you use one of these and are able to test.

All gateway products like IMSS and IWSS can be defined to drop any archive
file that exceeds any of the given limits.

In fact, in my installation today I verified this to be the default setting
for IMSS v5.7 and IWSS v2.5 and that these settings may in fact be
relatively low for practical application. (In fact resulting in archive
files being dropped just because the archive contained too many files.)

ServerProtect is different as it works on files already present. It
however reports a problem to which one should attend. So any file which
could not be scanned completely should be considered as suspect by the
operator.

Considering that on-access scanning can make a server crawling slow if you
choose to increase the limits shown in the article, it may result in a
trade-off that may not catch all of the infections in real-time.

Settings for a batch scan should be handled differently and here the
default values are too low in my (not so humble) opinion.

Hugo.

-- 
	I hate duplicates. Just reply to the relevant mailinglist.
	hvdkooij@...derkooij.org		http://hvdkooij.xs4all.nl/
		Don't meddle in the affairs of magicians,
		for they are subtle and quick to anger.
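
Added illustration, not part of the original message and not Trend Micro's code: a sketch of the policy difference discussed in this thread, where a scanner that stops at its archive limits and passes the file is contrasted with one that marks any incompletely scanned archive as suspect. The names (`triage_archive`, `max_files`, `max_unpacked`, `fail_closed`) and the marker string are hypothetical, and the archives are constructed in memory.

```python
import io
import zipfile

MARKER = b"CONSTRUCTED-TEST-MARKER"  # stand-in for a signature match, not real malware

def build_zip(members):
    """Build an in-memory ZIP from (name, bytes) pairs (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members:
            zf.writestr(name, body)
    return buf.getvalue()

def triage_archive(data, max_files=5, max_unpacked=1_000_000, fail_closed=True):
    """Return (verdict, reason); verdict is 'clean', 'infected' or 'suspect'."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "suspect", "archive could not be parsed"
    with zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        over = []
        if len(infos) > max_files:
            over.append(f"{len(infos)} members > limit {max_files}")
        if declared > max_unpacked:
            over.append(f"{declared} declared bytes > limit {max_unpacked}")
        if over and fail_closed:
            # Gateway-style policy: an archive that cannot be scanned in full is not passed.
            return "suspect", "; ".join(over)
        budget = max_unpacked
        for info in infos[:max_files]:  # fail-open path silently skips the remainder
            with zf.open(info) as fh:
                body = fh.read(budget + 1)  # bounded read; declared sizes can be wrong
            if MARKER in body:
                return "infected", info.filename
            budget -= len(body)
            if budget < 0:
                # Size limit reached mid-scan: the verdict again depends on the policy.
                return ("suspect" if fail_closed else "clean"), "unpacked size limit reached"
        return "clean", "partial scan, limits exceeded" if over else "all members scanned"

# Constructed samples: six members with the marker in the last one, and a one-member archive.
filler = [(f"doc{i}.txt", b"benign") for i in range(5)]
PADDED = build_zip(filler + [("last.bin", MARKER)])
SMALL = build_zip([("only.bin", MARKER)])
```

With `fail_closed=False` the padded sample comes back "clean" with a "partial scan" reason, which is the outcome an operator has to notice and follow up on; with `fail_closed=True` the same file is held as "suspect".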

