lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <cd36bbe80602052312x4a069447q@mail.gmail.com>
Date: Mon, 6 Feb 2006 09:12:26 +0200
From: Mert SARICA <mert.sarica@...il.com>
To: bugtraq@...urityfocus.com
Subject: Fwd: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.

---------- Forwarded message ----------
From: Mert SARICA <mert.sarica@...il.com>
Date: 05.Şub.2006 13:59
Subject: Re: Trend Micro ServerProtect version 5.58 can be easily
circumvented via the mechanism that limits how many files to scan.
To: prashant.meswani@...nline.co.uk


Of course it is a real threat.

ZIP(500 empty text files + 1 KB VIRUS) = not detectable

Does not it make any sense? What if somebody uses a portal server and
secure that portal with secure protect and let users upload and
download files?

If it is a server protect it has to secure server.

And the logical way for detecting must be checking both size and file
count then skip instead of just counting files and skip.



05.02.2006 tarihinde Prashant Meswani <prashant.meswani@...nline.co.uk> yazmış:
> You need to weigh up the pros and cons of using the maximum number of files
> to scan in a compressed files option in any product. You have to ask
> yourself, if I extract all these files, what are the chances the infected
> file will be picked up by the real-time scanner against the option of
> scanning every single file in a compressed file and overutilising the CPU
> and memory  resources on the server. Serverprotect is one of TrendMicro's
> first AV to corporate market and did not get much major development since
> release. Serverprotect has now been superceded by Officescan 7.x (which is
> supported on servers). Maybe it's worth looking at whether Officescan has
> the same issues and weigh up the risks of that issue in relation to the
> security of the server. Is 500+ files in a zip file that has not been
> scanned a real threat / security breach?
>
>
> Regards,
>
>
>
> Prashant Meswani.
>
>
>
> The opinions outlined in this email is that of my own and does not represent
> the Residents Association or any other organisation I am related to.
>
>
> -----Original Message-----
> From: Mert Sarıca [mailto:mert.sarica@...il.com]
> Sent: Friday, February 03, 2006 8:46 AM
> To: bugtraq@...urityfocus.com
> Subject: Trend Micro ServerProtect version 5.58 can be easily circumvented
> via the mechanism that limits how many files to scan.
>
> http://www.packetstormsecurity.org/filedesc/Bypass.pdf.html
>
> Some people say this method works also on Trend Micro InterScan Messaging
> Security Suite and InterScan Web Security Suite. I really appreciate if you
> use one of these and can able to test.
>
>
>


--
Saygılarımla,
Mert Sarıca


--
Saygılarımla,
Mert Sarıca

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ