[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] Trend Micro Interscan Viruswall: missing whole_file_scan=yes let pass at least one Sobig.f eMail
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] Trend Micro Interscan Viruswall: missing whole_file_scan=yes let pass at least one Sobig.f eMail
- From: "Dr. Peter Bieringer" <pbieringer@xxxxxxxxxx>
- Date: Wed, 03 Sep 2003 12:56:31 +0200
Hi,
seen on Interscan Viruswall for Linux 3.8 Build 1080, one email containing
a Sobig.f passed the scanner without any detection.
A Trend Micro "vscan" run on the received plain mail will detect the virus.
Response from support: add in section "[smtp]" option "whole_file_scan=yes"
Interesting, looks like the default is "no" (very dangerous imho), also it
looks like this option is neither documented nor changeable via web
interface.
Probably not only Linux versions are involved and perhaps lower version,
too.
Google reports only 3 hits about this option, all in Japaneese.
Looks like this issue rised up already earlier, but don't find a way into
docs or web interface.
(Perhaps they had scan speed problems some time ago and decided to
implement such dangerous option...as told, default is: not scanning the
whole file = message).
BTW: If someone would test this kind of Sobig.f mail, send a note and I
will send it in an email to you, if the requests are low in number...
Hope this helps,
Peter
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Straße 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer@xxxxxxxxxx
Germany Internet: http://www.aerasec.de
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html