Re: [Full-Disclosure] Trend Micro Interscan Viruswall: missing whole_file_scan=yes let pass at least one Sobig.f eMail

["Dr. Peter Bieringer" <pbieringer@xxxxxxxxxx>]

Hi again,

--On Mittwoch, 3. September 2003 13:22 +0200 "Dr. Peter Bieringer" 
<pbieringer@xxxxxxxxxx> wrote:

> --On Mittwoch, 3. September 2003 12:56 +0200 "Dr. Peter Bieringer"
> <pbieringer@xxxxxxxxxx> wrote:
>
> > seen on Interscan Viruswall for Linux 3.8 Build 1080, one email
> > containing a Sobig.f passed the scanner without any detection.
> >
> > A Trend Micro "vscan" run on the received plain mail will detect the
> > virus.
> >
> > Response from support: add in section "[smtp]" option
> > "whole_file_scan=yes"
> >
> > Interesting, looks like the default is "no" (very dangerous imho), also
> > it looks like this option is neither documented nor changeable via web
> > interface.

I would only note that we also found at least one Bugbear (PE_BUGBEAR.DAM) 
passing if "whole_file_scan=yes" is not enabled.

In addition a short note about the scan version engines:

VSAPI v5.600-1011 (contained in Linux 3.8/build 1080)
didn't found this Bugbear in any case
found Sobig.f with whole_file_scan

VSAPI v6.510-1002 (latest found on de.trendmicro-europe.com)
found this Bugbear only with whole_file_scan


-> Check version of scan engine and update, if not current:
# /opt/trend/ISBASE/IScan.BASE/vscan -v


Hope this helps,
        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@xxxxxxxxxx
Germany                                Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html