Bugtraq mailing list archives
TrendMicro Interscan VirusWall security problem
From: "Pedro Quintanilha" <PQuintanilha () abril com br>
Date: Fri, 24 May 2002 15:05:05 -0300
Hi there! I've noted that Trend's Interscan Viruswall has a horrendous "feature" in its WinNT/2K implementation, that is not present in *UX implementations. In most installations Interscan listens on port 25 (SMTP), receives the message, scans it, and then re-sends it to the "real" SMTP daemon (listening on another port), preserving the SMTP header present in the message. But, since it doesn't include a new line in the SMTP header with the sender's IP, and doesn't write any extra log including it (it just logs virus occurrences), the final message header will not contain the real sender's IP!! In other words, if you want to trace back the origin of a message, you cannot use the message header to discover the sender's IP.

I've consulted Trend's support about that, and they told me that it's a "product feature", *not* a bug. Well... If it is a "product feature", why is it only present in the Win32 implementations, and not in *UX?

Example:

===============================================================================================
Microsoft Mail Internet Headers Version 2.0
Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
	 Thu, 23 May 2002 20:02:08 -0300
Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft SMTPSVC(5.0.2195.2966);
	 Thu, 23 May 2002 20:02:08 -0300
Subject: Test
===============================================================================================

In this header you see that the message was received by smtp.domain1.com from itself... it was registered by the SMTP daemon when it received the Interscan (installed on the same machine) "re-transmission". It's ok, but, where is the original sender's IP???

I've tested it on an Interscan Viruswall 3.52 build 1375, but I think that it's present on all Win32 versions. While Trend is a so-called security company, I'm afraid about other hidden "features" in its products.
Pedro Quintanilha
Information Security
Editora Abril s/a
pquintanilha () abril com br
+55-11-3037-4297
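An added example, not part of the original post and not Trend Micro's code: a check a mail administrator could run over stored messages to find those whose oldest Received line only records the local hand-off described above, so the connecting client's address is missing. The function names, the `own_ips` parameter and the extra hop in `WITH_CLIENT` (192.0.2.10, client.example) are assumptions made for illustration.

```python
import re
from email import message_from_string

# Headers as quoted in the post above (continuation lines re-folded).
SAMPLE = """\
Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
 Thu, 23 May 2002 20:02:08 -0300
Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft SMTPSVC(5.0.2195.2966);
 Thu, 23 May 2002 20:02:08 -0300
Subject: Test

body
"""

# Constructed contrast case: the same message with one extra, oldest hop that
# names the connecting client (documentation-range address, hypothetical host).
WITH_CLIENT = SAMPLE.replace(
    "Subject:",
    "Received: from client.example ([192.0.2.10]) by smtp.domain1.com with SMTP;\n"
    " Thu, 23 May 2002 20:02:07 -0300\nSubject:",
)

HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\(\[(?P<from_ip>[^\]]+)\]\)\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)

def parse_hops(raw):
    """Return the Received hops, newest first, as dicts of from_host/from_ip/by_host."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))  # undo header folding
        if match:
            hops.append(match.groupdict())
    return hops

def origin_lost(raw, own_ips):
    """True when the oldest hop was sent from one of our own addresses, so no
    Received line records the external client that connected to port 25."""
    hops = parse_hops(raw)
    return not hops or hops[-1]["from_ip"] in own_ips

if __name__ == "__main__":
    own = {"172.0.0.1"}  # address of the scanning relay in the post's example
    for name, raw in (("post sample", SAMPLE), ("with client hop", WITH_CLIENT)):
        print(name, "-> origin lost:", origin_lost(raw, own))
```

The comparison uses the bracketed IP rather than the host name because the name after `from` is whatever the sending side announced.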