Bugtraq mailing list archives
Fwd: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.
From: Mert SARICA <mert.sarica () gmail com>
Date: Mon, 6 Feb 2006 09:12:26 +0200
---------- Forwarded message ----------
From: Mert SARICA <mert.sarica () gmail com>
Date: 05.Feb.2006 13:59
Subject: Re: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.
To: prashant.meswani () ukonline co uk

Of course it is a real threat.

ZIP(500 empty text files + 1 KB VIRUS) = not detectable

Doesn't it make any sense? What if somebody uses a portal server, secures that portal with secure protect and lets users upload and download files? If it is a server protect, it has to secure the server. And the logical way for detecting must be checking both size and file count, then skip, instead of just counting files and skip.

On 05.02.2006, Prashant Meswani <prashant.meswani () ukonline co uk> wrote:

You need to weigh up the pros and cons of using the maximum number of files to scan in a compressed files option in any product. You have to ask yourself, if I extract all these files, what are the chances the infected file will be picked up by the real-time scanner against the option of scanning every single file in a compressed file and overutilising the CPU and memory resources on the server.

Serverprotect is one of TrendMicro's first AV to corporate market and did not get much major development since release. Serverprotect has now been superseded by Officescan 7.x (which is supported on servers). Maybe it's worth looking at whether Officescan has the same issues and weigh up the risks of that issue in relation to the security of the server.

Is 500+ files in a zip file that has not been scanned a real threat / security breach?

Regards,
Prashant Meswani.

The opinions outlined in this email are my own and do not represent the Residents Association or any other organisation I am related to.

-----Original Message-----
From: Mert Sarıca [mailto:mert.sarica () gmail com]
Sent: Friday, February 03, 2006 8:46 AM
To: bugtraq () securityfocus com
Subject: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.

http://www.packetstormsecurity.org/filedesc/Bypass.pdf.html

Some people say this method also works on Trend Micro InterScan Messaging Security Suite and InterScan Web Security Suite. I would really appreciate it if you use one of these and are able to test.

--
Regards,
Mert Sarıca

--
Regards,
Mert Sarıca
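
The size-and-count check proposed in the message above, as an added Python sketch that is not part of the original posts and is not Trend Micro code. The function names, the limits, the fail-closed "block" verdict and the model of the count-only behaviour (scan the first N entries, then stop) are assumptions made for illustration; the sample archive is constructed in memory with harmless filler bytes.

```python
import io
import zipfile

MAX_MEMBERS = 500                 # assumed count limit, mirroring the 500-file figure in the thread
MAX_TOTAL_BYTES = 50 * 1024**2    # assumed budget for total declared uncompressed bytes

def build_sample(n_empty, tail_bytes):
    """Constructed sample: n_empty empty text files followed by one small file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(n_empty):
            zf.writestr(f"empty_{i:03d}.txt", b"")
        zf.writestr("last.bin", tail_bytes)
    return buf.getvalue()

def count_only_plan(data, max_members=MAX_MEMBERS):
    """Assumed model of a count-only limit: take the first N entries, ignore the rest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()[:max_members]

def plan_scan(data, max_members=MAX_MEMBERS, max_total=MAX_TOTAL_BYTES):
    """Decide on size and count together; never pass an archive with unscanned content.

    Zero-byte members cost nothing to scan, so they do not consume the member budget.
    Returns ("scan", names_to_scan) or ("block", []).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    nonempty = [i for i in infos if i.file_size > 0]
    # file_size is the size declared in the archive; a production scanner must also
    # enforce the byte budget while decompressing, since the header can understate it.
    total = sum(i.file_size for i in nonempty)
    if len(nonempty) > max_members or total > max_total:
        return "block", []        # fail closed: treat as unscanned, do not deliver
    return "scan", [i.filename for i in nonempty]

if __name__ == "__main__":
    sample = build_sample(500, b"X" * 1024)   # harmless filler standing in for the 1 KB file
    print("count-only covers last.bin:", "last.bin" in count_only_plan(sample))
    print("size+count plan:", plan_scan(sample))
```
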