Bugtraq mailing list archives

TrendMicro Interscan VirusWall security problem


From: "Pedro Quintanilha" <PQuintanilha () abril com br>
Date: Fri, 24 May 2002 15:05:05 -0300

Hi there!

I've noted that Trend's Interscan VirusWall has a horrendous "feature" in its WinNT/2K implementation that is not present in *UX implementations.

In most installations Interscan listens on port 25 (SMTP), receives the message, scans it, and then re-sends it to the "real" SMTP daemon (listening on another port), preserving the SMTP headers present in the message.
But, since it doesn't include a new line in the SMTP header with the sender's IP, and doesn't write any extra log including it (it just logs virus occurrences), the final message header will not contain the real sender's IP!!

In other words, if you want to trace back the origin of a message, you cannot use the message header to discover the sender's IP.

I've consulted Trend's support about that, and they told me that it's a "product feature", *not* a bug.
Well... If it is a "product feature", why is it only present in the Win32 implementations, and not in *UX?

Example:

===============================================================================================
Microsoft Mail Internet Headers Version 2.0
Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
         Thu, 23 May 2002 20:02:08 -0300
Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft SMTPSVC(5.0.2195.2966);
         Thu, 23 May 2002 20:02:08 -0300
Subject: Test
===============================================================================================

In this header you see that the message was received by smtp.domain1.com from itself... it was registered by the SMTP daemon when it received the Interscan (installed on the same machine) "re-transmission". It's OK, but where is the original sender's IP???

I've tested it on an Interscan VirusWall 3.52 build 1375, but I think that it's present on all Win32 versions.

While Trend is a so-called security company, I'm afraid about other hidden "features" in its products.



Pedro Quintanilha
Information Security
Editora Abril s/a
pquintanilha () abril com br
+55-11-3037-4297
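The header check described in the post, written as an added example that is not part of the original message: it unfolds the Received: lines, flags hops where a host received the message from itself (the gateway re-injection pattern shown above), and reports whether the earliest hop still names an internal host, meaning no relay ever recorded the external origin IP. The sample headers are constructed from the post; the mx.example.net / 203.0.113.7 hop in the second sample is an assumed example of what a scanning relay would normally add.

```python
import re

# Constructed sample modelled on the headers quoted in the post (not real traffic).
SAMPLE_HEADERS = """Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
         Thu, 23 May 2002 20:02:08 -0300
Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft SMTPSVC(5.0.2195.2966);
         Thu, 23 May 2002 20:02:08 -0300
Subject: Test
"""

# Constructed variant: the same chain, but the scanning relay added a Received: line
# naming the external peer (assumed host/IP, documentation range).
GOOD_HEADERS = SAMPLE_HEADERS.replace("Subject: Test\n",
    "Received: from mx.example.net ([203.0.113.7]) by smtp.domain1.com with scanning-relay;\n"
    "         Thu, 23 May 2002 20:02:07 -0300\nSubject: Test\n")

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*\(\[?(?P<ip>[0-9.]+)\]?\)\s+by\s+(?P<by>\S+)", re.I)

def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return hops as (from_host, ip, by_host), most recent first."""
    hops = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append((m.group("from"), m.group("ip"), m.group("by")))
    return hops

def audit_origin(raw, internal_hosts):
    """Flag self-received hops and whether the chain ever names an external origin."""
    hops = parse_received(raw)
    self_hops = [h for h in hops if h[0].lower() == h[2].lower()]
    # The last Received: line is the earliest hop; if its 'from' host is still one
    # of ours, no relay in the chain recorded the real sender's IP.
    first = hops[-1] if hops else None
    origin_missing = first is None or first[0].lower() in internal_hosts
    return {"hops": hops, "self_received": self_hops, "origin_missing": origin_missing}
```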

