Trend Micro Interscan Viruswall: missing whole_file_scan=yes let pass at least one Sobig.f eMail

["Dr. Peter Bieringer" <pbieringer () aerasec de>]

Hi,

seen on Interscan Viruswall for Linux 3.8 Build 1080, one email containing 
a Sobig.f passed the scanner without any detection.

A Trend Micro "vscan" run on the received plain mail will detect the virus.

Response from support: add in section "[smtp]" option "whole_file_scan=yes"

Interesting, looks like the default is "no" (very dangerous imho), also it 
looks like this option is neither documented nor changeable via web 
interface.

Probably not only Linux versions are involved and perhaps lower version, 
too.

Google reports only 3 hits about this option, all in Japaneese.
Looks like this issue rised up already earlier, but don't find a way into 
docs or web interface.

(Perhaps they had scan speed problems some time ago and decided to 
implement such dangerous option...as told, default is: not scanning the 
whole file = message).

BTW: If someone would test this kind of Sobig.f mail, send a note and I 
will send it in an email to you, if the requests are low in number...

Hope this helps,
        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer () aerasec de
Germany                                Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html