Bugtraq mailing list archives

Re: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Fri, 3 Feb 2006 21:21:26 +0100 (CET)

On Fri, 3 Feb 2006, Mert Sarıca wrote:

http://www.packetstormsecurity.org/filedesc/Bypass.pdf.html

Some people say this method also works on Trend Micro InterScan
Messaging Security Suite and InterScan Web Security Suite. I would really
appreciate it if you use one of these and are able to test.

All gateway products like IMSS and IWSS can be defined to drop any archive
file that exceeds any of the given limits.

In fact in my installation today I verified this to be the default setting
for IMSS v5.7 and IWSS v2.5 and that these settings may in fact be
relatively low for practical application. (In fact resulting in archive
files being dropped just because the archive contained too many files.)

ServerProtect is different as it works on files already present. It
however reports a problem to which one should attend. So any file which
could not be scanned completely should be considered suspect by the
operator.

Considering that on-access scanning can make a server crawlingly slow if you
choose to increase the limits as shown in the article, it may result in a
trade-off that may not catch all of the infections in real-time.

Settings for a batch scan should be handled differently, and here the
default values are too low in my (not so humble) opinion.

Hugo.

-- 
        I hate duplicates. Just reply to the relevant mailinglist.
        hvdkooij () vanderkooij org             http://hvdkooij.xs4all.nl/
                Don't meddle in the affairs of magicians,
                for they are subtle and quick to anger.

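The two policies Hugo contrasts above (a gateway dropping any archive that exceeds its scan limits, versus an on-disk scanner flagging what it could not fully inspect as suspect) as an added example; this is not code from the thread or from Trend Micro, and the limit values, verdict names and sample archives are constructed for illustration:

```python
import io
import zipfile

# Constructed policy values; real products expose their own settings.
MAX_FILES = 10   # entries the scanner is willing to inspect
MAX_DEPTH = 2    # archives nested inside archives


def count_entries(data: bytes, depth: int = 0) -> tuple[int, int]:
    """Walk a zip (and nested zips) and return (entries, deepest_nesting)."""
    total, deepest = 0, depth
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += 1
            if not info.filename.lower().endswith(".zip"):
                continue
            if depth >= MAX_DEPTH:
                deepest = max(deepest, depth + 1)  # too deep to open
                continue
            try:
                inner, d = count_entries(zf.read(info), depth + 1)
            except zipfile.BadZipFile:
                continue  # not really an archive; already counted as a file
            total, deepest = total + inner, max(deepest, d)
    return total, deepest


def exceeds_limits(data: bytes) -> bool:
    """True when the scanner would not be able to inspect the whole archive."""
    n, d = count_entries(data)
    return n > MAX_FILES or d > MAX_DEPTH


def gateway_verdict(data: bytes) -> str:
    """IMSS/IWSS-style policy: drop whatever cannot be fully scanned."""
    return "drop" if exceeds_limits(data) else "scan"


def on_disk_verdict(data: bytes) -> str:
    """ServerProtect-style policy: scan what fits, flag the rest as suspect."""
    return "suspect" if exceeds_limits(data) else "scanned"


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample archive: member name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

The batch-scan point in the post maps onto raising MAX_FILES and MAX_DEPTH for scheduled runs while keeping the on-access values low, with anything returning "suspect" queued for the operator.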