Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Trend Micro InterScan VirusWall Content-Length Scan Bypass Vulnerability

Trend Micro InterScan VirusWall Content-Length Scan Bypass Vulnerability

by Nikola Strahija on March 13th, 2002 Trend Micro InterScan VirusWall is a high performance internet gateway virus scanning package. It is capable of scanning incoming content over HTTP, SMTP and FTP for viruses and malicious code.


A vulnerability has been reported in some versions of VirusWall. An option exists called "Skip scanning if Content-length equals 0", which is enabled by default. A malicious web server may return infected content with this header set to 0, and bypass the VirusWall scanner. As many popular client programs will ignore this header and display the content, this may allow malicious content to bypass VirusWall and still be interpreted by a client system.

Other versions of VirusWall may share this vulnerability. This has not been confirmed.

Remote: Yes

Exploit: No exploit is required.

A demo server has been provided by Inside Security GmbH:

http://www.inside-security.de/vwall_cl0_poc.html

Solution: Disable the "Skip scanning if Content-length equals 0" option in the HTTP proxy configuration using the VirusWall web administration interface. When disabled certain sites may display slowly, in this case the "server timeout" value on the advanced configuration page should be configured to a smaller value.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »