TUCoPS :: General Information :: mult5684.htm

Bypassing VirusWall
13th Sep 2002 [SBWID-5684]
COMMAND

	
		Bypassing TrendMicro InterScan VirusWall
	
	

SYSTEMS AFFECTED

	
		 * InterScan VirusWall 3.6 on Red Hat 7.0 is vulnerable to chunked transfer encoding.

		 * InterScan VirusWall 3.52 on Windows is vulnerable to both chunked transfer encoding
		   and gzip content encoding.

		
	
	

PROBLEM

	
		Vincent Royer of Althes [http://www.althes.fr/] posted:

		According to our tests, TrendMicro VirusWall can be bypassed when using:
		

		 * HTTP 1.1 chunked transfer encoding.

		 * HTTP 1.0 gzip content encoding for Windows platforms only.

		

		While HTTP/1.0 includes the Content-Encoding header, which indicates
		the end-to-end content-coding(s) used for a message, HTTP/1.1 adds the
		Transfer-Encoding header, which indicates the hop-by-hop
		transfer-coding(s) used for a message. Thus, compression can be done
		either as a content-encoding or as a transfer-encoding.
		

		        The gzip Content Encoding

		

		Downloading a zipped file doesn't mean that the gzip content-encoding
		is used. In this case you will get a response where content-type is
		application/zip (see zip-file.txt trace). In the following examples,
		our web server is configured to use the gzip content-encoding.
		

		        The Chunked Transfer Encoding

		

		With the HTTP 1.1 chunked transfer encoding, the sender breaks the
		message body into chunks of arbitrary length, and each chunk is sent
		with its length prepended. The chunked transfer encoding is used when
		the HTTP server does not know the response message length, which is
		always the case when using gzip compression.
		

		        Proxy chaining may use HTTP 1.1 when:

		 * your MS Internet Explorer is configured to use it (see advanced
		   options)

		 * your proxy chaining architecture requires HTTP 1.1 for performance
		   reasons
		

		Although TrendMicro InterScan VirusWall 3.x is not supposed to support
		HTTP 1.1, malicious files are correctly blocked over HTTP 1.1 without the
		chunked transfer encoding. So, many users are probably using HTTP 1.1,
		leaving their systems vulnerable to virus or trojan attacks. Windows
		users may download any virus located on a web server that uses the HTTP
		1.0 gzip content encoding.
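
		The decoding step a scanning proxy needs so that neither encoding hides the body from it, as an added Python example (not code from the advisory, Althes or TrendMicro). The header parser, the two response builders and the marker string are constructed for this demonstration; the chunk framing follows the RFC 2616 description given above, and the builder deliberately splits the marker across two chunks to show why matching the raw wire bytes is not enough.

```python
import gzip

SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"  # constructed marker, not a real sample

def parse_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def dechunk(body):
    """Reassemble a chunked body: hex size line, data, CRLF, ..., a '0' chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)                       # last chunk; trailers ignored
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2                             # step over the chunk's CRLF

def normalize(raw):
    """Undo the transfer-encoding, then the content-encoding, as a browser does."""
    headers, body = parse_response(raw)
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body

def scan(raw, decode=True):
    """decode=False is the bypassed behaviour: matching the wire bytes only."""
    return SIGNATURE in (normalize(raw) if decode else raw)

def chunked_response(payload):
    """Constructed HTTP/1.1 response carrying payload in two chunks."""
    a, b = payload[:10], payload[10:]
    body = b"%x\r\n%s\r\n%x\r\n%s\r\n0\r\n\r\n" % (len(a), a, len(b), b)
    return b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n" + body

def gzip_response(payload):
    """Constructed HTTP/1.0 response with gzip content-encoding."""
    body = gzip.compress(payload)
    return b"HTTP/1.0 200 OK\r\nContent-Encoding: gzip\r\n\r\n" + body
```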
	
	

SOLUTION

	
		 * Use HTTP 1.0 for proxy chaining

		

		 * According to TrendMicro, InterScan VirusWall version 5 should support

	
