TrendMicro Interscan VirusWall security problem


 



Hi there!

I've noted that Trend's Interscan Viruswall has a horrendous "feature" in its WinNT/2K implementation, that is not present in *UX implementations.

In most installations Interscan listens on port 25 (SMTP), receives the message, scans it, and then re-sends it to the "real" SMTP daemon (listening on another port), preserving the SMTP header present in the message.
But, since it doesn't include a new line in the SMTP header with the sender's IP, and doesn't write any extra log including it (it just logs virus occurrences), the final message header will not contain the real sender's IP!!

In other words, if you want to trace back the origin of a message, you cannot use the message header to discover the sender's IP.

I've consulted Trend's support about that, and they told me that it's a "product feature", *not* a bug.
Well... If it is a "product feature", why is it only present in the Win32 implementations, and not in *UX?

Example:

===============================================================================================
Microsoft Mail Internet Headers Version 2.0
Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
	 Thu, 23 May 2002 20:02:08 -0300
Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft SMTPSVC(5.0.2195.2966);
	 Thu, 23 May 2002 20:02:08 -0300
Subject: Test
===============================================================================================

In this header you see that the message was received by smtp.domain1.com from itself... it was registered by the SMTP daemon when it received the Interscan (installed on the same machine) "re-transmission". It's ok, but where is the original sender's IP???

I've tested it on an Interscan Viruswall 3.52 build 1375, but I think that it's present on all Win32 versions.

While Trend is a so-called security company, I'm afraid about other hidden "features" in its products.



Pedro Quintanilha
Information Security
Editora Abril s/a
pquintanilha@abril.com.br
+55-11-3037-4297
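As an added example (not part of the post above, and not Trend's or anyone's product code), a small Python check that walks the Received: chain of a message and flags exactly the symptom the post describes: the earliest hop shows a host receiving from itself, so no upstream sender IP survives in the header. The sample header block is the one quoted in the post; the second input in the usage is a constructed "healthy" header.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the header block quoted in the post (two hops, the
# earliest of which is smtp.domain1.com receiving from itself).
SAMPLE_HEADERS = """\
Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
\t Thu, 23 May 2002 20:02:08 -0300
Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft SMTPSVC(5.0.2195.2966);
\t Thu, 23 May 2002 20:02:08 -0300
Subject: Test
"""

# "from <host> ([<ip>]) by <host>" as written by the SMTPSVC-style Received: lines above.
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)", re.I)


def unfold_received(raw: str) -> List[str]:
    """Return the value of every Received: header with RFC 822 line folding undone."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # continuation of the previous header line
        else:
            lines.append(line)
    return [l[len("Received:"):].strip() for l in lines if l.lower().startswith("received:")]


def parse_hop(value: str) -> Optional[Tuple[str, str, str]]:
    """Extract (from_host, from_ip, by_host) from one Received: value, or None."""
    m = RECEIVED_RE.match(value)
    return m.groups() if m else None


def originating_hop(raw: str) -> Optional[Tuple[str, str, str]]:
    """Earliest hop: Received: lines are prepended, so it is the last one in the header."""
    hops = [h for h in (parse_hop(v) for v in unfold_received(raw)) if h]
    return hops[-1] if hops else None


def origin_is_recoverable(raw: str) -> bool:
    """False when the earliest Received: shows a host receiving from itself: the
    first relay logged a hand-off from the scanning proxy on the same machine,
    so the real sender's IP was never written and cannot be traced from headers."""
    hop = originating_hop(raw)
    if hop is None:
        return False
    from_host, _from_ip, by_host = hop
    return from_host.lower() != by_host.lower()
```

Running `origin_is_recoverable(SAMPLE_HEADERS)` on the quoted header returns False, which is the trace-back failure the post complains about; a header whose earliest hop names a distinct upstream host returns True.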

