Check Point Advisories

Multiple Vendor AntiVirus Extended ASCII Filename Scan Bypass

Check Point Reference: CPAI-2005-309
Date Published: 15 Dec 2009
Severity: High
Last Updated: Tuesday 15 December, 2009
Source:
Protection Provided by:

Security Gateway
R81, R80, R77, R75

Who is Vulnerable?
Vulnerability Description

Anti-Virus (AV) scanner software is provided by numerous vendors to detect the transfer or presence of known malicious software. Most AV scanners implement two main scanning strategies: on-demand and on-access scanning. On-demand scanning occurs when a user explicitly requests a scan, either of specific files or of the whole file system; the AV scanner is thus activated manually by the user. The second mode of operation, on-access scanning, occurs when the virus scanner automatically invokes itself to examine the computer's memory and file system each time a program accesses these resources.

AntiVirus products from several vendors are affected by a virus scan bypass vulnerability. The vulnerability may allow an attacker to deliver a known virus to a target host while evading the virus scan. Exploitation of this flaw may result in the compromise of the target host.

The virus scan protection of the vulnerable AntiVirus products is evaded as a result of the attack. The targeted host will not experience any visible change in behavior as a result of this evasion. The malicious file will be saved on the target system and may aid in further attacks.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections, find the Multiple Vendor AntiVirus Extended ASCII Filename Scan Bypass protection using the Search tool, and edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Security Products Enforcement Violation.
Attack Information:  Multiple vendor AntiVirus extended ASCII filename scan bypass
