Check Point Advisories

Multiple Vendor Anti-Virus Magic Byte Detection Evasion

Check Point Reference: CPAI-2005-322
Date Published: 11 Feb 2010
Severity: Critical
Last Updated: Tuesday 31 January, 2017
Source:
Protection Provided by:

Security Gateway
R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description Anti-Virus (AV) software is meant to search for known viruses embedded in accessed or transferred files. The products are also known as virus scanners. Most virus scanners use a database of known binary patterns of viruses in order to identify trojans and other malware. The number of recognizable patterns is rather large in most of the popular AV product lines. In order to check every file on the file system, during a filesystem scan, every file would have to be analyzed to determine if it contains a known malicious pattern. As this would take an unacceptable amount of time, AV products attempt to determine the type of the file which is to be scanned before all patterns are checked against it. This method allows the scanner to scan a given file only for the binary patterns that correspond to its type. For example, a known JPEG virus patterns will not be searched for in a Windows executable file. AntiVirus products from several vendors are prone to a detection evasion vulnerability. The flaw is caused when the vulnerable AV determines the type of a file that it is scanning. The vulnerability may allow an attacker to deliver a known virus to a target host while evading the virus scan. The virus scan protection of the vulnerable AntiVirus products is evaded as a result of an attack. The targeted host will not experience any visible change in behaviour as a result of this evasion. The malicious virus file will be saved on the target system and may reside on the filesystem undetected for an indeterminate amount of time.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections and find the Multiple Vendor Anti-Virus Magic Byte Detection Evasion protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Security Products Enforcement Violation.
Attack Information:  Multiple Vendor Anti-Virus Magic Byte Detection Evasion

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK