|Check Point Reference:||CPAI-2005-322|
|Date Published:||11 Feb 2010|
|Last Updated:||31 Jan 2017|
|Protection Provided by:||
|Who is Vulnerable?|
|Vulnerability Description||Anti-Virus (AV) software is meant to search for known viruses embedded in accessed or transferred files. The products are also known as virus scanners. Most virus scanners use a database of known binary patterns of viruses in order to identify trojans and other malware. The number of recognizable patterns is rather large in most of the popular AV product lines. In order to check every file on the file system, during a filesystem scan, every file would have to be analyzed to determine if it contains a known malicious pattern. As this would take an unacceptable amount of time, AV products attempt to determine the type of the file which is to be scanned before all patterns are checked against it. This method allows the scanner to scan a given file only for the binary patterns that correspond to its type. For example, a known JPEG virus patterns will not be searched for in a Windows executable file.AntiVirus products from several vendors are prone to a detection evasion vulnerability. The flaw is caused when the vulnerable AV determines the type of a file that it is scanning. The vulnerability may allow an attacker to deliver a known virus to a target host while evading the virus scan.The virus scan protection of the vulnerable AntiVirus products is evaded as a result of an attack. The targeted host will not experience any visible change in behaviour as a result of this evasion. The malicious virus file will be saved on the target system and may reside on the filesystem undetected for an indeterminate amount of time.|
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Security Products Enforcement Violation.
Attack Information: Multiple Vendor Anti-Virus Magic Byte Detection Evasion