>
> TITLE:
> McAfee Anti-Virus Engine Malformed ARJ Archive Virus Detection Bypass
>
> SECUNIA ADVISORY ID:
> SA17183
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/17183/
>
> CRITICAL:
> Not critical
>
> IMPACT:
> Security Bypass
>
> WHERE:
> From remote
>
> SOFTWARE:
> McAfee GroupShield 6.x for Microsoft Exchange
> http://secunia.com/product/3615/
> McAfee GroupShield for Exchange 2000 5.x
> http://secunia.com/product/225/
> McAfee GroupShield for Exchange 5.5 v4.x
> http://secunia.com/product/353/
> McAfee GroupShield for Exchange 5.5 v5.x
> http://secunia.com/product/224/
> McAfee GroupShield for Lotus Domino on AIX 5.x
> http://secunia.com/product/229/
> McAfee GroupShield for Lotus Domino on Windows 5.x
> http://secunia.com/product/230/
> McAfee GroupShield for Mail Servers with ePO
> http://secunia.com/product/4797/
>
> DESCRIPTION:
> fRoGGz has reported a weakness in the McAfee Anti-Virus scan engine,
> which can be exploited by malware to bypass certain scanning
> functionality.
>
> For more information:
> SA17126
>
> The weakness affects version 4.4.0 (database version 4602) when
> scanning malformed ".arj" archives. Other versions may also be
> affected.
>
> NOTE: This is not an issue on client systems, as the malware is still
> detected upon execution by the desktop on-access scanner.
>
> SOLUTION:
> Database version 4603 is able to detect some malformed ".arj"
> archives. Certain malformed ".arj" archives are still not detected.
>
> A desktop on-access scanner should be used to ensure that the malware
> is detected upon extraction.
>
> Filter all compressed file archives at border gateways if they are
> not required.
>
> PROVIDED AND/OR DISCOVERED BY:
> fRoGGz, SecuBox Labs
>
> OTHER REFERENCES:
> SA17126:
> http://secunia.com/advisories/17126/
>
> ----------------------------------------------------------------------