• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Trend Micro InterScan VirusWall Space Gap Scan Bypass Vulnerability

Severity: HIGH

Description:

Trend Micro InterScan VirusWall is a high performance internet gateway virus scanning package. It is capable of scanning incoming content over HTTP, SMTP and FTP for viruses and other malicious code.

A vulnerability has been reported in VirusWall 3.52 builds prior to 1466. Reportedly, it is possible to bypass the scanning mechanism of VirusWall by adding extraneous spaces in certain email HTTP header fields.

A malicious email server may add extraneous whitespace in certain email headers. This would cause VirusWall to ignore the malicious email and not scan it. However, many popular email client programs, including Outlook, will ignore this header and display the content regardless. This may allow malicious content to bypass VirusWall and still be interpreted by a client system.

An attacker can make the following modifications to the following fields and bypass email scanning by VirusWall:
1) Replace "Content-Type:" with "Content-Type :"
2) Replace "Content-Transfer-Encoding:" with "Content-Transfer-Encoding :"
3) Replace ' boundary="----=_NextPart_000_000E_01C2100B.F369D840"' with 'boundary=----=_NextPart_000_000E_01C2100B.F369D840 '
4) Replace ' boundary="----=_NextPart_000_000E_01C2100B.F369D840"' with 'boundary= ----=_NextPart_000_000E_01C2100B.F369D840'

This vulnerability has been reported for VirusWall 3.52 build 1375 on Microsoft Windows platforms. It is not known whether other platforms are affected.

Affected Products:

• Trend Micro InterScan VirusWall for Windows NT 3.52.0

References:

• SecuriTeam: TrendMicro's VirusWall Space Gap (Virus Protection Bypassing)
• Trend Micro: InterScan VirusWall Product Home Page

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.