HTTP: Multiple AV Vendor Invalid Archive Checksum Bypass
This signature detects attempts against a known vulnerability in the way multiple anti-virus products scan ZIP archive files. A malicious ZIP archive containing known trojans or viruses may be downloaded and stored on the local file system without the affected product raising a warning or otherwise informing the user of a potential threat. The product in such a case exhibits ineffective and misleading behavior.
Extended Description
Multiple antivirus products from various vendors are reported prone to a vulnerability that may allow potentially malformed ZIP archives to bypass detection. This issue arises when an affected application processes a ZIP archive with an invalid CRC-32 checksum. It should be noted that affected software may still detect a malicious file in the archive when it is decompressed or scanned manually. The discoverer of this vulnerability has reported that this issue affects H+BEDV AntiVir, AVG Anti-Virus, Sybari Antigen for Microsoft Exchange, and products by McAfee and BitDefender. Symantec products were not found to be vulnerable to the issue.
Update: Symantec believes that the impact of this issue is low. This is because an archive handler processing an archive that possesses a corrupt CRC-32 checksum will fail, reporting that the archive is corrupt. This would mean that a malicious file contained in such an archive would not be directly accessible to a target recipient user. Alternatively, if the CRC-32 checksum is corrected manually by the recipient user and the file is extracted, it will likely be detected by client-side anti-virus solutions during the file extraction routine. This detection will likely occur before the malicious file is directly processed by the end user.
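The archive behaviour the description relies on, as an added Python example that is not part of this signature entry: it constructs a small ZIP in memory, overwrites the CRC-32 in both the local file header and the central directory, shows that a scanner which trusts the archive library's CRC check never receives the entry's bytes, and contrasts a defensive audit that recomputes the checksum, flags the mismatch and still recovers the content for scanning. The file name, sample content and the 0xDEADBEEF value are constructed for the example.

```python
import io, struct, zipfile, zlib

SAMPLE_NAME = "sample.txt"
SAMPLE_DATA = b"CONSTRUCTED SAMPLE CONTENT - stands in for the file a scanner must inspect"

def build_sample_zip(corrupt_crc: bool) -> bytes:
    """Build a one-entry ZIP in memory (constructed sample); with corrupt_crc=True the
    CRC-32 field is overwritten in the local header (offset 14) and central directory (offset 16)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SAMPLE_NAME, SAMPLE_DATA)
    data = bytearray(buf.getvalue())
    if corrupt_crc:
        local, central = data.find(b"PK\x03\x04"), data.rfind(b"PK\x01\x02")
        for pos in (local + 14, central + 16):
            data[pos:pos + 4] = struct.pack("<I", 0xDEADBEEF)
    return bytes(data)

def library_read_ok(blob: bytes) -> bool:
    """Bypassed behaviour: let the archive library validate the entry; a bad CRC raises
    and the decompressed bytes are never seen by the scanner."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            zf.read(SAMPLE_NAME)
        return True
    except zipfile.BadZipFile:
        return False

def _raw_entry(blob: bytes, info: zipfile.ZipInfo) -> bytes:
    """Decompress an entry straight from its local file header, ignoring the stored CRC."""
    hdr = struct.unpack("<4sHHHHHIIIHH", blob[info.header_offset:info.header_offset + 30])
    start = info.header_offset + 30 + hdr[9] + hdr[10]  # skip file name and extra field
    comp = blob[start:start + info.compress_size]
    if info.compress_type == zipfile.ZIP_STORED:
        return comp
    if info.compress_type == zipfile.ZIP_DEFLATED:
        return zlib.decompressobj(-15).decompress(comp)  # raw deflate, no zlib header
    raise ValueError("unsupported compression method %d" % info.compress_type)

def audit_zip(blob: bytes) -> list:
    """Defensive scan: recompute CRC-32 per entry, flag mismatches, still return the bytes."""
    report = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            raw = _raw_entry(blob, info)
            actual = zlib.crc32(raw) & 0xFFFFFFFF
            report.append({"name": info.filename, "stored_crc": info.CRC, "actual_crc": actual,
                           "status": "OK" if actual == info.CRC else "CRC_MISMATCH", "content": raw})
    return report
```

A scanner that only wraps the library call behaves like library_read_ok and reports nothing for the corrupted archive; audit_zip reports the mismatch and still yields the bytes for content inspection.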
Affected Products
Softwin BitDefender
References
BugTraq: 12771
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Symantec
Mcafee
Sybari_software
Softwin
H+bedv
Avg