| Date issued | 2006-06-28 |
|---|---|
| Last updated | 2006-06-28 |
| Risk factor | High (Low/Medium/High/Critical) |
| Brief description | Antivirus products for Windows client and server systems fail to detect malware under certain circumstances. Failures of this kind may lead to malware infections on protected systems. Linux, Mobile and Windows-based gateway products are not affected by the vulnerability. |
| Software | F-Secure Anti-Virus client and server products for the Windows operating system |
| Affected versions | F-Secure Anti-Virus 2003 - 2006; F-Secure Internet Security 2003 - 2006; F-Secure Service Platform for Service Providers 6.xx and earlier; F-Secure Anti-Virus for Workstations version 5.44 and earlier; F-Secure Anti-Virus Client Security version 6.01 and earlier; F-Secure Anti-Virus for Windows Servers version 5.52 and earlier; F-Secure Anti-Virus for Citrix Servers version 5.50 - 5.52; F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier. Note: Earlier versions of F-Secure Service Platform for Service Providers are known as F-Secure Personal Express. |
| Affected platforms | Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003. Some of the affected product versions support other platforms than those mentioned above. Installations on such platforms are not affected by the vulnerability. |
| Advisory location | http://www.f-secure.com/security/fsc-2006-4.shtml |
| Issue | The advisory and issued hotfixes address two separate scenarios that both can lead to malware bypass. (1) The name of an executable program has been modified in a certain way. This leads to scanning failure despite the fact that it may be possible to execute the file. (2) The product fails to scan files on removable media. This occurs only in certain configurations where the "Scan network drives" option has been disabled. Both scenarios may lead to system infection as the real-time scanner may grant permission to execute program files even if they are infected. The vulnerability cannot, to F-Secure's knowledge, be used for privilege escalation attacks or to gain remote access to affected systems. |
| Products | F-Secure Anti-Virus 2003 - 2006; F-Secure Internet Security 2003 - 2006; F-Secure Service Platform for Service Providers 6.xx and earlier; co-branded service provider concepts based on one of the above products. Note: Earlier versions of F-Secure Service Platform for Service Providers are known as F-Secure Personal Express. |
| Risk factor | Medium |
| These systems are affected by the vulnerability but the needed hotfixes are distributed automatically to all the affected systems. Users do not need to take any actions. | |
| Products | F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier |
| Risk factor | Medium |
| These systems are affected by the vulnerability but their main task is typically to filter mail traffic. The vulnerability only affects local use of the computer and the risk for infection is thus significantly lower. F-Secure recommends that administrators of systems in this category apply the needed hotfix or upgrade to a version that is not affected, if available. | |
| Products | All other affected products |
| Risk factor | High |
| All these products are typically used on systems where programs are executed both from the hard drive and removable media. F-Secure recommends that administrators of systems in this category apply the needed hotfix or upgrade to a version that is not affected, if available. | |
| Mitigating factors | |

Available patches and upgrades:

| Product | Versions | Hotfix ID | Download |
|---|---|---|---|
| F-Secure Anti-Virus | 2003 - 2006 | Hotfix distributed automatically, no user actions needed. | |
| F-Secure Internet Security | 2003 - 2006 | Hotfix distributed automatically, no user actions needed. | |
| F-Secure Personal Express | 5.xx and earlier | Hotfix distributed automatically, no user actions needed. | |
| F-Secure Internet Security for Service Providers | 6.xx | Hotfix distributed automatically, no user actions needed. | |
| F-Secure Anti-Virus for Workstations | 5.42 - 5.44 | fsavwk620-02 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix or upgrade with remote installation package 5.44 build 12250: ftp://ftp.f-secure.com/support/hotfix/fsav/fsav_5.44-wks-12250-signed.jar |
| F-Secure Anti-Virus Client Security | 5.54 - 6.01 | fsavwk620-02 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix or upgrade with remote installation package 5.55SR3, 5.58 or 6.02: ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_5.55-SR3-12251-signed.jar ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_5.58-12250-signed.jar ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_6.02-12250-signed.jar |
| F-Secure Anti-Virus for Windows Servers | 5.50 - 5.52 | fsavsr552-05 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix or upgrade with remote installation package 5.52 build 12250: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsav_5.52-srv-12250-signed.jar |
| F-Secure Anti-Virus for Citrix Servers | 5.50 - 5.52 | fsavsr552-05 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix |
| F-Secure Anti-Virus for MIMEsweeper | 5.61 | fsavsr552-05 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix |

| Revision history | FSC-2006-4 / 2006-06-28 |
|---|---|

Contact information:
Support: http://www.f-secure.com/en_EMEA/support/