F-Secure Security Bulletin FSC-2006-4
Scanning bypass vulnerability in antivirus products for Windows

Date issued	2006-06-28
Last updated	2006-06-28
Risk factor	High (Low/Medium/High/Critical)
Brief description	Antivirus products for Windows client and server systems fail to detect malware under certain circumstances. Failures of this kind may lead to malware infections on protected systems. Linux, Mobile and Windows-based gateway products are not affected by the vulnerability.
Software	F-Secure Anti-Virus client and server products for the Windows operating system
Affected versions	F-Secure Anti-Virus 2003 - 2006 F-Secure Internet Security 2003 - 2006 F-Secure Service Platform for Service Providers 6.xx and earlier F-Secure Anti-Virus for Workstations version 5.44 and earlier F-Secure Anti-Virus Client Security version 6.01 and earlier F-Secure Anti-Virus for Windows Servers version 5.52 and earlier F-Secure Anti-Virus for Citrix Servers version 5.50 - 5.52 F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier Note: Earlier versions of F-Secure Service Platform for Service Providers are known as F-Secure Personal Express
Affected platforms	Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 Some of the affected product versions support other platforms than those mentioned above. Installations on such platforms are not affected by the vulnerability.
Bulletin location	http://www.f-secure.com/security/fsc-2006-4.shtml
Issue:	The advisory and issued hotfixes address two separate scenarios that both can lead to malware bypass. The name of an executable program has been modified in a certain way. This leads to scanning failure despite the fact that it may be possible to execute the file. The product fails to scan files on removable media. This occurs only in certain configurations where the Scan network drives option has been disabled. Both scenarios may lead to system infection as the real-time scanner may grant permission to execute program files even if they are infected.The vulnerability cannot, to F-Secure's knowledge, be used for privilege escalation attacks or to gain remote access to affected systems.
Products:	F-Secure Anti-Virus 2003 - 2006 F-Secure Internet Security 2003 - 2006 F-Secure Service Platform for Service Providers 6.xx and earlier Co-branded service provider concepts based on one of the above products Note: Earlier versions of F-Secure Service Platform for Service Providers are known as F-Secure Personal Express
Risk Factor:	Medium These systems are affected by the vulnerability but the needed hotfixes are distributed automatically to all the affected systems. Users do not need to take any actions.
Products:	F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
Risk Factor:	Medium These systems are affected by the vulnerability but their main task is typically to filter mail traffic. The vulnerability only affects local use of the computer and the risk for infection is thus significantly lower. F-Secure recommends that administrators of systems in this category apply the needed hotfix or upgrade to a version that is not affected, if available.
Products:	All other affected products
Risk Factor:	High All these products are typically used on systems where programs are executed both from the hard drive and removable media. F-Secure recommends that administrators of systems in this category apply the needed hotfix or upgrade to a version that is not affected, if available.
Mitigating Factors:	Products for home users and service provider concepts use automatic hotfix distribution and will be patched without user actions. The ability to execute program files with modified names is decreased. Some of the methods that normally can be used to launch a program fail with files modified in this way. The scanning failure on removable media only occurs if the Scan network drives option has been turned off. Linux, Mobile and Windows-based gateway products are not affected by the vulnerability. The vulnerability only affects some of the platforms that the affected products support.
Patch and upgrade availability:
Product Versions Hotfix ID Download F-Secure Anti-Virus 2003 - 2006 - Hotfix distributed automatically, no user actions needed. F-Secure Internet Security 2003 - 2006 - Hotfix distributed automatically, no user actions needed. F-Secure Personal Express 5.xx and earlier Hotfix distributed automatically, no user actions needed. F-Secure Internet Security for Service Providers 6.xx Hotfix distributed automatically, no user actions needed. F-Secure Anti-Virus for Workstations 5.42 - 5.44 Hotfix fsavwk620-02: ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix Or upgrade with remote installation package 5.44 build 12250 ftp://ftp.f-secure.com/support/hotfix/fsav/fsav_5.44-wks-12250-signed.jar F-Secure Anti-Virus Client Security version 5.54 - 6.01 Hotfix fsavwk620-02: ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix Or upgrade with remote installation package 5.55SR3, 5.58 or 6.02 ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_5.55-SR3-12251-signed.jar ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_5.58-12250-signed.jar ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavcs_6.02-12250-signed.jar F-Secure Anti-Virus for Windows Servers 5.50 - 5.52 Hotfix fsavsr552-05 ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix Or upgrade with remote installation package 5.52 build 12250 ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsav_5.52-srv-12250-signed.jar F-Secure Anti-Virus for Citrix Servers 5.50 - 5.52 Hotfix fsavsr552-05: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix F-Secure Anti-Virus for MIMEsweeper 5.61 Hotfix fsavsr552-05: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix
Revision History:	FSC-2006-4 - 2006-06-28
Contact Information:	Support:  http://support.f-secure.com/enu/corporate/contactus/ Security: http://www.f-secure.com/security/ URL:       http://www.f-secure.com/