| Short Name | HTTP:MISC:AV-INVALID-CHKSUM |
|---|---|
| Severity | Minor |
| Recommended | No |
| Recommended Action | Drop |
| Category | HTTP |
| Keywords | Multiple AV Vendor Invalid Archive Checksum Bypass |
| Release Date | 2013/05/29 |
| Update Number | 2268 |
| Supported Platforms | idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |

This signature detects attempts against a known vulnerability in the way multiple anti-virus products scan ZIP archive files. A malicious ZIP archive containing known trojans or viruses may be downloaded and stored on the local file system without the affected product raising a warning or otherwise informing the user of a potential threat. The product in such a case exhibits ineffective and misleading behavior.

Multiple antivirus products from various vendors are reported prone to a vulnerability that may allow potentially malformed ZIP archives to bypass detection. This issue arises when an affected application processes a ZIP archive with an invalid CRC-32 checksum. It should be noted that affected software may still detect a malicious file in the archive when it is decompressed or scanned manually.

The discoverer of this vulnerability has reported that this issue affects H+BEDV AntiVir, AVG Anti-Virus, Sybari Antigen for Microsoft Exchange, and products by McAfee and BitDefender. Symantec products were not found to be vulnerable to the issue.

**Update:** Symantec believes that the impact of this issue is low. This is because an archive handler processing an archive that possesses a corrupt CRC-32 checksum will fail, reporting that the archive is corrupt. This would mean that a malicious file contained in such an archive would not be directly accessible to a target recipient user. Alternatively, if the CRC-32 checksum is corrected manually by the recipient user and the file is extracted, it will likely be detected by client-side anti-virus solutions during the file extraction routine. This detection will likely occur before the malicious file is directly processed by the end user.
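
A gateway or mail filter that hands archives to a scanner can fail closed on this condition, matching the signature's Drop action. The Python below is an added example, not part of the signature or any vendor's code; the function names `audit_zip`, `gateway_verdict` and `build_sample` and the sample archive are constructed for illustration.

```python
import io
import zipfile
import zlib

# Errors that mean a member could not be read and verified end to end.
UNVERIFIABLE = (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError)


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) for every member whose content fails verification."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [("<archive>", str(exc))]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                # zipfile compares the running CRC-32 with the stored value
                # at end of member and raises BadZipFile on a mismatch.
                with zf.open(info) as member:
                    while member.read(1 << 16):
                        pass
            except UNVERIFIABLE as exc:
                findings.append((info.filename, str(exc)))
    return findings


def gateway_verdict(data: bytes) -> str:
    """Fail closed: an archive the scanner cannot fully read is never 'clean'."""
    return "drop" if audit_zip(data) else "scan"


def build_sample(corrupt: bool) -> bytes:
    """Constructed sample: two harmless text members, optionally one altered byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "harmless constructed sample\n")
        zf.writestr("notes.txt", "second member\n")
    data = buf.getvalue()
    if corrupt:
        # Change one payload byte so the stored CRC-32 no longer matches.
        data = data.replace(b"harmless", b"harmlesz", 1)
    return data


if __name__ == "__main__":
    for label, blob in (("intact", build_sample(False)), ("bad-crc", build_sample(True))):
        print(label, gateway_verdict(blob), audit_zip(blob))
```

Encrypted or unsupported-compression members also land in the findings, since their content cannot be verified either.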