Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Esafe Protect Gateway (CVP) does not scan virus under some
From: alonr () EALADDIN COM (alonr () EALADDIN COM)
Date: Thu, 23 Mar 2000 16:29:41 +0200

Dear Sir/Madam,

Referring the message quoted below, initiated by Mr. Hugo van der Kooij , I
would like to bring up a few points opposing the analysis of our product,
eSafe Protect Gateway for CVP firewalls version 2.1 (also known as eSafe

eSafe Gateway, integrated with Checkpoint's "Firewall-1", offers a high
level of reliable security and privacy, and an easy to use powerful
configuration interface. eSafe Gateway's excellent security policy is
obtained by a combination of a powerful virus and vandal scanning engine
for files and applets, high level content security, and additional personal
privacy key features. eSafe Gateway's anti-virus file security is based
upon a policy by which files can either be considered "Dangerous" or
"Safe".  This is determined by the files extensions.

This should not be a surprise to Mr. Van der Kooij, that eSafe's security
policy does not have to depend on files extensions. A network
administrator, worried lest malicious files should enter his network due to
a scenario described hereinafter, has an option to scan files regardless of
their extensions. Such a solution would usually be redundant, and cost in
network performance, which is often considered valuable. The procedure by
which such a configuration is set up is described by Mr. Van der Kooij

The trade off between performance and protection sufficiency is a well
known issue in the world of data security. As suggested by Mr. Van der
Kooij, it is possible to make files go through eSafe Gateway without being
scanned for viruses, thus creating security holes. eSafe believes that
relying on file extension in order to avoid threats and virus assaults is
highly efficient. This is definitely not due to a "flawed design". We, at
eSafe, believe that it is possible to achieve a high level of security and
privacy, while relying on the files extensions. In order to gain good
security, and, at the same time, good network performance, it is possible
(and recommended) to avoid scanning of files that are predefined as "Safe"
(or files that are not defined as "Dangerous"). It would often be redundant
to scan each and every file which goes through the system.

It is agreed that files renaming is a common action that can be easily
performed by anyone who can use an alphanumeric keyboard, but If a hacker
sends an infected executable file masqueraded with a "TXT" or an "MPG"
extension, it is the user's job to get the file, save it to his local disk,
rename it to a valid executable, and then run it. Such a user can also
bring an infected floppy disk from home and spread a virus in the company's
internal network, or format his own hard disk manually. The damage and the
user's involvement in damaging the system would be more or less equivalent.

Another aspect of HTTP file protection taken by eSafe is the file's header
which contains extra information about the file type (Mime type). It is
indeed possible make an HTTP server transfer any file with a false mime
type field. Note that HTTP clients (web browsers) treat files by their mime
type. Files that are transferred by a mime of "text/html" would be opened
in the browser window, and not considered as an executable that should be
saved to disk. In order to pass an infection in such a case, the user
should once again get highly involved: Open the browser window, initiate a
"Save As..." procedure manually to the local disk and run the file. Also,
note that transferring files in a "text/html" mime type would usually
result in a conversion of the file to ASCII format, and will be displayed
in the browser window with no control characters. Therefore, even saving
and running the file would fail.

In conclusion, Mr. Van der Kooij has insinuated that according to eSafe
there is "No fix available". The subject described above is not a bug, nor
a security problem. Hence, no fix is needed. eSafe Gateway provides
excellent security and safe network environments.


Alon Rotem
Software Engineer

Phone: [+972 4] 8811441
e-mail: alonr () eAladdin com
Listen to my music at:

Aladdin. Securing The Global Village

Ashlag 22, Haifa, Israel
Tel:   +972 4 872-8899 Fax: +972 4 872-9966
Visit us at our Web site!  http://www.esafe.com

Aladdin supports Idealist. Visit http://www.idealist.org

On 23/03/2000 10:58:00 ZE2 Ronen Mor wrote:

this is a mail we received from "Misrad Haozar", which holding PO
of renewal to their updates of ESG.
please send your comment ASAP to oren marom.


Ronen Mor

Regional Manager
Enterprise Security Unit
Aladdin Knowledge Systems
ronenm () eAladdin com

Aladdin. Securing the Global Village.
P.O. Box 11141,  Tel Aviv 61110 Israel
Tel:   +972 3 636-2222; Fax: +972 3 537-5796
Visit us at our Web site!  http://www.eAladdin.com

Aladdin supports Idealist. Visit http://www.idealist.org

----- Forwarded by Ronen Mor/TLV/AKS on 23/03/00 10:54 -----

   Oren Marom
   23/03/00 10:48

         To: Ronen Mor/TLV/AKS () AKS
         Subject: ESPG


                          Oren Marom
                      Account Manager

                   Enterprise Security Unit
            Aladdin Knowledge Systems LTD

         Tel: 03-6362316, Cellular: 053-603555
                E-mail: orenm () eAladdin com
                          Fax :03-6362318

Aladdin. Securing the Global Village.
P.O. Box 11141,  Tel Aviv 61110 Israel
Tel:   +972 3 636-2222; Fax: +972 3 537-5796
Visit us at our Web site!  http://www.eAladdin.com

Aladdin supports Idealist. Visit http://www.idealist.org

----- Forwarded by Oren Marom/TLV/AKS on 03/23/00 10:47 AM -----

   boaz () mof gov il
   03/23/00 10:43 AM

         To: orenm () aks com
         Subject: ESPG

--------------------------- 23/03/2000 10:37 -á áåòæ ãåìá/îàåø/àåöø ðùìç


Doron Shikmoni <doron () isoc org il> - 22/03/2000 20:18:05

          boaz, eddie () sela co il, yuval, ponga

   [Fwd: Esafe Protect Gateway (CVP) does not scan virus under


-------- Original Message --------

Date:         Tue, 21 Mar 2000 09:24:35 +0100
From: Hugo.van.der.Kooij () CAIW NL
Subject:      Esafe Protect Gateway (CVP) does not scan virus under some

After notification of the manufacturer here is the full report on a
problem noted with Esafe Protect Gateway.


The Esafe Protect Gateway (ESPG) does not scan some files in combination
with FireWall-1 and CVP.


If you want the Esafe Protect Gateway to scan all content for the presence
of a virus you have two options.

1. Choose to scan anything not listed in the 'safe file types' list. And
   then clear out all entries in that list.

2. Choose to scan only files listed in the 'dangerous file types' list.
   And then have only one extension listed namely '*'.

Deciding to rely on extensions seems an indication of a flawed design
allready. Renaming files is a common practice and can be done by anyone
capable of operating a keyboard.

The problem is that anything with the MIME type set to TEXT/HTML will not
be scanned regardless of the options recommended above.

A simple test was capable of pointing this out.

Setup a default Apache server. Copy a virusfile to two location being
http://website/test1.txt and http://website/test1.html and try to download
them with your favorite browser. The URL is unique and was never used by
your browser to minimize the possibilities of caches being in place. But
forced reloads work properly and are sufficiant if you want to replicate
this issue.

Downloading http://website/test1.html dows nothing to detect the virus and
it is yours. No protection is offered. Downloading
http://website/test1.txt will not work as ESPG will now intercept the file
contain the virus.

By adjusting the webserver to send out *.txt as MIME type TEXT/HTML and
*.html as MIME type TEXT/PLAIN you can now test with
http://website/test2.txt and http://website/test2.html to verify things.
Downloading http://website/test2.txt will get you infected as ESPG will
not scan the file. And downloading http://website/test2.html will not work
as ESPG detects the virus and will prevent it from downloading.


Esafe Protect Gateway can at present not be trusted to protect you from
downloading a virus.


    Esafe Protect Gateway v2.1 build 98.
    Virus tables dated March 15, 2000.


    Manufacturer notified.
    No fix available.
    Results have not been confirmed yet.

    However I was able to verify that the problem lies with Esafe and
    not with Check Point by using Trend Micro's CVP server instead
    which did not suffer from the same problem.


Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl    http://home.kabelfoon.nl/~hvdkooij/
Use of any of my email addresses for unsollicited (commercial)
   email is a clear intrusion of my privacy and illegal!

Yehavi Bourvine (4X6DD),                Phone:  +972-2-6585684     H
Computation Center,                 Emergency:  +972-50-975544     H
The Hebrew University of Jerusalem,                                H
Givat-Ram,  91904 Jerusalem,  Israel                               H H H
                                          Fax: +972-2-6527349     HH H
                                                                  H   H
Email:   YEHAVI () VMS HUJI AC IL                                    H
URL:     http://www.huji.ac.il/                                  H

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]