Bugtraq mailing list archives

Re: Esafe Protect Gateway (CVP) does not scan virus under some
From: MLea () MPI MB CA (Lea, Michael)
Date: Fri, 24 Mar 2000 16:17:52 -0600

Alon Rotem wrote:
As I wrote in my reply, if you are afraid of such incidents, you may
configure eSafe Gateway to scan each and every file, regardless of its
extension. Of course this will have an effect on your network performance,
since the majority of files going through the net are not harmful.
A worried administrator can implement this alternative configuration
seconds. There is no 100% security, but eSafe Gateway offers a very good,
very reliable, solution for any network administrator.

If it was as simple as setting eSafe to scan all file extensions, I don't
think anybody would have a problem.  But what some people seem to be missing
here is the second part of Hugo's message:

Hugo van der Kooij wrote:
The problem is that anything with the MIME type set to TEXT/HTML will not
be scanned regardless of the options recommended above.

Even if the eSafe Gateway is configured to check all file-types, it still
passes through files with a MIME type of text/html, regardless of extension.
There doesn't seem to be a way of turning this off and scanning all MIME

People also seem to be missing the fact that this affects not only HTTP
traffic, but also e-mail messages.

Here's an easy illustration that doesn't require any abnormal intervention
on the part of the "victim".  An attacker sends a document infected with his
favorite macro virus to his victim in an e-mail message.  The attachment is
identified with a MIME type of text/html, so the eSafe Gateway passes it
through unchallenged.  The victim double-clicks on the attachment and the
mail client opens the document in the appropriate program, possibly without
any warnings whatsoever (Outlook 97 doesn't prompt for MS Office documents
... others?).  Voila!  You've just infected your first victim.

At a bare minimum, the eSafe Gateway should give the option of scanning all
files, regardless of MIME type.  Ideally, it would also have the option of
examining the CONTENT of the file to determine whether or not it is worth
scanning.  Using "magic numbers" to identify files is nothing new.  Unix
people can take a look at the "file" which has been using this concept to
identify file types almost since the beginning of time.
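The content-based check argued for above, as an added illustration that is not part of the original post and not eSafe's code: a gateway policy that decides whether to scan a message part by sniffing well-known magic numbers instead of trusting the declared MIME type. The signature table is a small constructed subset, and the two policy functions are hypothetical.

```python
from typing import Optional

# Well-known leading bytes for container formats that can carry macros or
# executable code. Only a small, constructed subset is listed here.
MAGIC_SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-compound-document",  # legacy MS Office .doc/.xls
    b"PK\x03\x04": "zip-container",                                  # OOXML, .jar, etc.
    b"MZ": "dos-pe-executable",
    b"\x7fELF": "elf-executable",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the sniffed container type from the leading bytes, or None."""
    for magic, label in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return label
    return None


def mime_only_policy(declared_mime: str, data: bytes) -> bool:
    """Weak policy as described in the thread: anything labelled text/html is
    passed through unscanned, whatever its bytes actually are."""
    return declared_mime.lower() != "text/html"


def content_aware_policy(declared_mime: str, data: bytes) -> bool:
    """Hardened policy: if the bytes look like a scannable container, scan it
    regardless of the MIME label; otherwise fall back to the declared type."""
    if sniff_type(data) is not None:
        return True
    return declared_mime.lower() != "text/html"


def parts_to_scan(parts, policy):
    """Apply a policy to (mime, bytes) message parts; return indexes to scan."""
    return [i for i, (mime, data) in enumerate(parts) if policy(mime, data)]


# Constructed sample message: a real HTML part, and an OLE2 document that has
# been labelled text/html. No real file content is involved.
SAMPLE_PARTS = [
    ("text/html", b"<html><body>hello</body></html>"),
    ("text/html", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),
]

if __name__ == "__main__":
    print("MIME-only policy scans parts:", parts_to_scan(SAMPLE_PARTS, mime_only_policy))
    print("Content-aware policy scans parts:", parts_to_scan(SAMPLE_PARTS, content_aware_policy))
```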

I hope everybody's got current anti-virus signatures on their workstations.

Michael Lea
Information Security
Manitoba Public Insurance
Phone: (204) 985-8224
