Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Esafe Protect Gateway (CVP) does not scan virus under some
From: alonr () EALADDIN COM (Alon Rotem)
Date: Sun, 26 Mar 2000 14:57:11 +0200


Hi,

Please let me correct you: attachments for emails that are sent in an HTML
format (i.e. in "text/html") are scanned according to your eSafe Gateway
policy rules. Thus, your predicted scenario will fail.

            Sincerely,
                Alon Rotem

On 24/03/2000 16:17:52 CST "Lea, Michael" wrote:

Alon Rotem wrote:
As I wrote in my reply , if you are afraid of such incidents, you may
configure eSafe Gateway scan each and every file, regardless of their
extension. Of course this will have an effect on your network
performance,
since the majority of files going though the net are not harmful.
A worried administrator can implement this alternative configuration
within
seconds. There is no 100% security, but eSafe Gateway offers a very
good,
very reliable, solution for any network administrator.

If it was as simple as setting eSafe to scan all file extensions, I don't
think anybody would have a problem.  But what some people seem to be
missing
here is the second part of Hugo's message:

Hugo van der Kooij wrote:
The problem is that anything with the MIME type set to TEXT/HTML will
not
be scanned regardless of the options recommended above.

Even if the eSafe Gateway is configured to check all file-types, it still
passes through files with a MIME type of text/html, regardless of
extension.
There doesn't seem to be a way of turning this off and scanning all MIME
types.

People also seem to be missing the fact that this affects not only HTTP
traffic, but also e-mail messages.

Here's an easy illustration, that doesn't require any abnormal
intervention
on the part of the "victim".  An attacker sends a document infected with
his
favorite macro virus to his victim in an e-mail message.  The attachment
is
identified with a MIME type of text/html, so the eSafe Gateway passes it
through unchallenged.  The victim double-clicks on the attachment and the
mail client opens the document in the appropriate program, possibly
without
any warnings whatsoever (Outlook 97 doesn't prompt for MS Office documents
... others?).  Voila!  You've just infected your first victim.

At a bare minimum, the eSafe Gateway should give the option of scanning
all
files, regardless of MIME type.  Ideally, it would also have the option of
examining the CONTENT of the file to determine whether or not it is worth
scanning.  Using "magic numbers" to identify files is nothing new.  Unix
people can take a look at the "file" which has been using this concept to
identify file types almost since the beginning of time.

I hope everybody's got current anti-virus signatures on their
workstations.
:-(

Michael Lea
Information Security
Manitoba Public Insurance
Phone: (204) 985-8224


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]