Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Esafe Protect Gateway (CVP) does not scan virus under some
From: Hugo.van.der.Kooij () CAIW NL (Hugo.van.der.Kooij () CAIW NL)
Date: Fri, 24 Mar 2000 23:17:17 +0100


On Fri, 24 Mar 2000 alonr () eAladdin com wrote:

On Thu, 23 Mar 2000 alonr () eAladdin com wrote:

The trade off between performance and protection sufficiency is a well
known issue in the world of data security. As suggested by Mr. Van der
Kooij, it is possible to make files go through eSafe Gateway without
being
scanned for viruses, thus creating security holes. eSafe believes that
relying on file extension in order to avoid threats and virus assaults
is
highly efficient. This is definitely not due to a "flawed design". We,
at
eSafe, believe that it is possible to achieve a high level of security
and
privacy, while relying on the files extensions. In order to gain good
security, and, at the same time, good network performance, it is
possible
(and recommended) to avoid scanning of files that are predefined as
"Safe"
(or files that are not defined as "Dangerous"). It would often be
redundant
to scan each and every file which goes through the system.

The fact that ESP does not allow a security officer to make a company
strategy but forces a strategy upon it's customers is dangerous and for
some clients unacceptable.

You may have overlooked the paragraph prior to that one: It is possible to
inspect each and every file on the system. eSafe Gateway allows any system
administrator implement any company security policy. Again, we believe that
cutting down the number of files which are defined as dangerous is an
optimal balance, but a worried administrator can avoid that policy and
suspect any file regardless of its extension.

The lab tests performed by my client and duplicated in my own lab have
proven that any file using the MIME header TEXT/HTML is passed without
verificationi regardless of the extension. We used all settings as
advocated by your Dutch office to stop and scan ALL files.

Using another vendor's CVP server I was able to verify the issue was not a
FireWall-1 problem but in fact that of the ESPG CVP server. Trend Micro
did find the virus in both TEXT/PLAIN and TEXT/HTML MIME types.

I suggest you try the case with HTTP resources on a FireWall-1 v4.0 SP4
installed on a Nokia IP-440 with IPSO v3.2.0 to duplicate the test before
claiming to be bugfree.

I also suggest you verify things with the Dutch office where I did report
the issue some time ago.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsollicited (commercial)
    email is a clear intrusion of my privacy and illegal!



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]