Bugtraq mailing list archives

Esafe Protect Gateway (CVP) does not scan virus under some conditions


From: Hugo.van.der.Kooij () CAIW NL (Hugo.van.der.Kooij () CAIW NL)
Date: Tue, 21 Mar 2000 09:24:35 +0100


Hi,
After notification of the manufacturer here is the full report on a
problem noted with Esafe Protect Gateway.

SUMMARY
-------

The Esafe Protect Gateway (ESPG) does not scan some files in combination
with FireWall-1 and CVP.

DETAILS
-------

If you want the Esafe Protect Gateway to scan all content for the presence
of a virus you have two options.

 1. Choose to scan anything not listed in the 'safe file types' list. And
    then clear out all entries in that list.

 2. Choose to scan only files listed in the 'dangerous file types' list.
    And then have only one extension listed namely '*'.

Deciding to rely on extensions seems an indication of a flawed design
already. Renaming files is a common practice and can be done by anyone
capable of operating a keyboard.

The problem is that anything with the MIME type set to TEXT/HTML will not
be scanned regardless of the options recommended above.

A simple test was capable of pointing this out.

Set up a default Apache server. Copy a virus file to two locations, being
http://website/test1.txt and http://website/test1.html and try to download
them with your favorite browser. The URL is unique and was never used by
your browser to minimize the possibilities of caches being in place. But
forced reloads work properly and are sufficient if you want to replicate
this issue.

Downloading http://website/test1.html does nothing to detect the virus and
it is yours. No protection is offered. Downloading
http://website/test1.txt will not work as ESPG will now intercept the file
containing the virus.

By adjusting the webserver to send out *.txt as MIME type TEXT/HTML and
*.html as MIME type TEXT/PLAIN you can now test with
http://website/test2.txt and http://website/test2.html to verify things.
Downloading http://website/test2.txt will get you infected as ESPG will
not scan the file. And downloading http://website/test2.html will not work
as ESPG detects the virus and will prevent it from downloading.

CONCLUSION
----------

Esafe Protect Gateway can at present not be trusted to protect you from
downloading a virus.

VERSIONS
--------

        Esafe Protect Gateway v2.1 build 98.
        Virus tables dated March 15, 2000.

STATUS
------

        Manufacturer notified.
        No fix available.
        Results have not been confirmed yet.

        However I was able to verify that the problem lies with Esafe and
        not with Check Point by using Trend Micro's CVP server instead
        which did not suffer from the same problem.

Hugo.


--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial)
    email is a clear intrusion of my privacy and illegal!
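
The four-case test described in the message above, written as a repeatable lab check (an added example, not part of the original post and not vendor code). It serves one payload under the four extension/MIME combinations and reports which attribute, if any, decides whether a content-scanning gateway lets it through. Assumptions: the names, the harmless placeholder payload, the optional `gateway` proxy URL, and treating "blocked" as "payload did not arrive unmodified".

```python
import http.client, threading, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
# Constructed, harmless stand-in; in a lab, swap in your scanner's own test file.
PAYLOAD = b"CONSTRUCTED-SCANNER-TEST-PLACEHOLDER\n"

CASES = {  # the four URLs from the report -> Content-Type the server declares
    "/test1.txt": "text/plain",   # default mapping
    "/test1.html": "text/html",   # default mapping
    "/test2.txt": "text/html",    # swapped mapping
    "/test2.html": "text/plain",  # swapped mapping
}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ctype = CASES.get(self.path)
        if ctype is None:
            return self.send_error(404)
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.send_header("Cache-Control", "no-store")  # rule out cached answers
        self.end_headers()
        self.wfile.write(PAYLOAD)

def start_server(host="127.0.0.1", port=0):
    srv = ThreadingHTTPServer((host, port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(base_url, gateway=None):
    """Fetch each case; True means the payload arrived unmodified (not blocked)."""
    proxies = {"http": gateway} if gateway else {}  # {} = ignore env proxies
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    results = {}
    for path in CASES:
        try:
            with opener.open(base_url + path, timeout=10) as resp:
                results[path] = resp.read() == PAYLOAD
        except (OSError, http.client.HTTPException):
            results[path] = False
    return results

def bypass_driver(results):
    """Return the attribute that alone separates delivered from blocked fetches."""
    keys = (("Content-Type", CASES.get), ("extension", lambda p: p.rsplit(".", 1)[1]))
    for name, key in keys:
        passed = {key(p) for p, ok in results.items() if ok}
        blocked = {key(p) for p, ok in results.items() if not ok}
        if passed and blocked and not passed & blocked:
            return name
    return None
```

Run `start_server()` on a lab web host and call `probe()` from a client whose traffic passes the gateway. The results reported in the message (test1.html and test2.txt delivered, the other two blocked) make `bypass_driver()` return `"Content-Type"`.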


