Bugtraq mailing list archives
Esafe Protect Gateway (CVP) does not scan virus under some conditions
From: Hugo.van.der.Kooij () CAIW NL (Hugo.van.der.Kooij () CAIW NL)
Date: Tue, 21 Mar 2000 09:24:35 +0100
Hi,

After notification of the manufacturer here is the full report on a problem
noted with Esafe Protect Gateway.

SUMMARY
-------

The Esafe Protect Gateway (ESPG) does not scan some files in combination
with FireWall-1 and CVP.

DETAILS
-------

If you want the Esafe Protect Gateway to scan all content for the presence
of a virus you have two options.

1. Choose to scan anything not listed in the 'safe file types' list. And
   then clear out all entries in that list.
2. Choose to scan only files listed in the 'dangerous file types' list. And
   then have only one extension listed, namely '*'.

Deciding to rely on extensions seems an indication of a flawed design
already. Renaming files is a common practice and can be done by anyone
capable of operating a keyboard.

The problem is that anything with the MIME type set to TEXT/HTML will not
be scanned regardless of the options recommended above.

A simple test was capable of pointing this out. Set up a default Apache
server. Copy a virus file to two locations, being http://website/test1.txt
and http://website/test1.html, and try to download them with your favorite
browser. The URL is unique and was never used by your browser to minimize
the possibilities of caches being in place. But forced reloads work
properly and are sufficient if you want to replicate this issue.

Downloading http://website/test1.html does nothing to detect the virus and
it is yours. No protection is offered.

Downloading http://website/test1.txt will not work as ESPG will now
intercept the file containing the virus.

By adjusting the webserver to send out *.txt as MIME type TEXT/HTML and
*.html as MIME type TEXT/PLAIN you can now test with
http://website/test2.txt and http://website/test2.html to verify things.

Downloading http://website/test2.txt will get you infected as ESPG will not
scan the file.

And downloading http://website/test2.html will not work as ESPG detects the
virus and will prevent it from downloading.

CONCLUSION
----------

Esafe Protect Gateway can at present not be trusted to protect you from
downloading a virus.

VERSIONS
--------

Esafe Protect Gateway v2.1 build 98.
Virus tables dated March 15, 2000.

STATUS
------

Manufacturer notified. No fix available. Results have not been confirmed
yet. However I was able to verify that the problem lies with Esafe and not
with Check Point by using Trend Micro's CVP server instead, which did not
suffer from the same problem.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial)
email is a clear intrusion of my privacy and illegal!
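The four downloads described in the post above can be repeated against a gateway you operate with a small test server that serves one body under each extension and declared MIME type. This is an added example, not part of the original post; the placeholder body, the function names and the optional `proxy` parameter are assumptions.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed placeholder; substitute your antivirus vendor's harmless test file.
TEST_BODY = b"PLACEHOLDER-ANTIVIRUS-TEST-FILE\n"

# The four cases from the post: request path -> declared Content-Type.
CASES = {
    "/test1.txt": "text/plain",
    "/test1.html": "text/html",
    "/test2.txt": "text/html",    # extension and MIME type swapped
    "/test2.html": "text/plain",  # extension and MIME type swapped
}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ctype = CASES.get(self.path.split("?", 1)[0])
        if ctype is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(TEST_BODY)))
        self.send_header("Cache-Control", "no-store")  # keep caches out of the test
        self.end_headers()
        self.wfile.write(TEST_BODY)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_server(host="127.0.0.1", port=0):
    # port=0 lets the OS pick a free port; read it from server.server_address.
    server = ThreadingHTTPServer((host, port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(base_url, proxy=None):
    """Fetch every case; return {path: (content_type, body_delivered_unchanged)}."""
    handler = urllib.request.ProxyHandler({"http": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    results = {}
    for path, declared in CASES.items():
        try:
            with opener.open(base_url + path, timeout=10) as resp:
                results[path] = (resp.headers.get_content_type(),
                                 resp.read() == TEST_BODY)
        except OSError:  # connection dropped or error page from the gateway
            results[path] = (declared, False)
    return results
```

Run the server on a host behind the gateway and call `probe()` from a client whose traffic passes through it; any case that still reports `True` for a real test file was delivered unscanned.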