Bugtraq mailing list archives

Re: Esafe Protect Gateway (CVP) does not scan virus under some conditions


From: alonr () EALADDIN COM (Alon Rotem)
Date: Fri, 24 Mar 2000 10:58:11 -0000


Hi,
Referring to the message quoted below, initiated by Mr. Hugo 
van der Kooij, I would like to bring up a few points 
opposing the analysis of our product, eSafe Protect Gateway 
for CVP firewalls version 2.1 (also known as eSafe Gateway).

eSafe Gateway, integrated with Checkpoint's "Firewall-1", 
offers a high level of reliable security and privacy, and 
an easy to use powerful configuration interface. eSafe 
Gateway's excellent security policy is obtained by a 
combination of a powerful virus and vandal scanning engine 
for files and applets, high level content security, and 
additional personal privacy key features. eSafe Gateway's 
anti-virus file security is based upon a policy by which 
files can either be considered "Dangerous" or "Safe".  This 
is determined by the file extensions.

It should not be a surprise to Mr. Van der Kooij that 
eSafe's security policy does not have to depend on file 
extensions. A network administrator, worried lest malicious 
files should enter his network due to a scenario described 
hereinafter, has an option to scan files regardless of 
their extensions. Such a solution would usually be 
redundant, and cost in network performance, which is often 
considered valuable. The procedure by which such a 
configuration is set up is described by Mr. Van der Kooij 
himself.

The trade-off between performance and protection 
sufficiency is a well-known issue in the world of data 
security. As suggested by Mr. Van der Kooij, it is possible 
to make files go through eSafe Gateway without being 
scanned for viruses, thus creating security holes. eSafe 
believes that relying on file extension in order to avoid 
threats and virus assaults is highly efficient. This is 
definitely not due to a "flawed design". We, at eSafe, 
believe that it is possible to achieve a high level of 
security and privacy, while relying on the file 
extensions. In order to gain good security, and, at the 
same time, good network performance, it is possible (and 
recommended) to avoid scanning of files that are predefined 
as "Safe" (or files that are not defined as "Dangerous"). 
It would often be redundant to scan each and every file 
which goes through the system. 

It is agreed that file renaming is a common action that 
can be easily performed by anyone who can use an 
alphanumeric keyboard, but if a hacker sends an infected 
executable file masqueraded with a "TXT" or an "MPG" 
extension, it is the user's job to get the file, save it to 
his local disk, rename it to a valid executable, and then 
run it. Such a user can also bring an infected floppy disk 
from home and spread a virus in the company's internal 
network, or format his own hard disk manually. The damage 
and the user's involvement in damaging the system would be 
more or less equivalent. 

Another aspect of HTTP file protection taken by eSafe is 
the file's header which contains extra information about 
the file type (Mime type). It is indeed possible to make an 
HTTP server transfer any file with a false mime type field. 
Note that HTTP clients (web browsers) treat files by their 
mime type. Files that are transferred with a mime type 
of "text/html" would be opened in the browser window, and 
not considered as an executable that should be saved to 
disk. In order to pass an infection in such a case, the 
user should once again get highly involved: Open the 
browser window, initiate a "Save As..." procedure manually 
to the local disk and run the file. Also, note that 
transferring files in a "text/html" mime type would usually 
result in a conversion of the file to ASCII format, and 
will be displayed in the browser window with no control 
characters. Therefore, even saving and running the file 
would fail.

In conclusion, Mr. Van der Kooij has insinuated that 
according to eSafe there is "No fix available". The subject 
described above is not a bug, nor a security problem. 
Hence, no fix is needed. eSafe Gateway provides excellent 
security and safe network environments.

Sincerely,
     
Alon Rotem
Software Engineer

Phone: [+972 4] 8811441
e-mail: alonr () eAladdin com
Listen to my music at: 
http://www.audiogalaxy.com/bands/alonrotem

Aladdin. Securing The Global Village

Ashlag 22, Haifa, Israel
Tel:   +972 4 872-8899 Fax: +972 4 872-9966
Visit us at our Web site!  http://www.esafe.com

Aladdin supports Idealist. Visit http://www.idealist.org

Hi,
After notification of the manufacturer here is the full report on a problem noted with Esafe Protect Gateway.

SUMMARY
-------

The Esafe Protect Gateway (ESPG) does not scan some files in combination with FireWall-1 and CVP.

DETAILS
-------

If you want the Esafe Protect Gateway to scan all content for the presence of a virus you have two options.

 1. Choose to scan anything not listed in the 'safe file types' list. And then clear out all entries in that list.

 2. Choose to scan only files listed in the 'dangerous file types' list. And then have only one extension listed namely '*'.

Deciding to rely on extensions seems an indication of a flawed design already. Renaming files is a common practice and can be done by anyone capable of operating a keyboard.

The problem is that anything with the MIME type set to TEXT/HTML will not be scanned regardless of the options recommended above.

A simple test was capable of pointing this out.

Set up a default Apache server. Copy a virus file to two locations, being http://website/test1.txt and http://website/test1.html, and try to download them with your favorite browser. The URL is unique and was never used by your browser to minimize the possibilities of caches being in place. But forced reloads work properly and are sufficient if you want to replicate this issue.

Downloading http://website/test1.html does nothing to detect the virus and it is yours. No protection is offered. Downloading http://website/test1.txt will not work as ESPG will now intercept the file containing the virus.

By adjusting the webserver to send out *.txt as MIME type TEXT/HTML and *.html as MIME type TEXT/PLAIN you can now test with http://website/test2.txt and http://website/test2.html to verify things. Downloading http://website/test2.txt will get you infected as ESPG will not scan the file. And downloading http://website/test2.html will not work as ESPG detects the virus and will prevent it from downloading.

CONCLUSION
----------

Esafe Protect Gateway can at present not be trusted to protect you from downloading a virus.

VERSIONS
--------

        Esafe Protect Gateway v2.1 build 98.
        Virus tables dated March 15, 2000.

STATUS
------

        Manufacturer notified.
        No fix available.
        Results have not been confirmed yet.

        However I was able to verify that the problem lies with Esafe and
        not with Check Point by using Trend Micro's CVP server instead
        which did not suffer from the same problem.

Hugo.
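The four downloads in the report above, modelled in code. This is an added example written for this archive page, not code from eSafe, Check Point or either poster. It assumes the behaviour the report describes (option 2 with '*' in the 'dangerous file types' list, and anything declared TEXT/HTML passed through unscanned) as a rule, uses a toy scanner that only recognises the DOS/PE "MZ" header in place of a real virus engine, and feeds it a constructed byte string rather than a real virus file. It contrasts a scan decision driven by extension and Content-Type with one driven by the bytes, and adds a mismatch check a gateway log could be filtered on.

```python
from dataclasses import dataclass

# Constructed samples (not real malware): a byte string carrying the real DOS/PE
# "MZ" magic as a stand-in for an infected executable, and a plain-text body.
EXECUTABLE_SAMPLE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
TEXT_SAMPLE = b"Just some harmless text.\n"


@dataclass
class Download:
    url: str
    mime_type: str  # Content-Type the web server declares, as in the report's Apache test
    body: bytes


def extension_of(url: str) -> str:
    """Lower-cased extension of the last path element, '' if there is none."""
    name = url.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scanner_flags(body: bytes) -> bool:
    """Toy stand-in for the virus engine: flags anything starting with the
    DOS/PE 'MZ' magic. A real engine looks at far more than two bytes."""
    return body[:2] == b"MZ"


def metadata_policy_scans(dl: Download, dangerous_types=("*",),
                          skip_mime=("text/html",)) -> bool:
    """Whether the body reaches the scanner under the behaviour the report
    describes (assumed rule): option 2 with only '*' in the 'dangerous file
    types' list, but anything declared TEXT/HTML is passed through unscanned."""
    if dl.mime_type.split(";")[0].strip().lower() in skip_mime:
        return False
    return "*" in dangerous_types or extension_of(dl.url) in dangerous_types


def metadata_verdict(dl: Download) -> str:
    """Verdict when the scan decision is driven by extension and Content-Type."""
    if not metadata_policy_scans(dl):
        return "allowed"  # never inspected, whatever the bytes contain
    return "blocked" if scanner_flags(dl.body) else "allowed"


def content_verdict(dl: Download) -> str:
    """Verdict when every body is scanned and the decision rests on the bytes,
    ignoring both the URL's extension and the declared Content-Type."""
    return "blocked" if scanner_flags(dl.body) else "allowed"


def mime_mismatch(dl: Download) -> bool:
    """Detection signal: the server calls it text, but the bytes look executable."""
    declared = dl.mime_type.split(";")[0].strip().lower()
    return declared.startswith("text/") and scanner_flags(dl.body)


# The four URLs from the report with the Content-Type each server configuration
# would declare (test2.* is the swapped-MIME Apache setup), plus a harmless file.
REPORT_CASES = [
    Download("http://website/test1.txt", "text/plain", EXECUTABLE_SAMPLE),
    Download("http://website/test1.html", "text/html", EXECUTABLE_SAMPLE),
    Download("http://website/test2.txt", "text/html", EXECUTABLE_SAMPLE),
    Download("http://website/test2.html", "text/plain", EXECUTABLE_SAMPLE),
    Download("http://website/readme.txt", "text/plain", TEXT_SAMPLE),
]


def run_report_cases(cases=REPORT_CASES) -> dict:
    """Map each URL to (metadata-driven verdict, content-driven verdict, mismatch flag)."""
    return {dl.url: (metadata_verdict(dl), content_verdict(dl), mime_mismatch(dl))
            for dl in cases}


if __name__ == "__main__":
    for url, (meta, content, mismatch) in run_report_cases().items():
        print(f"{url:32} metadata={meta:8} content={content:8} mime_mismatch={mismatch}")
```

Under the metadata-driven policy, test1.html and test2.txt are the two downloads the report says get through: both arrive as text/html, so the '*' rule never sees them. The content-driven verdict blocks all four executable bodies and lets only the plain-text file through, and `mime_mismatch` is true for every executable served as text/*, which is the condition worth alerting on at the gateway whatever the scan policy is.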

