Bugtraq mailing list archives
Re: Esafe Protect Gateway (CVP) does not scan virus under some
From: alonr () EALADDIN COM (Alon Rotem)
Date: Sun, 26 Mar 2000 14:57:11 +0200
Hi,

Please let me correct you: attachments for emails that are sent in an HTML format (i.e. in "text/html") are scanned according to your eSafe Gateway policy rules. Thus, your predicted scenario will fail.

Sincerely,
Alon Rotem

On 24/03/2000 16:17:52 CST "Lea, Michael" wrote:
Alon Rotem wrote:

As I wrote in my reply, if you are afraid of such incidents, you may configure eSafe Gateway to scan each and every file, regardless of their extension. Of course this will have an effect on your network performance, since the majority of files going through the net are not harmful. A worried administrator can implement this alternative configuration within seconds. There is no 100% security, but eSafe Gateway offers a very good, very reliable, solution for any network administrator.

If it was as simple as setting eSafe to scan all file extensions, I don't think anybody would have a problem. But what some people seem to be missing here is the second part of Hugo's message:

Hugo van der Kooij wrote:

The problem is that anything with the MIME type set to TEXT/HTML will not be scanned regardless of the options recommended above.

Even if the eSafe Gateway is configured to check all file-types, it still passes through files with a MIME type of text/html, regardless of extension. There doesn't seem to be a way of turning this off and scanning all MIME types.

People also seem to be missing the fact that this affects not only HTTP traffic, but also e-mail messages.

Here's an easy illustration, that doesn't require any abnormal intervention on the part of the "victim". An attacker sends a document infected with his favorite macro virus to his victim in an e-mail message. The attachment is identified with a MIME type of text/html, so the eSafe Gateway passes it through unchallenged. The victim double-clicks on the attachment and the mail client opens the document in the appropriate program, possibly without any warnings whatsoever (Outlook 97 doesn't prompt for MS Office documents ... others?). Voila! You've just infected your first victim.

At a bare minimum, the eSafe Gateway should give the option of scanning all files, regardless of MIME type. Ideally, it would also have the option of examining the CONTENT of the file to determine whether or not it is worth scanning. Using "magic numbers" to identify files is nothing new. Unix people can take a look at the "file" which has been using this concept to identify file types almost since the beginning of time.

I hope everybody's got current anti-virus signatures on their workstations. :-(

Michael Lea
Information Security
Manitoba Public Insurance
Phone: (204) 985-8224
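
The content-based check that the quoted message asks for (identify a file by its magic number instead of trusting the declared MIME type), as an added example that is not part of the original thread and not eSafe Gateway code. The function names, the signature table and the sample message are constructed for illustration, and the check is generalized from text/html to any part declared as text/*.

```python
import base64
import email
from email import policy

# Well-known leading "magic" bytes for formats that can carry active content.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy MS Office)"),
    (b"PK\x03\x04", "ZIP container"),
    (b"%PDF-", "PDF document"),
    (b"MZ", "DOS/Windows executable"),  # two bytes only: weakest signature here
]

def sniff(data):
    """Identify content by its leading bytes; None if no signature matches."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return None

def mislabelled_parts(raw_message):
    """Return (filename, declared_type, sniffed_type) for each leaf MIME part
    declared as text/* whose decoded content starts with a binary signature."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        body = part.get_payload(decode=True) or b""  # undoes base64 / QP
        sniffed = sniff(body)
        if sniffed and declared.startswith("text/"):
            findings.append((part.get_filename(), declared, sniffed))
    return findings

# Constructed sample: an OLE2 header (padded with zeros) labelled text/html.
_FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLE = (
    b"From: sender@example.com\r\nTo: rcpt@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b'--b1\r\nContent-Type: text/html; name="report.doc"\r\n'
    b'Content-Disposition: attachment; filename="report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(_FAKE_DOC) + b"\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for finding in mislabelled_parts(SAMPLE):
        print(finding)
```

A part flagged this way is a candidate for full scanning or quarantine regardless of its label; a part that matches no signature still needs whatever scanning the policy already applies.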