Bugtraq mailing list archives

Re: Esafe Protect Gateway (CVP) does not scan virus under some


From: alonr () EALADDIN COM (Alon Rotem)
Date: Sun, 26 Mar 2000 14:57:11 +0200


Hi,

Please let me correct you: attachments for emails that are sent in an HTML
format (i.e. in "text/html") are scanned according to your eSafe Gateway
policy rules. Thus, your predicted scenario will fail.

            Sincerely,
                Alon Rotem

On 24/03/2000 16:17:52 CST "Lea, Michael" wrote:

Alon Rotem wrote:
As I wrote in my reply, if you are afraid of such incidents, you may
configure eSafe Gateway to scan each and every file, regardless of their
extension. Of course this will have an effect on your network performance,
since the majority of files going through the net are not harmful.
A worried administrator can implement this alternative configuration within
seconds. There is no 100% security, but eSafe Gateway offers a very good,
very reliable solution for any network administrator.

If it were as simple as setting eSafe to scan all file extensions, I don't
think anybody would have a problem.  But what some people seem to be missing
here is the second part of Hugo's message:

Hugo van der Kooij wrote:
The problem is that anything with the MIME type set to TEXT/HTML will not
be scanned regardless of the options recommended above.

Even if the eSafe Gateway is configured to check all file-types, it still
passes through files with a MIME type of text/html, regardless of extension.
There doesn't seem to be a way of turning this off and scanning all MIME
types.

People also seem to be missing the fact that this affects not only HTTP
traffic, but also e-mail messages.

Here's an easy illustration that doesn't require any abnormal intervention
on the part of the "victim".  An attacker sends a document infected with his
favorite macro virus to his victim in an e-mail message.  The attachment is
identified with a MIME type of text/html, so the eSafe Gateway passes it
through unchallenged.  The victim double-clicks on the attachment and the
mail client opens the document in the appropriate program, possibly without
any warnings whatsoever (Outlook 97 doesn't prompt for MS Office documents
... others?).  Voila!  You've just infected your first victim.

At a bare minimum, the eSafe Gateway should give the option of scanning all
files, regardless of MIME type.  Ideally, it would also have the option of
examining the CONTENT of the file to determine whether or not it is worth
scanning.  Using "magic numbers" to identify files is nothing new.  Unix
people can take a look at the "file" command, which has been using this
concept to identify file types almost since the beginning of time.

I hope everybody's got current anti-virus signatures on their workstations.
:-(

Michael Lea
Information Security
Manitoba Public Insurance
Phone: (204) 985-8224
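The content-based check Michael Lea asks for, as an added example that is not part of the original thread and not eSafe's code: a gateway-side triage that classifies each MIME part by its leading bytes (the magic-number idea behind file(1)) and treats the declared Content-Type as untrusted, so a Word document labelled text/html is still routed to the scanner. The signature table, the routing policy and the sample message are constructed for this example.

```python
from email import message_from_bytes, policy

# Illustrative magic-number table (not eSafe's): leading bytes of content that a
# gateway should hand to the scanner whatever Content-Type label it carries.
MAGIC_SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "application/x-ole-storage",  # legacy Word/Excel
    b"PK\x03\x04": "application/zip",  # ZIP, including OOXML Office files
    b"MZ": "application/x-dosexec",    # DOS/Windows executable
}

def sniff_content_type(data: bytes) -> "str | None":
    """Identify data by its leading bytes, as file(1) does, ignoring the label."""
    for magic, mime in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

def route_part(declared: str, filename: "str | None", data: bytes) -> dict:
    """Decide whether one MIME part goes to the scanner. The declared type is
    sender-controlled and never exempts a part; a label that disagrees with the
    content is reported as a mismatch."""
    sniffed = sniff_content_type(data)
    if sniffed is not None or filename is not None:
        verdict = "scan"  # known binary content, or a named attachment of any type
    else:
        verdict = "pass"  # inline text with no binary signature and no filename
    return {"declared": declared, "filename": filename, "sniffed": sniffed,
            "mismatch": sniffed is not None and sniffed != declared.lower(),
            "verdict": verdict}

def triage_message(raw: bytes) -> list:
    """Apply route_part to every leaf part of a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [route_part(p.get_content_type(), p.get_filename(),
                       p.get_payload(decode=True) or b"")
            for p in msg.walk() if not p.is_multipart()]

# Constructed sample: a Word document attached with a text/html label, the case the
# thread describes. The base64 body is the 8-byte OLE2 header plus zero padding.
SAMPLE_MESSAGE = b"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAA==
--b1--
"""
```

Running `triage_message(SAMPLE_MESSAGE)` reports the single part as declared text/html, sniffed as application/x-ole-storage, with a mismatch and a "scan" verdict.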
