Bugtraq mailing list archives

Re: Aladdin response regarding eSafe


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 28 Jul 2004 21:45:03 +0400

Dear Ofer Elzam,

Of course, this approach makes no problems in catching, for example,
known ITW worms as executables or archives. Problems begin if you're
trying to catch, let's say, sites with Internet Explorer trojans. Remember
Scob? Imagine what happens if Scob is added to a page as a header instead
of a footer. 80% and even 5% of the page have a good chance to contain a
fully working version of Scob before the connection is terminated by the filter.

I know this problem is not eSafe specific. In fact, I don't know of an
antiviral engine capable of catching a signature in the stream of data
immediately after the signature has arrived in the stream. All antiviral
engines I tested (KAV, ClamAV and others) are file-oriented. It makes it
impossible to code good antiviral protection for a proxy server with these
engines.


--Wednesday, July 28, 2004, 7:52:14 PM, you wrote to bugtraq () securityfocus com:

OE> In-Reply-To: <18610004519.20040724152743 () SECURITY NNOV RU>

OE> eSafe Gateway uses a default value of 80% file download before
OE> first inspection of executable files from HTTP servers. This value
OE> can be changed to as low as 5% if desired.
OE> We feel that the 80% gives a good balance between user
OE> experience and security needs. Customers would usually want to see a
OE> fast moving download progress bar.  If we set the value to 5% - the
OE> progress bar will move just a little bit (5%) when downloading and
OE> the remaining 95% very fast as eSafe finishes the inspection.  This
OE> annoys users.


OE> If the antiviral filter checks data _after_ all data is received from the client
OE> with 20% buffering, yes, it's possible to bypass this check for HTTP,
OE> because there is no way (at least for HTTP/1.0 and FTP) to indicate an
OE> error to the client and make him delete partially downloaded data.

-- 
~/ZARAZA
As long as you are in the hands of Providence, you will not manage to die before your time. (Twain)
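An added example, not part of the original post and not eSafe's or any vendor's code: a small Python model of the two inspection strategies the thread argues about. The "threshold" filter follows the behaviour Ofer Elzam describes (the first N% of the declared length is passed to the client as it arrives, then the buffer is inspected as a whole), while the "streaming" scanner matches the signature chunk by chunk before forwarding anything. The signature bytes, the page bodies, the chunk size and the 80%/5% thresholds are constructed for the demonstration; nothing here is a real malware signature.

```python
"""Model of file-oriented (threshold) versus streaming signature inspection
on an HTTP proxy, to show how many bytes reach the client before a block.
All inputs are constructed placeholders, not real signatures or pages."""

# Constructed placeholder standing in for a known malicious pattern.
SIGNATURE = b"<!--MARKER-PAYLOAD-->"

# Constructed benign page body (~6 KB) used as filler in both test pages.
FILLER = b"<p>legitimate page content</p>\n" * 200


def threshold_filter(body: bytes, chunk_size: int, threshold: float):
    """File-oriented model: chunks are forwarded untouched until `threshold`
    of the declared Content-Length has been buffered; only then is the buffer
    scanned as a whole. After that first inspection every further chunk is
    appended and the buffer rescanned before the chunk is forwarded.
    Returns (blocked, bytes_delivered_to_client_before_block)."""
    total = len(body)
    buffered = bytearray()
    delivered = 0
    inspected = False
    for off in range(0, total, chunk_size):
        piece = body[off:off + chunk_size]
        buffered += piece
        if not inspected and len(buffered) < threshold * total:
            delivered += len(piece)  # forwarded before any inspection at all
            continue
        inspected = True
        if SIGNATURE in buffered:    # whole-buffer scan, as a file scanner does
            return True, delivered
        delivered += len(piece)
    return False, delivered


def streaming_scanner(body: bytes, chunk_size: int):
    """Streaming model: each chunk is matched before it is forwarded, keeping
    the last len(SIGNATURE)-1 bytes already seen so a signature that straddles
    a chunk boundary is still caught. Detection latency is bounded by one
    chunk, independent of the total length or the signature's position."""
    carry = len(SIGNATURE) - 1
    tail = b""
    delivered = 0
    for off in range(0, len(body), chunk_size):
        piece = body[off:off + chunk_size]
        if SIGNATURE in tail + piece:
            return True, delivered
        delivered += len(piece)
        tail = (tail + piece)[-carry:]
    return False, delivered


def build_page(signature_at_header: bool) -> bytes:
    """Constructed page with the marker either near the top (header) or at
    the very end (footer), mirroring the Scob placement question."""
    if signature_at_header:
        return b"<html><head>" + SIGNATURE + b"</head><body>" + FILLER + b"</body></html>"
    return b"<html><head></head><body>" + FILLER + SIGNATURE + b"</body></html>"


def compare(signature_at_header: bool, chunk_size: int = 256, threshold: float = 0.8):
    """Run both models over the same page and report bytes leaked to the
    client before the block in each case."""
    page = build_page(signature_at_header)
    t_blocked, t_leaked = threshold_filter(page, chunk_size, threshold)
    s_blocked, s_leaked = streaming_scanner(page, chunk_size)
    return {
        "total": len(page),
        "threshold_blocked": t_blocked, "threshold_leaked": t_leaked,
        "streaming_blocked": s_blocked, "streaming_leaked": s_leaked,
    }


if __name__ == "__main__":
    for at_header in (True, False):
        for thr in (0.8, 0.05):
            r = compare(at_header, threshold=thr)
            where = "header" if at_header else "footer"
            print(f"marker in {where}, threshold {int(thr*100)}%: "
                  f"file-oriented leaked {r['threshold_leaked']}/{r['total']} bytes, "
                  f"streaming leaked {r['streaming_leaked']}/{r['total']} bytes")
```

With the marker in the header, the threshold filter hands the client almost the whole first 80% (or, at 5%, the first chunk) before it looks at anything, which is exactly the window the post describes; the streaming scanner blocks before forwarding a single byte. With the marker in the footer both models only block at the last chunk, which is why the threshold design looks adequate when it is judged against executables and archives alone.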

