Bugtraq mailing list archives
Re: Aladdin response regarding eSafe
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 28 Jul 2004 21:45:03 +0400
Dear Ofer Elzam,

Of course, this approach causes no problems in catching, for example, known ITW worms as executables or archives. Problems begin if you're trying to catch, let's say, sites with Internet Explorer trojans. Remember Scob? Imagine what happens if Scob is added to a page as a header instead of a footer. 80% or even 5% of the page has a good chance of containing a fully working version of Scob before the connection is terminated by the filter.

I know this problem is not eSafe-specific. In fact, I don't know of an antiviral engine capable of catching a signature in a stream of data immediately after the signature arrives in the stream. All antiviral engines I tested (KAV, ClamAV and others) are file-oriented. This makes it impossible to code good antiviral protection for a proxy server with these engines.

--Wednesday, July 28, 2004, 7:52:14 PM, you wrote to bugtraq () securityfocus com:

OE> In-Reply-To: <18610004519.20040724152743 () SECURITY NNOV RU>

OE> eSafe Gateway uses a default value of 80% file download before
OE> first inspection of executable files from HTTP servers. This value
OE> can be changed to as low as 5% if desired.

OE> We feel that the 80% gives a good balance between user
OE> experience and security needs. Customers would usually want to see a
OE> fast moving download progress bar. If we set the value to 5% - the
OE> progress bar will move just a little bit (5%) when downloading and
OE> the remaining 95% very fast as eSafe finishes the inspection. This
OE> annoys users.

OE> If the antiviral filter checks data _after_ all data is received from the client
OE> with 20% buffering, yes, it's possible to bypass this check for HTTP,
OE> because there is no way (at least for HTTP/1.0 and FTP) to indicate an
OE> error to the client and make it delete partially downloaded data.

--
~/ZARAZA
As long as you are in the hands of Providence, you will not manage to die before your time. (Twain)
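The two inspection policies discussed in this exchange, as an added simulation that is not code from the thread, from Aladdin, or from any of the antiviral engines named: a "forward the first N% unscanned, then scan the complete body" proxy filter (the 80%/5% threshold described in the quoted reply) next to a stream-oriented matcher that scans each chunk as it arrives and carries the tail of the previous data so a signature split across chunks is still found. The signature string, the page layout and the chunk sizes are constructed for the demonstration and are hypothetical; the point shown is that with the threshold policy a payload placed at the head of the page reaches the client in full before the filter ever runs, whereas placed in the footer it is caught, and the streaming matcher never lets the complete signature through in either position.

```python
# Added example: simulated proxy content filter, threshold policy vs streaming.
# Not code from the thread, eSafe, KAV or ClamAV; signature and pages are constructed.
from dataclasses import dataclass
from typing import Iterator

# Constructed placeholder signature for the demonstration (hypothetical; not a
# real Scob signature or any vendor's signature).
SIGNATURE = b'<script src="http://evil.example/payload.js"></script>'


def chunked(body: bytes, chunk_size: int) -> Iterator[bytes]:
    """Split a response body into the chunks a proxy would see on the wire."""
    for i in range(0, len(body), chunk_size):
        yield body[i:i + chunk_size]


@dataclass
class Result:
    delivered: bytes   # bytes the client had received when the proxy acted
    blocked: bool      # whether the filter detected the signature at all


def threshold_filter(body: bytes, chunk_size: int, threshold: float) -> Result:
    """File-oriented policy (the 80%/5% model from the quoted reply): forward
    the first `threshold` fraction of the body unscanned, hold the remainder,
    scan the complete body once, and drop the connection on a hit.  Bytes
    already forwarded cannot be recalled from the client."""
    total = len(body)
    delivered = bytearray()
    buffered = bytearray()
    for chunk in chunked(body, chunk_size):
        buffered += chunk
        if len(delivered) < threshold * total:
            delivered += chunk            # forwarded before any inspection
    if SIGNATURE in buffered:
        return Result(bytes(delivered), True)   # terminate; client keeps `delivered`
    return Result(bytes(buffered), False)       # clean: the held remainder goes out


def streaming_filter(body: bytes, chunk_size: int) -> Result:
    """Stream-oriented policy: scan each chunk together with the last
    len(SIGNATURE)-1 bytes already seen, so a signature split across a chunk
    boundary is still matched, and forward a chunk only after it was scanned."""
    delivered = bytearray()
    carry = b""
    window = len(SIGNATURE) - 1
    for chunk in chunked(body, chunk_size):
        if SIGNATURE in carry + chunk:
            return Result(bytes(delivered), True)  # stop before forwarding this chunk
        delivered += chunk
        carry = (carry + chunk)[-window:]
    return Result(bytes(delivered), False)


def build_page(payload_first: bool, include_payload: bool = True,
               filler_len: int = 4000) -> bytes:
    """Constructed HTML page with the payload as a header (Scob moved to the
    top of the page) or as a footer (where Scob was actually appended)."""
    filler = b"<p>" + b"lorem ipsum " * (filler_len // 12) + b"</p>\n"
    payload = SIGNATURE if include_payload else b""
    if payload_first:
        return b"<html><body>" + payload + b"\n" + filler + b"</body></html>"
    return b"<html><body>" + filler + payload + b"\n</body></html>"


def leaked_full_signature(r: Result) -> bool:
    """Did the complete signature reach the client before the proxy acted?"""
    return SIGNATURE in r.delivered


if __name__ == "__main__":
    head, foot = build_page(True), build_page(False)
    for name, r in [("threshold 80%, payload in header", threshold_filter(head, 512, 0.8)),
                    ("threshold 5%, payload in header", threshold_filter(head, 512, 0.05)),
                    ("threshold 80%, payload in footer", threshold_filter(foot, 512, 0.8)),
                    ("streaming, payload in header", streaming_filter(head, 512)),
                    ("streaming, payload split across chunks", streaming_filter(foot, 57))]:
        print(f"{name}: blocked={r.blocked} full signature reached client={leaked_full_signature(r)}")
```

The threshold filter does flag every page in the end (`blocked` is always true when the signature is present), which is why the approach looks fine against whole executables and archives; what it cannot do is undo the bytes already forwarded, and for progressively rendered HTML those bytes are enough. Lowering the threshold from 80% to 5% only shrinks the unscanned prefix, it does not remove it, and the streaming matcher still hands the client everything up to the chunk in which the signature completes, so a deployment that wants to guarantee no partial signature is delivered would additionally have to hold back a window of len(SIGNATURE)-1 bytes before forwarding.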
Current thread:
- Aladdin response regarding eSafe Ofer Elzam (Jul 28)
- Re: Aladdin response regarding eSafe 3APA3A (Jul 30)
- Re: Aladdin response regarding eSafe Aleksandar Milivojevic (Jul 30)
- Re: Aladdin response regarding eSafe 3APA3A (Jul 30)