Full Disclosure mailing list archives
RE: Avecho Glasswall Anti virus technolog?
From: "Alex Shipp" <ashipp () messagelabs com>
Date: Tue, 23 Dec 2003 10:06:26 -0000
Just wanted to see if anyone knew anything about the company called Avecho or their flagship product "Glasswall".
I evaluated their product earlier this year, with the view of incorporating their engine into our services. However, I quickly took the view that it was not an anti-virus engine (as advertised) but a rewriting content filtering engine. What follows are my deductions from the emails I sent through, and therefore may not correctly reflect the actual behaviour of the system. Also, it may well have changed since our tests - we reported all the bugs we found, and I expect most have been fixed for a while now.

The system attempted to stop all executable content from getting through. Where an attachment was just executable content, such as an EXE file, it was blocked. Where the attachment was executable+data, such as an Office document with macros, the attachment was rewritten to remove the executable content, but leave the data. So Office documents had all macros stripped. Similarly, HTML emails containing 'nasty' tags had these stripped. Sometimes the executable could not be stripped, in which case the email is stopped. For instance, this happened with HTML emails containing scripts.

The rewriting also happens in other cases. For instance BMP files had spurious data at the end of the file removed. TXT documents had whitespace at the end of line removed. There was also a bug which added a blank line at the beginning of each text document, but I expect this is fixed now.

Unrecognised files are blocked. So if you send unusual data files, these will be stopped. When I tested, they only recognised a few of the most common file types. For instance, they could cope with ZIP, but not RAR. However, they tell me they have added hundreds more types since we tested. Also it is fairly easy to add more types, so if you do send unusual data types, these can be added quickly. Encrypted files count as unrecognised, so sending an encrypted ZIP will also be stopped.

The email itself was also rewritten, presumably to stop exploits which rely on misformed headers. Text files appeared to be statistically analysed; some random files we sent through were stopped - eg for containing a 0x7F character or not enough spaces. They tell me that the system is OK with foreign languages and signed mail, but we did not test this.

Considering their claim to stop all viruses, their product has at least three potential areas we identified where it could be exploited. Firstly, they need to fully understand all file formats they support. Otherwise an executable can be smuggled in without them realising. Secondly, they need to be able to recognise malformed MIME. Otherwise an executable can be smuggled in without them realising. Thirdly, they need to be able to exactly identify all data files. Otherwise, an attachment of one type can be smuggled in as an attachment of another type.

The first two areas can be closed by their diligence and hard work; if a hole becomes known, they can update their code. The third area is (I believe) unsolvable. Some data files are essentially free-format - eg text files, so to determine whether a 'text' file is actually executable becomes equivalent to solving the Halting problem (mentioned by Nick in his email) which is unsolvable.

Although these flaws debunk the 'never let a virus through' claim, my judgement is that the product will still protect against the common horde of mass mailers, since these are all in common file formats, using standard MIME, and are fairly easy to identify as executable code. Where the user would be most vulnerable is to a crafted attack aiming at getting some kind of trojan or other malware into a specific organisation.

So, the product was not usable by us - it would have caused a massive false positive problem, and doesn't really add anything to our offerings, but I think there is a market for it for those companies/individuals who need that particular type of content filtering.

Caveat emptor: Avecho are potentially a competitor of ours, so make your own judgement on my comments.

Regards,
Alexs
-----------------------------------------
Alex Shipp
Senior Anti-Virus Technologist
MessageLabs
Company Registration No - 3834506
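The allow-list behaviour the post describes (block bare executables, block anything unrecognised or encrypted, identify a file by its content rather than its declared name) as an added illustration; this is not Avecho's code and all names (`sniff`, `zip_is_encrypted`, `classify`) and the tiny magic-byte table are assumptions for the example.

```python
import struct
from typing import Tuple

# Content signatures the filter knows. Anything not recognised here is blocked,
# which is the default-deny stance the post attributes to the product.
MAGIC = {
    b"MZ": "exe",            # DOS/PE executable header
    b"PK\x03\x04": "zip",    # ZIP local file header
    b"BM": "bmp",            # BMP bitmap
    b"Rar!\x1a\x07": "rar",  # RAR archive: recognised only so it can be named in the verdict
}
ALLOWED = {"zip", "bmp", "txt"}  # allow-list of data types that may pass


def sniff(data: bytes) -> str:
    """Identify the type from content alone; the filename is never consulted."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # Free-format text: accept only printable ASCII plus tab/LF/CR, so a 0x7F
    # or NUL byte makes the file "unknown" and therefore blocked.
    if data and all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "txt"
    return "unknown"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag (offset 6 of the local header) marks encryption.
    A truncated header cannot be inspected, so it is treated as encrypted (fail closed)."""
    if len(data) < 8:
        return True
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def classify(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ("allow"|"block", reason) for one attachment."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "exe":
        return "block", "executable content"
    if kind not in ALLOWED:
        return "block", f"unrecognised type {kind!r}"
    if kind == "zip" and zip_is_encrypted(data):
        return "block", "encrypted archive cannot be inspected"
    if ext and ext != kind:  # declared name disagrees with sniffed content
        return "block", f"declared .{ext} but content is {kind}"
    return "allow", kind
```

The extension check is only a mismatch detector; the decision itself always rests on the sniffed content, which is the third of the post's three weak points (exact identification of data files).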