Bugtraq mailing list archives
Re: NAI WebShield SMTP does not scan base64 encoding
From: chris.paget () ANALYSYS COM (chris.paget () ANALYSYS COM)
Date: Thu, 22 Jun 2000 22:32:57 GMT
Sorry to harp on about this, but I think my point has been missed.

MS-TNEF is ***NOT*** being used! I'm sending the messages from a mail client called Agent, from Forte inc. AFAIK, the only product that uses MS-TNEF is Outlook - which is not being used.

The actual viruses are being picked up. The problem is that I wish to block ALL scriptable files, so that in the time between a virus outbreak and an updated DAT being released, my network is not at risk. I have the WebShield server set up to automatically bounce any message with a VBScript attachment - regardless of whether or not it contains a known virus.

When the attached file is 8-bit encoded, this is happening correctly; when the file is base64 encoded, the VBS file is passed by the attachment filters, which should be bouncing it. So, my cunning plan of protecting the network while NAI are working on a DAT fails - the virus can get through anyway.

I appreciate the messages about MS-TNEF, but it's really not the problem here. Virus detection is, as far as I can tell, working correctly. It's the attachment name-matching filters that are broken when base64 encoding is used.

Chris

--
Chris Paget
Software Engineer, Analysys LTD.
chris.paget () analysys com
mad.nutter () mindless com

On Thu, 22 Jun 2000 14:07:41 -0700, you wrote:
This is a summary of replies to this thread.

There are several tools to decode TNEF encoding:

- TNEF by Mark Simpson (this code is under the GPL)
  http://world.std.com/~damned/software.html
  http://freshmeat.net/appindex/1999/10/13/939847359.html
- Fentum (for Windows 95, Linux and source; watch those N's).
  http://www.fentun.com
- LS-TENF: a Java based TNEF decoder
  http://www.mirrorworlds.com/tnef/lstnef.zip
- The Convert::TNEF perl module by Doug Wilson; see CPAN
- Another TNEF decoder from Thomas Boll <tb () boll ch> is available at
  http://slappy.org/listarchives/xfmail/1999-October/000273.html

Information on TNEF:

- TNEF Specification (MS claims it's been documented in MSDN for several years)
  http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/mapi/apptnef_1cv3.htm
- Decoding Internet Attachments (includes information on TNEF)
  http://pages.prodigy.net/michael_santovec/decode.htm

Also, a number of SMTP-based mail scanning products scan TNEF in shipping versions.

It seems the problem has been fixed in the latest version of the product. Version 4.5 with DAT version 4.0.4082 appears to work correctly.

Thanks to:

Lars Hecking <lhecking () nmrc ucc ie>
MCKILLICAN, DONALD <donald.mckillican () bell ca>
DANIEL RAMIREZ VALDEZ <dramirez () cemtec com>
-DAL- <dylan () 1stup com>
David Lemson <dlemson () Exchange Microsoft com>
Eric Sherrill <sherrill () ti com>
Jim Knoble <jmknoble () pint-stowp cx>
Rainer Link <link () foo fh-furtwangen de>
H D Moore <secureaustin () CONSULTANT COM>
Chris Freels <CFreels () CDDB com>
Chad Kitching <CKitching () powerland mb ca>
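
The behaviour the message above expects from a name-matching filter, as an added example that is not part of the thread and is not NAI's code: the verdict is taken from the MIME part headers, so an 8bit and a base64 copy of the same attachment are treated alike. The extension list beyond `.vbs`, the function names and the sample messages are assumptions constructed for this sketch.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed block list for this example; the thread itself only names VBScript.
BLOCKED_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def blocked_attachments(raw_message: bytes) -> list:
    """Return sorted (filename, transfer-encoding) pairs for blocked parts.

    Only MIME part headers are consulted, so the verdict cannot change with
    the Content-Transfer-Encoding used for the part body.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    for part in msg.walk():
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        # The name may be in Content-Disposition (filename=) or Content-Type
        # (name=); check both, because mail clients differ and may disagree.
        for name in (part.get_filename(), part.get_param("name")):
            if isinstance(name, str) and name.strip().lower().endswith(BLOCKED_EXTENSIONS):
                hits.add((name.strip(), cte))
    return sorted(hits)


def sample(cte: str, filename: str = "note.vbs") -> bytes:
    """Constructed test message with one attachment in the given encoding."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "filter test"
    msg.set_content("see attachment")
    msg.add_attachment(b'MsgBox "hello"\r\n', maintype="application",
                       subtype="octet-stream", filename=filename, cte=cte)
    return msg.as_bytes()


if __name__ == "__main__":
    for cte in ("8bit", "base64"):
        verdict = "bounce" if blocked_attachments(sample(cte)) else "deliver"
        print(cte, verdict, blocked_attachments(sample(cte)))
```

Running the two constructed messages through a gateway's attachment rule is a quick regression check after a product or DAT update: both must be bounced.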