Bugtraq mailing list archives
Re: Esafe Protect Gateway (CVP) does not scan virus under some
From: alonr () EALADDIN COM (alonr () EALADDIN COM)
Date: Thu, 23 Mar 2000 16:29:41 +0200
Dear Sir/Madam,

Referring to the message quoted below, initiated by Mr. Hugo van der Kooij, I would like to bring up a few points opposing the analysis of our product, eSafe Protect Gateway for CVP firewalls version 2.1 (also known as eSafe Gateway).

eSafe Gateway, integrated with Checkpoint's "Firewall-1", offers a high level of reliable security and privacy, and an easy to use, powerful configuration interface. eSafe Gateway's excellent security policy is obtained by a combination of a powerful virus and vandal scanning engine for files and applets, high level content security, and additional personal privacy key features.

eSafe Gateway's anti-virus file security is based upon a policy by which files can either be considered "Dangerous" or "Safe". This is determined by the file extensions. It should not be a surprise to Mr. Van der Kooij that eSafe's security policy does not have to depend on file extensions. A network administrator, worried lest malicious files should enter his network due to a scenario described hereinafter, has an option to scan files regardless of their extensions. Such a solution would usually be redundant, and cost in network performance, which is often considered valuable. The procedure by which such a configuration is set up is described by Mr. Van der Kooij himself. The trade-off between performance and protection sufficiency is a well known issue in the world of data security.

As suggested by Mr. Van der Kooij, it is possible to make files go through eSafe Gateway without being scanned for viruses, thus creating security holes. eSafe believes that relying on file extensions in order to avoid threats and virus assaults is highly efficient. This is definitely not due to a "flawed design". We, at eSafe, believe that it is possible to achieve a high level of security and privacy while relying on file extensions.
In order to gain good security, and, at the same time, good network performance, it is possible (and recommended) to avoid scanning of files that are predefined as "Safe" (or files that are not defined as "Dangerous"). It would often be redundant to scan each and every file which goes through the system.

It is agreed that file renaming is a common action that can be easily performed by anyone who can use an alphanumeric keyboard, but if a hacker sends an infected executable file masqueraded with a "TXT" or an "MPG" extension, it is the user's job to get the file, save it to his local disk, rename it to a valid executable, and then run it. Such a user can also bring an infected floppy disk from home and spread a virus in the company's internal network, or format his own hard disk manually. The damage and the user's involvement in damaging the system would be more or less equivalent.

Another aspect of HTTP file protection taken by eSafe is the file's header, which contains extra information about the file type (MIME type). It is indeed possible to make an HTTP server transfer any file with a false MIME type field. Note that HTTP clients (web browsers) treat files by their MIME type. Files that are transferred with a MIME type of "text/html" would be opened in the browser window, and not considered as an executable that should be saved to disk. In order to pass an infection in such a case, the user should once again get highly involved: open the browser window, initiate a "Save As..." procedure manually to the local disk, and run the file. Also, note that transferring files with a "text/html" MIME type would usually result in a conversion of the file to ASCII format, and it will be displayed in the browser window with no control characters. Therefore, even saving and running the file would fail.

In conclusion, Mr. Van der Kooij has insinuated that according to eSafe there is "No fix available". The subject described above is not a bug, nor a security problem. Hence, no fix is needed.
eSafe Gateway provides excellent security and safe network environments.

Sincerely,
Alon Rotem
Software Engineer
Phone: [+972 4] 8811441
e-mail: alonr () eAladdin com
Listen to my music at: http://www.audiogalaxy.com/bands/alonrotem

Aladdin. Securing The Global Village
Ashlag 22, Haifa, Israel
Tel: +972 4 872-8899 Fax: +972 4 872-9966
Visit us at our Web site! http://www.esafe.com
Aladdin supports Idealist. Visit http://www.idealist.org

On 23/03/2000 10:58:00 ZE2 Ronen Mor wrote:
this is a mail we received from "Misrad Haozar", which is holding the PO for renewal of their ESG updates. Please send your comment ASAP to Oren Marom.

Thanks
Ronen Mor
Regional Manager
Enterprise Security Unit
Aladdin Knowledge Systems
ronenm () eAladdin com
Aladdin. Securing the Global Village.
P.O. Box 11141, Tel Aviv 61110 Israel
Tel: +972 3 636-2222; Fax: +972 3 537-5796
Visit us at our Web site! http://www.eAladdin.com
Aladdin supports Idealist. Visit http://www.idealist.org

----- Forwarded by Ronen Mor/TLV/AKS on 23/03/00 10:54 -----

Oren Marom 23/03/00 10:48
To: Ronen Mor/TLV/AKS@AKS
cc:
Subject: ESPG

Regards,
Oren Marom
Account Manager
Enterprise Security Unit
Aladdin Knowledge Systems LTD
Tel: 03-6362316, Cellular: 053-603555
E-mail: orenm () eAladdin com
Fax: 03-6362318
Aladdin. Securing the Global Village.
P.O. Box 11141, Tel Aviv 61110 Israel
Tel: +972 3 636-2222; Fax: +972 3 537-5796
Visit us at our Web site! http://www.eAladdin.com
Aladdin supports Idealist. Visit http://www.idealist.org

----- Forwarded by Oren Marom/TLV/AKS on 03/23/00 10:47 AM -----

boaz () mof gov il 03/23/00 10:43 AM
To: orenm () aks com
cc:
Subject: ESPG

---------------------------
Sent by Boaz Dolev/Maor/Otzar on 23/03/2000 10:37
----------------------

Doron Shikmoni <doron () isoc org il> - 22/03/2000 20:18:05
To: boaz, eddie () sela co il, yuval, ponga
cc:
Subject: [Fwd: Esafe Protect Gateway (CVP) does not scan virus under some conditions]
-------- Original Message --------
Date: Tue, 21 Mar 2000 09:24:35 +0100
From: Hugo.van.der.Kooij () CAIW NL
Subject: Esafe Protect Gateway (CVP) does not scan virus under some
To: BUGTRAQ () SECURITYFOCUS COM

Hi,

After notification of the manufacturer here is the full report on a problem noted with Esafe Protect Gateway.

SUMMARY
-------

The Esafe Protect Gateway (ESPG) does not scan some files in combination with FireWall-1 and CVP.

DETAILS
-------

If you want the Esafe Protect Gateway to scan all content for the presence of a virus you have two options.

1. Choose to scan anything not listed in the 'safe file types' list. And then clear out all entries in that list.
2. Choose to scan only files listed in the 'dangerous file types' list. And then have only one extension listed, namely '*'.

Deciding to rely on extensions seems an indication of a flawed design already. Renaming files is a common practice and can be done by anyone capable of operating a keyboard.

The problem is that anything with the MIME type set to TEXT/HTML will not be scanned regardless of the options recommended above.

A simple test was capable of pointing this out. Set up a default Apache server. Copy a virus file to two locations, being http://website/test1.txt and http://website/test1.html, and try to download them with your favorite browser. The URL is unique and was never used by your browser, to minimize the possibilities of caches being in place. But forced reloads work properly and are sufficient if you want to replicate this issue.

Downloading http://website/test1.html does nothing to detect the virus and it is yours. No protection is offered. Downloading http://website/test1.txt will not work as ESPG will now intercept the file containing the virus.

By adjusting the webserver to send out *.txt as MIME type TEXT/HTML and *.html as MIME type TEXT/PLAIN you can now test with http://website/test2.txt and http://website/test2.html to verify things.
Downloading http://website/test2.txt will get you infected as ESPG will not scan the file. And downloading http://website/test2.html will not work as ESPG detects the virus and will prevent it from downloading.

CONCLUSION
----------

Esafe Protect Gateway can at present not be trusted to protect you from downloading a virus.

VERSIONS
--------

Esafe Protect Gateway v2.1 build 98. Virus tables dated March 15, 2000.

STATUS
------

Manufacturer notified. No fix available. Results have not been confirmed yet. However, I was able to verify that the problem lies with Esafe and not with Check Point by using Trend Micro's CVP server instead, which did not suffer from the same problem.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij () caiw nl http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial) email is a clear intrusion of my privacy and illegal!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Yehavi Bourvine (4X6DD), Computation Center, The Hebrew University of Jerusalem, Givat-Ram, 91904 Jerusalem, Israel
Phone: +972-2-6585684, Emergency: +972-50-975544, Fax: +972-2-6527349
Email: YEHAVI () VMS HUJI AC IL, URL: http://www.huji.ac.il/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
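The two messages above disagree about whether a gateway may decide what to scan from the URL extension and the server-supplied Content-Type header. The following is an added example, written for this archive page; it is not code from either poster and not the eSafe product's logic. It models the metadata-based gating the advisory describes (text/html passed through unscanned, everything else gated by an extension list or by the "scan everything" setting) next to a content-based gate that looks at the first bytes of the body, and runs both over the four cases of Hugo's test1/test2 experiment. The dangerous-extension list, the signature table and the FAKE_PE body are constructed for the example and carry no claim about the product's real configuration.

```python
# Added example (not code from the original post or from the eSafe product):
# a model of the two scan-gating strategies argued about in the thread.
from dataclasses import dataclass
from urllib.parse import urlsplit
import posixpath


@dataclass(frozen=True)
class Response:
    """One HTTP response as a CVP server sees it: request URL, the
    server-supplied Content-Type header, and the body bytes."""
    url: str
    content_type: str
    body: bytes


# Hypothetical "dangerous file types" list; the product's real default list
# is not given anywhere in the thread.
DANGEROUS_EXTENSIONS = {".exe", ".com", ".scr", ".dll", ".vbs", ".doc", ".xls"}


def url_extension(url: str) -> str:
    """Extension of the URL path, lower-cased, or '' if there is none."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def mime_type(content_type: str) -> str:
    """Media type without parameters: 'text/html; charset=x' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def gate_by_name(resp: Response, scan_everything: bool = False) -> bool:
    """Decide whether to scan from metadata only, modelling the behaviour the
    advisory reports: text/html is passed through unscanned whatever the
    extension policy says; otherwise scan if the extension is listed as
    dangerous, or always if the admin chose the '*' / empty-safe-list
    variant (scan_everything)."""
    if mime_type(resp.content_type) == "text/html":
        return False
    if scan_everything:
        return True
    return url_extension(resp.url) in DANGEROUS_EXTENSIONS


# A few file signatures a gateway can check directly on the bytes
# (constructed table for the example, not the product's detection).
MAGIC = {
    b"MZ": "dos/windows executable",
    b"\x7fELF": "elf executable",
    b"PK\x03\x04": "zip archive",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 compound document",
}


def sniff(body: bytes):
    """Return the signature name matching the body's leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def gate_by_content(resp: Response) -> bool:
    """Decide to scan from the bytes alone; URL and header are ignored."""
    return sniff(resp.body) is not None


def unscanned_executables(responses, gate) -> list:
    """URLs whose body carries an executable/archive signature but which
    `gate` would let through without scanning, i.e. the bypasses."""
    return [r.url for r in responses if sniff(r.body) and not gate(r)]


# Constructed sample: the same fake Windows executable served four ways,
# mirroring test1/test2 in the advisory. The body is not a real binary.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLES = [
    Response("http://website/test1.txt", "text/plain", FAKE_PE),
    Response("http://website/test1.html", "text/html", FAKE_PE),
    # server reconfigured: *.txt sent as text/html, *.html as text/plain
    Response("http://website/test2.txt", "text/html", FAKE_PE),
    Response("http://website/test2.html", "text/plain", FAKE_PE),
]


def demo():
    """Bypasses under each gate, with the 'scan everything' setting on."""
    by_name = unscanned_executables(
        SAMPLES, lambda r: gate_by_name(r, scan_everything=True))
    by_content = unscanned_executables(SAMPLES, gate_by_content)
    return by_name, by_content


if __name__ == "__main__":
    name_bypasses, content_bypasses = demo()
    print("metadata gating misses:", name_bypasses)
    print("content gating misses: ", content_bypasses)
```

Even with the strictest extension setting the metadata gate lets test1.html and test2.txt through, exactly the two downloads the advisory reports as unscanned, while the content gate catches all four because it never consults the name or the header. On the server side, Hugo's reconfiguration step is two mod_mime directives scoped to the test directory, `AddType text/html .txt` and `AddType text/plain .html`; the point of the experiment is that such a server-side change is entirely under the attacker's control, so nothing the gateway reads from the request or the headers is trustworthy.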
Current thread:
- Re: Esafe Protect Gateway (CVP) does not scan virus under some alonr () EALADDIN COM (Mar 23)
- Re: Esafe Protect Gateway (CVP) does not scan virus under some Hugo.van.der.Kooij () CAIW NL (Mar 23)
- <Possible follow-ups>
- Re: Esafe Protect Gateway (CVP) does not scan virus under some Smith, Eric V. (Mar 24)
- Re: Esafe Protect Gateway (CVP) does not scan virus under some Alon Rotem (Mar 24)
- Re: Esafe Protect Gateway (CVP) does not scan virus under some Alon Rotem (Mar 24)
- Re: Esafe Protect Gateway (CVP) does not scan virus under some Hugo.van.der.Kooij () CAIW NL (Mar 24)
- Re: Esafe Protect Gateway (CVP) does not scan virus under some Eric Chien (Mar 24)
- Re: Esafe Protect Gateway (CVP) does not scan virus under some Jason Brvenik (Mar 24)
- Re: Esafe Protect Gateway (CVP) does not scan virus under some Lea, Michael (Mar 24)
- Security Problems with Linux 2.2.x IP Masquerading H D Moore (Mar 27)
- Follow-Up: Security Problems with Linux 2.2.x IP Masquerading H D Moore (Mar 28)
- Security Problems with Linux 2.2.x IP Masquerading H D Moore (Mar 27)
(Thread continues...)