Bugtraq mailing list archives

Re: Esafe Protect Gateway (CVP) does not scan virus under some


From: alonr () EALADDIN COM (alonr () EALADDIN COM)
Date: Thu, 23 Mar 2000 16:29:41 +0200


Dear Sir/Madam,

Referring to the message quoted below, initiated by Mr. Hugo van der Kooij, I
would like to bring up a few points opposing the analysis of our product,
eSafe Protect Gateway for CVP firewalls version 2.1 (also known as eSafe
Gateway).

eSafe Gateway, integrated with Checkpoint's "Firewall-1", offers a high
level of reliable security and privacy, and an easy to use powerful
configuration interface. eSafe Gateway's excellent security policy is
obtained by a combination of a powerful virus and vandal scanning engine
for files and applets, high level content security, and additional personal
privacy key features. eSafe Gateway's anti-virus file security is based
upon a policy by which files can either be considered "Dangerous" or
"Safe". This is determined by the files' extensions.

It should not come as a surprise to Mr. Van der Kooij that eSafe's security
policy does not have to depend on file extensions. A network
administrator, worried lest malicious files should enter his network due to
a scenario described hereinafter, has the option to scan files regardless of
their extensions. Such a solution would usually be redundant, and would cost
network performance, which is often considered valuable. The procedure by
which such a configuration is set up is described by Mr. Van der Kooij
himself.

The trade off between performance and protection sufficiency is a well
known issue in the world of data security. As suggested by Mr. Van der
Kooij, it is possible to make files go through eSafe Gateway without being
scanned for viruses, thus creating security holes. eSafe believes that
relying on file extension in order to avoid threats and virus assaults is
highly efficient. This is definitely not due to a "flawed design". We, at
eSafe, believe that it is possible to achieve a high level of security and
privacy, while relying on the files extensions. In order to gain good
security, and, at the same time, good network performance, it is possible
(and recommended) to avoid scanning of files that are predefined as "Safe"
(or files that are not defined as "Dangerous"). It would often be redundant
to scan each and every file which goes through the system.

It is agreed that renaming files is a common action that can easily be
performed by anyone who can use an alphanumeric keyboard, but if a hacker
sends an infected executable file masqueraded with a "TXT" or an "MPG"
extension, it is the user's job to get the file, save it to his local disk,
rename it to a valid executable, and then run it. Such a user can also
bring an infected floppy disk from home and spread a virus in the company's
internal network, or format his own hard disk manually. The damage and the
user's involvement in damaging the system would be more or less equivalent.

Another aspect of HTTP file protection taken by eSafe is the file's header,
which contains extra information about the file type (MIME type). It is
indeed possible to make an HTTP server transfer any file with a false MIME
type field. Note that HTTP clients (web browsers) treat files by their MIME
type. Files that are transferred with a MIME type of "text/html" would be opened
in the browser window, and not considered as an executable that should be
saved to disk. In order to pass an infection in such a case, the user
should once again get highly involved: Open the browser window, initiate a
"Save As..." procedure manually to the local disk and run the file. Also,
note that transferring files with a "text/html" MIME type would usually
result in a conversion of the file to ASCII format, and will be displayed
in the browser window with no control characters. Therefore, even saving
and running the file would fail.

In conclusion, Mr. Van der Kooij has insinuated that according to eSafe
there is "No fix available". The subject described above is not a bug, nor
a security problem. Hence, no fix is needed. eSafe Gateway provides
excellent security and safe network environments.


Sincerely,

Alon Rotem
Software Engineer

Phone: [+972 4] 8811441
e-mail: alonr () eAladdin com
Listen to my music at:
http://www.audiogalaxy.com/bands/alonrotem

Aladdin. Securing The Global Village

Ashlag 22, Haifa, Israel
Tel:   +972 4 872-8899 Fax: +972 4 872-9966
Visit us at our Web site!  http://www.esafe.com

Aladdin supports Idealist. Visit http://www.idealist.org


On 23/03/2000 10:58:00 ZE2 Ronen Mor wrote:

This is a mail we received from "Misrad Haozar", which is holding the PO
for renewal of their updates of ESG.
Please send your comments ASAP to Oren Marom.

Thanks


Ronen Mor

Regional Manager
Enterprise Security Unit
Aladdin Knowledge Systems
ronenm () eAladdin com

Aladdin. Securing the Global Village.
P.O. Box 11141,  Tel Aviv 61110 Israel
Tel:   +972 3 636-2222; Fax: +972 3 537-5796
Visit us at our Web site!  http://www.eAladdin.com

Aladdin supports Idealist. Visit http://www.idealist.org


----- Forwarded by Ronen Mor/TLV/AKS on 23/03/00 10:54 -----

   Oren Marom
   23/03/00 10:48

         To: Ronen Mor/TLV/AKS@AKS
         cc:
         Subject: ESPG

Regards,

                          Oren Marom
                      Account Manager

                   Enterprise Security Unit
            Aladdin Knowledge Systems LTD

         Tel: 03-6362316, Cellular: 053-603555
                E-mail: orenm () eAladdin com
                          Fax :03-6362318


Aladdin. Securing the Global Village.
P.O. Box 11141,  Tel Aviv 61110 Israel
Tel:   +972 3 636-2222; Fax: +972 3 537-5796
Visit us at our Web site!  http://www.eAladdin.com

Aladdin supports Idealist. Visit http://www.idealist.org


----- Forwarded by Oren Marom/TLV/AKS on 03/23/00 10:47 AM -----

   boaz () mof gov il
   03/23/00 10:43 AM

         To: orenm () aks com
         cc:
         Subject: ESPG




----- Forwarded by Boaz Dolev/Maor/Otzar on 23/03/2000 10:37 -----

   Doron Shikmoni <doron () isoc org il> - 22/03/2000 20:18:05

         cc: boaz, eddie () sela co il, yuval, ponga
         Subject: [Fwd: Esafe Protect Gateway (CVP) does not scan virus under
                  some conditions]

-------- Original Message --------

Date:         Tue, 21 Mar 2000 09:24:35 +0100
From: Hugo.van.der.Kooij () CAIW NL
Subject:      Esafe Protect Gateway (CVP) does not scan virus under some
To: BUGTRAQ () SECURITYFOCUS COM

Hi,
After notification of the manufacturer here is the full report on a
problem noted with Esafe Protect Gateway.

SUMMARY
-------

The Esafe Protect Gateway (ESPG) does not scan some files in combination
with FireWall-1 and CVP.

DETAILS
-------

If you want the Esafe Protect Gateway to scan all content for the presence
of a virus you have two options.

1. Choose to scan anything not listed in the 'safe file types' list. And
   then clear out all entries in that list.

2. Choose to scan only files listed in the 'dangerous file types' list.
   And then have only one extension listed namely '*'.

Deciding to rely on extensions seems an indication of a flawed design
already. Renaming files is a common practice and can be done by anyone
capable of operating a keyboard.

The problem is that anything with the MIME type set to TEXT/HTML will not
be scanned regardless of the options recommended above.

A simple test was capable of pointing this out.

Set up a default Apache server. Copy a virus file to two locations, namely
http://website/test1.txt and http://website/test1.html, and try to download
them with your favorite browser. The URL is unique and was never used by
your browser, to minimize the possibility of caches being in place. But
forced reloads work properly and are sufficient if you want to replicate
this issue.

Downloading http://website/test1.html does nothing to detect the virus and
it is yours. No protection is offered. Downloading
http://website/test1.txt will not work, as ESPG will now intercept the file
containing the virus.

By adjusting the webserver to send out *.txt as MIME type TEXT/HTML and
*.html as MIME type TEXT/PLAIN you can now test with
http://website/test2.txt and http://website/test2.html to verify things.
Downloading http://website/test2.txt will get you infected as ESPG will
not scan the file. And downloading http://website/test2.html will not work
as ESPG detects the virus and will prevent it from downloading.

CONCLUSION
----------

Esafe Protect Gateway can at present not be trusted to protect you from
downloading a virus.

VERSIONS
--------

    Esafe Protect Gateway v2.1 build 98.
    Virus tables dated March 15, 2000.

STATUS
------

    Manufacturer notified.
    No fix available.
    Results have not been confirmed yet.

    However I was able to verify that the problem lies with Esafe and
    not with Check Point by using Trend Micro's CVP server instead
    which did not suffer from the same problem.


Hugo.



--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl    http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial)
   email is a clear intrusion of my privacy and illegal!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Yehavi Bourvine (4X6DD),                Phone:  +972-2-6585684
Computation Center,                 Emergency:  +972-50-975544
The Hebrew University of Jerusalem,
Givat-Ram,  91904 Jerusalem,  Israel
                                          Fax: +972-2-6527349
Email:   YEHAVI () VMS HUJI AC IL
URL:     http://www.huji.ac.il/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
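The four downloads in the report above, modelled as an added example. This is not eSafe's, Check Point's, Apache's or the poster's code: it reconstructs the three "should this response be scanned?" policies the thread argues about (scan only "Dangerous" extensions, scan everything except what the server declares as text/html, scan every body) and runs them over constructed HTTP responses that mirror the test1/test2 URLs. The Dangerous-extension list is assumed, and the virus is the harmless EICAR anti-virus test string standing in for a real signature. HTTP carries the response body octet-for-octet whatever the Content-Type header says, so the only thing that differs between the four downloads is the scanner's decision, which is what the model exercises.

```python
"""Model of a CVP-style HTTP content scanner's "should I scan this?" decision.

Added example for this thread; not eSafe's, Check Point's or Apache's code.
The responses, the extension list and the virus pattern are constructed so
the script runs offline. The pattern is the harmless EICAR test string.
"""
from dataclasses import dataclass

# Constructed list of extensions an administrator might mark "Dangerous".
DANGEROUS_EXTENSIONS = {"exe", "com", "bat", "scr", "pif", "vbs", "dll"}

# EICAR anti-virus test string, standing in for a real virus signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = (EICAR,)


@dataclass(frozen=True)
class HttpResponse:
    url: str
    content_type: str   # Content-Type header exactly as the server sent it
    body: bytes         # octets as carried by HTTP; not transcoded in transit


def extension_of(url: str) -> str:
    """Extension of the last path segment, lower-cased; '' if there is none."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def av_engine_finds_virus(body: bytes) -> bool:
    """Stand-in for the scanning engine: signature match anywhere in the body."""
    return any(sig in body for sig in SIGNATURES)


# --- Three candidate policies deciding whether a response reaches the engine --

def policy_dangerous_extensions(resp: HttpResponse) -> bool:
    """Vendor default: scan only URLs whose extension is on the Dangerous list."""
    return extension_of(resp.url) in DANGEROUS_EXTENSIONS


def policy_scan_all_but_text_html(resp: HttpResponse) -> bool:
    """Dangerous list set to '*' as the report recommends, combined with the
    behaviour the report observed: a body declared text/html is never scanned."""
    mime = resp.content_type.split(";", 1)[0].strip().lower()
    return mime != "text/html"


def policy_scan_everything(resp: HttpResponse) -> bool:
    """Scan every body regardless of URL extension or declared type."""
    return True


def verdict(policy, resp: HttpResponse) -> str:
    """'blocked' only if the policy sends the body to the engine and it hits."""
    return "blocked" if policy(resp) and av_engine_finds_virus(resp.body) else "passed"


# --- The report's downloads, reconstructed as constructed responses ---------
# test1.*: stock Apache maps .txt -> text/plain and .html -> text/html.
# test2.*: Apache reconfigured to swap the two mappings.
HUGO_TEST = [
    HttpResponse("http://website/test1.txt",  "text/plain", EICAR),
    HttpResponse("http://website/test1.html", "text/html",  EICAR),
    HttpResponse("http://website/test2.txt",  "text/html",  EICAR),
    HttpResponse("http://website/test2.html", "text/plain", EICAR),
    # Extra constructed case: an executable served as what it is.
    HttpResponse("http://website/setup.exe",  "application/octet-stream", b"MZ" + EICAR),
]

POLICIES = {
    "dangerous-extensions": policy_dangerous_extensions,
    "scan-all-except-text/html": policy_scan_all_but_text_html,
    "scan-everything": policy_scan_everything,
}


def run_hugo_test() -> dict:
    """Verdict for every (policy, URL) pair: {policy_name: {url: verdict}}."""
    return {name: {r.url: verdict(pol, r) for r in HUGO_TEST}
            for name, pol in POLICIES.items()}


def bypasses(results: dict) -> dict:
    """Per policy, the virus-carrying URLs it let through, sorted."""
    return {name: sorted(u for u, v in urls.items() if v == "passed")
            for name, urls in results.items()}


if __name__ == "__main__":
    results = run_hugo_test()
    for name, urls in results.items():
        print(f"== {name}")
        for url, v in urls.items():
            print(f"  {v:8} {url}")
    print("bypasses:", bypasses(results))
```

Run as-is, the "scan-all-except-text/html" policy reproduces the report exactly: test1.txt and test2.html are blocked, test1.html and test2.txt go through, because the decision follows the server's Content-Type header and the server is under the attacker's control. The "dangerous-extensions" default lets all four test files through, and only "scan-everything" blocks all five. To reproduce the test2 remapping on a real Apache server the directives are `AddType text/html .txt` and `AddType text/plain .html` (standard mod_mime directives, not quoted on this page).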





