Bugtraq mailing list archives
Re: eSafe: Could this be exploited?
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 26 Jul 2004 22:26:39 +0200 (CEST)
On Mon, 26 Jul 2004, MegaHz wrote:
> I have tested it out, and esafe blocked the whole email that contains the eicar virus. Of course I have configured esafe to block virus infected emails instead of modifying them and removing the virus.

SMTP (or SMTP via CVP) is handled as a store and forward mechanism. Hence the 80% rule does not apply.

The issue was seen with both v3.5 in CVP mode as well as v4 in bridging mode. No further lab tests were done to see if a full live EICAR version could be passed along.

If someone is able to create a test executable based on the EICAR string the point might be proven. Unfortunately I am not a programmer and lack Windows compiler tools altogether. But if someone thinks (s)he can create a sample binary that may run when the last bit is shot to pieces and still contain a valid EICAR definition to show to the screen the issue might be proven. Putting it on a webserver and posting the URL would allow anyone who wants to verify the issue themselves.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.