Bugtraq mailing list archives
Re: NAI WebShield SMTP does not scan base64 encoding
From: chris.paget () ANALYSYS COM (chris.paget () ANALYSYS COM)
Date: Tue, 20 Jun 2000 18:52:28 GMT
MS-TNEF is not used at any point in the process; neither is Outlook, nor Rich Text. The messages are plain text (a renamed copy of my autoexec.bat) being sent using Forte Agent - nothing Microsoft. The MIME types I have tried include application/octet-stream and text/plain - in neither case is the VBS / SHS file blocked. The only difference that I can see between this setup and another machine using Outlook (from which messages get blocked) is the encoding type - base64 instead of 8bit. If the attachment is indeed a known virus, it appears to be detected and cleaned; however, I am trying to block ALL potentially malicious attachments, and base64 encoding appears to circumvent those checks. Chris -- Chris Paget Software Engineer, Analysys LTD. chris.paget () analysys com mad.nutter () mindless com On Tue, 20 Jun 2000 14:37:46 -0400, you wrote:
Chris, This problem is not caused by base64 encoding. It is caused by the message being encoded in MS-TNEF (Microsoft Transport Neutral Encapsulation Format.) and then getting base64 encoded. MS-TNEF is used when Outlook sends Rich Text information over the Internet. NAI knows that this is a problem but they have been unable to fix it. Here's my message to NAI and their response. ------------------------------- -----Original Message----- From: Jon Sent: Tuesday, May 09, 2000 7:55 PM To: Fronck, Destry Subject: RE: Webshield smtp 4.03 virus gateway Destry, I talked to the Webshield guys and they said you are completely correct. Not only that but NO company can scan those files including ours. They did provide an article that may be of help to you. <<WebShield_MS-TNEF.doc>> Thanks Jon -------------------------------------- Network Associates Who's watching your network? ------------------------------------- -----Original Message----- From: Fronck, Destry [mailto:DFronck () FDIC gov] Sent: Monday, May 08, 2000 7:38 AM To: Jon Cc: FDIC-CSIRT Subject: Webshield smtp 4.03 virus gateway Importance: High Jon, I have discovered a problem with the WebShield smtp 4.03 virus gateway for NT. We have had several instances of the ILOVEYOU virus getting past the virus gateway. All of these were detected by the VShield 4.03 desktop scanner. Both products are running the same dat files; 4076 and the latest extra.dat. The problem is that the gateway does not appear to scan MS-TNEF (Microsoft Transport Neutral Encapsulated Format) content. This content is typically encapsulated in MIME like so ------_=_NextPart_000_01BFB8C1.7FC25C8A Content-Type: application/ms-tnef Content-Transfer-Encoding: base64 Can you verify this? Does WebShield 4.5 fix this? Can you verify this? Thanks, Destry Fronck ----------------------------------------------- Thanks, Destry Fronck -----Original Message----- From: chris.paget () ANALYSYS COM [mailto:chris.paget () ANALYSYS COM] Sent: Tuesday, June 20, 2000 9:08 AM To: BUGTRAQ () SECURITYFOCUS COM Subject: NAI WebShield SMTP does not scan base64 encoding While investigating todays virus outbreak (Stages.Worm), I noticed that our email virus scanner (NAI WebShield SMTP 4.5, engine 4.0.50, DAT 4.0.4082, 14/06/00) was not picking up all attachments. The server is configured to block all SHS, VBS, etc attachments, and notify the sender. However, when these are sent as Base64 encoding (rather than 8-bit), they are passed by the server, and could potentially infect the network. 8-bit attachments are successfully scanned (and blocked if necessary). Chirs
Current thread:
- Re: NAI WebShield SMTP does not scan base64 encoding Fronck, Destry (Jun 20)
- Re: NAI WebShield SMTP does not scan base64 encoding chris.paget () ANALYSYS COM (Jun 20)
- BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2 Juancho Forlanda (Jun 20)
- BEA WebLogic /file/ showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 20)
- Re: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2 Mike DeMaria (Jun 21)
- <Possible follow-ups>
- Re: NAI WebShield SMTP does not scan base64 encoding Sato, Ken (Jun 20)
- Microsoft Security Bulletin MS00-038 Update Microsoft Product Security (Jun 20)
- rh 6.2 - gid compromises, etc Michal Zalewski (Jun 21)
- Immunix OS 6.2 (StackGuarded Red Hat 6.2) Crispin Cowan (Jun 21)
- Warning regarding new kernel RPMs Joseph V Moss (Jun 21)
- Re: Warning regarding new kernel RPMs Dave Walter (Jun 22)
- Re: rh 6.2 - gid compromises, etc [+ MORE!!!] Stan Bubrouski (Jun 21)