Bugtraq mailing list archives

Re: NAI WebShield SMTP does not scan base64 encoding


From: chris.paget () ANALYSYS COM (chris.paget () ANALYSYS COM)
Date: Thu, 22 Jun 2000 22:32:57 GMT


Sorry to harp on about this, but I think my point has been missed.

MS-TNEF is ***NOT*** being used!

I'm sending the messages from a mail client called Agent, from Forte
Inc.  AFAIK, the only product that uses MS-TNEF is Outlook - which is
not being used.

The actual viruses are being picked up.  The problem is that I wish to
block ALL scriptable files, so that in the time between a virus
outbreak and an updated DAT being released, my network is not at risk.

I have the WebShield server set up to automatically bounce any message
with a VBScript attachment - regardless of whether or not it contains
a known virus.  When the attached file is 8-bit encoded, this is
happening correctly; when the file is base64 encoded, the VBS file is
passed by the attachment filters, which should be bouncing it.  So, my
cunning plan of protecting the network while NAI are working on a DAT
fails - the virus can get through anyway.

I appreciate the messages about MS-TNEF, but it's really not the
problem here.  Virus detection is, as far as I can tell, working
correctly.  It's the attachment name-matching filters that are broken
when base64 encoding is used.

Chris

-- 
Chris Paget
Software Engineer, Analysys LTD.

chris.paget () analysys com
mad.nutter () mindless com

On Thu, 22 Jun 2000 14:07:41 -0700, you wrote:

This is a summary of replies to this thread.

There are several tools to decode TNEF encoding:

- TNEF by Mark Simpson
 (this code is under the GPL)
 http://world.std.com/~damned/software.html
 http://freshmeat.net/appindex/1999/10/13/939847359.html

- Fentun (for Windows 95, Linux and source; watch those N's).
 http://www.fentun.com

- LS-TNEF: a Java-based TNEF decoder
 http://www.mirrorworlds.com/tnef/lstnef.zip

- The Convert::TNEF Perl module by Doug Wilson; see CPAN

- Another TNEF decoder from Thomas Boll <tb () boll ch> is available at
 http://slappy.org/listarchives/xfmail/1999-October/000273.html

Information on TNEF:

- TNEF Specification
 (MS claims it's been documented in MSDN for several years)
 http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/mapi/apptnef_1cv3.htm

- Decoding Internet Attachments
 (includes information on TNEF)
 http://pages.prodigy.net/michael_santovec/decode.htm

Also, a number of SMTP-based mail scanning products scan TNEF in shipping
versions.

It seems the problem has been fixed in the latest version of the product.
Version 4.5 with DAT version 4.0.4082 appears to work correctly.

Thanks to:

Lars Hecking <lhecking () nmrc ucc ie>
MCKILLICAN, DONALD <donald.mckillican () bell ca>
DANIEL RAMIREZ VALDEZ <dramirez () cemtec com>
-DAL- <dylan () 1stup com>
David Lemson <dlemson () Exchange Microsoft com>
Eric Sherrill <sherrill () ti com>
Jim Knoble <jmknoble () pint-stowp cx>
Rainer Link <link () foo fh-furtwangen de>
H D Moore <secureaustin () CONSULTANT COM>
Chris Freels <CFreels () CDDB com>
Chad Kitching <CKitching () powerland mb ca>
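
The behaviour the post expects from an attachment-name filter, as an added example (not part of the original messages and not NAI's code): the block decision is taken from the filename declared in each MIME part's headers, so it comes out the same for an 8bit part and a base64 part. The extension list, function names and sample messages are constructed for illustration.

```python
import base64
from email import message_from_string

# Assumed block list; the post itself only names VBScript (.vbs) attachments.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".wsf"}

def blocked_attachments(raw_message):
    """Return the declared filenames of parts whose extension is block-listed."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():              # walk() also descends into nested multiparts
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition "filename" and falls back to
        # Content-Type "name"; neither depends on Content-Transfer-Encoding.
        name = part.get_filename()
        if not name:
            continue
        # Ignore case and trailing dots/spaces before comparing the extension.
        normalized = name.strip().rstrip(". ").lower()
        dot = normalized.rfind(".")
        if dot != -1 and normalized[dot:] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def build_sample(filename, encoding):
    """Constructed test message with one attachment in the given transfer encoding."""
    body = 'WScript.Echo "constructed harmless test script"\n'
    if encoding == "base64":
        body = base64.b64encode(body.encode("ascii")).decode("ascii") + "\n"
    return (
        "From: sender@example.com\n"
        "To: rcpt@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n'
        "\n"
        "--BOUND\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attachment\n"
        "--BOUND\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        f"Content-Transfer-Encoding: {encoding}\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        f"{body}"
        "--BOUND--\n"
    )

if __name__ == "__main__":
    for enc in ("8bit", "base64"):
        print(enc, blocked_attachments(build_sample("update.vbs", enc)))
```
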


