Bugtraq mailing list archives
Re: Esafe Protect Gateway (CVP) does not scan virus under some
From: MLea () MPI MB CA (Lea, Michael)
Date: Fri, 24 Mar 2000 16:17:52 -0600
Alon Rotem wrote:

As I wrote in my reply, if you are afraid of such incidents, you may configure eSafe Gateway to scan each and every file, regardless of their extension. Of course this will have an effect on your network performance, since the majority of files going through the net are not harmful. A worried administrator can implement this alternative configuration within seconds. There is no 100% security, but eSafe Gateway offers a very good, very reliable, solution for any network administrator.

If it was as simple as setting eSafe to scan all file extensions, I don't think anybody would have a problem. But what some people seem to be missing here is the second part of Hugo's message:

Hugo van der Kooij wrote:

The problem is that anything with the MIME type set to TEXT/HTML will not be scanned regardless of the options recommended above.

Even if the eSafe Gateway is configured to check all file-types, it still passes through files with a MIME type of text/html, regardless of extension. There doesn't seem to be a way of turning this off and scanning all MIME types.

People also seem to be missing the fact that this affects not only HTTP traffic, but also e-mail messages. Here's an easy illustration, that doesn't require any abnormal intervention on the part of the "victim". An attacker sends a document infected with his favorite macro virus to his victim in an e-mail message. The attachment is identified with a MIME type of text/html, so the eSafe Gateway passes it through unchallenged. The victim double-clicks on the attachment and the mail client opens the document in the appropriate program, possibly without any warnings whatsoever (Outlook 97 doesn't prompt for MS Office documents ... others?). Voila! You've just infected your first victim.

At a bare minimum, the eSafe Gateway should give the option of scanning all files, regardless of MIME type. Ideally, it would also have the option of examining the CONTENT of the file to determine whether or not it is worth scanning. Using "magic numbers" to identify files is nothing new. Unix people can take a look at the "file" which has been using this concept to identify file types almost since the beginning of time.

I hope everybody's got current anti-virus signatures on their workstations. :-(

Michael Lea
Information Security
Manitoba Public Insurance
Phone: (204) 985-8224
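
The content-based check suggested in the message above, sketched as an added example that is not part of the original post and is not eSafe code: each MIME part is classified by its leading bytes ("magic numbers"), so an Office document declared as text/html is still queued for scanning. The signature table, function names and sample message are constructed for illustration.

```python
import base64
import email
from email import policy

# Leading-byte signatures for content a gateway should always hand to the scanner.
MAGIC = [
    (bytes.fromhex("D0CF11E0A1B11AE1"), "OLE2 compound file (legacy MS Office)"),
    (b"PK\x03\x04", "ZIP container (OOXML, JAR, archives)"),
    (b"MZ", "DOS/Windows executable"),
    (b"%PDF-", "PDF document"),
]

def sniff(data: bytes):
    """Describe content from its leading bytes; None if no signature matches."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return None

def parts_needing_scan(raw_message: bytes):
    """Return (filename, declared MIME type, sniffed type) for every leaf part
    whose decoded content matches a signature, ignoring the declared type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/QP first
        kind = sniff(payload)
        if kind:
            hits.append((part.get_filename(), part.get_content_type(), kind))
    return hits

# Constructed sample: an OLE2 header (no real document) labelled as text/html.
_OLE = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 24
SAMPLE = (
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b'--XX\r\nContent-Type: text/html; name="report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="report.doc"\r\n\r\n'
    + base64.b64encode(_OLE) + b"\r\n--XX--\r\n"
)

if __name__ == "__main__":
    for name, declared, actual in parts_needing_scan(SAMPLE):
        print(f"{name}: declared {declared}, content is {actual} -> scan")
```

A short signature such as `MZ` can match ordinary text; that only causes an extra scan, which is the safe direction for a gateway.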