Bugtraq mailing list archives
eSafe: Could this be exploited?
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Fri, 23 Jul 2004 20:21:22 +0200 (CEST)
Hi, I had a bit of a chat with Aladdin support regarding the odd results I had with their network virusscanner (aka: eSafe). (see also: http://www.ealaddin.com/esafe/default.asp) Both as NitroEngine or CVP server they will push as much of 80% to the end-user before they stop a virus. Then they rely on the adding of the exact URL so that URL can be blocked in all next requests. If it is a first time hit you can get as much as 80% of the payload on your machine and while they may reset the tcp stream at least IE does store the 80% chunk as if the file was transfered correctly. (This part I tested with over 30 different virus files.) First off this is extremely confusing to the user who just thinks (s)he just had a virus passing their scanner. (And they are about 80% right.) Then the chunk may contain enough to trigger another scanner which may reside on the desktop of said user adding further to the belief this is not a good product. But what if I were to write a really small harmfull virus (say less then 2 ethernet packets)? Or create it in such way that the last 20 to 25% is expendible without loosing it's sting? Is someone able to verify such a virus may work? (I am not a programmer so I can think of the potential breach but I can't verify it is exploitable.) I have a felling it is just a matter of time before such a scanner will be bypassed. Hugo. -- All email sent to me is bound to the rules described on my homepage. hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.
Current thread:
- eSafe: Could this be exploited? Hugo van der Kooij (Jul 23)
- Re: eSafe: Could this be exploited? Nick FitzGerald (Jul 24)
- Re: eSafe: Could this be exploited? Oliver () greyhat de (Jul 24)
- Re: eSafe: Could this be exploited? 3APA3A (Jul 24)
- Re: eSafe: Could this be exploited? Andreas Constantinides (MegaHz) (Jul 26)
- Re: eSafe: Could this be exploited? MegaHz (Jul 26)
- Re: eSafe: Could this be exploited? Hugo van der Kooij (Jul 27)
- Re: eSafe: Could this be exploited? Kev Ford (Jul 28)
- Re: eSafe: Could this be exploited? Nick FitzGerald (Jul 31)