Re: PenTesting Email AntiVirus

[Muhammad Faisal Rauf Danka <mfrd () attitudex com>]

I think no matter what you do, you can never stay abreast of new viruses keep popping every now and then, even if you 
have a virus scanning email server, It's more likely that a new virus will pass through beause it's very new or maybe 
your virus signature file is not updated. 
I think one should only expect *many* virus emails to be scanned and rejected or whatever via email server, but STILL 
take great care *as usual to not to recieve and run an .exe/.com/.bat/.vbs etc. files* recieved via email.

-back to the pen-testing point, well yeah sending viruses as .ppt and as excel files is another way, but you can also 
try sending it in .tgz / .tar / .cpio / .uu (uuencoded) / .avi / .mpg formats.

This will check that whether the antivirus scans only .exe files for known virus signatures or does it check every 
attachment?

anyways , Goodluck!

Regards, 
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Responce Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781 

"Great is the Art of beginning, but Greater is the Art of ending. "

------BEGIN GEEK CODE BLOCK----
Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++ 
P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y- 
PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
------END GEEK CODE BLOCK------


--- "Rainer Duffner" <rainer () ultra-secure de> wrote:
> Ilici Ramirez writes: 
>
> > Hello, 
> >
> > What ways do you know to pen-test email antivirus
> > software? 
>
> I'd try to pack various combinations of different file-formats into
> each other (OLE-container).
> E.g., if they have disabled .exe to enter or leave the LAN, try sticking
> it into an Excel or PPT-file.
> It should not work, but that's what you're supposed to find out.
> ;-)
> Of course, with webmail-over-https this is 80% pointless nowadays... 
>
>
> > A cool one that has been published before is to zip a
> > very large file that contains the same character. The
> > result, a very small file attached to an email could
> > deplete resources on the antivirus server. Do you know
> > any AV exploitable with this?
>
> It's called 42.zip and there has been a discussion about this once in a 
> while. Search the archives. 
>
>
> cheers,
> Rainer
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Rainer Duffner                   Munich
> rainer () ultra-secure de          Germany
> http://www.i-duffner.de        Freising
> ========================================
>    When shall we three meet again
>  In thunder, lightning, or in rain?
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Promote your group and strengthen ties to your members with email () yourgroup org by Everyone.net  
http://www.everyone.net/?btn=tag

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/