[14404] in bugtraq


Re: Esafe Protect Gateway (CVP) does not scan virus under some

daemon@ATHENA.MIT.EDU (Hugo.van.der.Kooij@CAIW.NL)
Fri Mar 24 03:19:18 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10003231942360.32547-100000@bastion.hugo.vanderkooij.org>
Date:         Thu, 23 Mar 2000 20:17:33 +0100
Reply-To: Hugo.van.der.Kooij@CAIW.NL
From: Hugo.van.der.Kooij@CAIW.NL
X-To:         alonr@eAladdin.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <OF1C83D2F8.5F672B72-ON422568AB.004E1FFC@aladdin.co.il>

On Thu, 23 Mar 2000 alonr@eAladdin.com wrote:

> The trade-off between performance and protection sufficiency is a well
> known issue in the world of data security. As suggested by Mr. Van der
> Kooij, it is possible to make files go through eSafe Gateway without being
> scanned for viruses, thus creating security holes. eSafe believes that
> relying on file extension in order to avoid threats and virus assaults is
> highly efficient. This is definitely not due to a "flawed design". We, at
> eSafe, believe that it is possible to achieve a high level of security and
> privacy, while relying on file extensions. In order to gain good
> security, and, at the same time, good network performance, it is possible
> (and recommended) to avoid scanning of files that are predefined as "Safe"
> (or files that are not defined as "Dangerous"). It would often be redundant
> to scan each and every file which goes through the system.

The fact that ESP does not allow a security officer to make a company
strategy but forces a strategy upon its customers is dangerous and for
some clients unacceptable.

> It is agreed that file renaming is a common action that can be easily
> performed by anyone who can use an alphanumeric keyboard, but if a hacker
> sends an infected executable file masqueraded with a "TXT" or an "MPG"
> extension, it is the user's job to get the file, save it to his local disk,
> rename it to a valid executable, and then run it. Such a user can also
> bring an infected floppy disk from home and spread a virus in the company's
> internal network, or format his own hard disk manually. The damage and the
> user's involvement in damaging the system would be more or less equivalent.

Using a system without floppy drives and using an operating system that
does not allow users to do such harmful activities is a path chosen by
some companies.

Telling someone they should not put a lock on the front door because they
may have an open back door is a poor excuse for a locksmith that was ordered
to secure the front door.

> In conclusion, Mr. Van der Kooij has insinuated that according to eSafe
> there is "No fix available". The subject described above is not a bug, nor
> a security problem. Hence, no fix is needed. eSafe Gateway provides
> excellent security and safe network environments.

Unfortunately your Dutch office does not concur nor does your development
centre. The Dutch office informed me the issue is now known by the ID
DR/047 and is being handled by the development crew.

The overall message you are sending is that we should be confident that any
file passed through uninspected can't be harmful in any way. However my
customers don't agree and find this unacceptable, and so do I.

The purpose of the BugTraq mailing list is to inform people of known
problems and, if possible, of solutions or at least of workarounds.
Unfortunately there is no usable workaround.

My customers don't just expect that they will not be harmed by a virus but
that a maximum effort is made to prevent any harmful activities. At
present ESP does not live up to that expectation because someone made a
choice that they find an unacceptable security breach.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij@caiw.nl	http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial)
    email is a clear intrusion of my privacy and illegal!
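An added illustration of the design point argued in this thread, not code from the post or from eSafe: a gateway policy that skips scanning by extension lets a renamed executable through, whereas a policy that also sniffs the content (here, the DOS "MZ" header and the "PE\0\0" signature) still sends it to the scanner. The "Safe" extension list, the file names and the sample bytes are constructed for the example.

```python
import struct

# Constructed sample "files" (not from the original post): a plain text note and a
# minimal blob carrying only the MZ / PE\0\0 signatures, as if renamed to .txt.
TEXT_FILE = b"Hello, this is a plain text note.\n"
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 16

# Extensions "predefined as Safe" in the sense of the vendor reply (constructed list).
SAFE_EXTENSIONS = {"txt", "mpg", "jpg"}


def scan_by_extension(name: str, data: bytes) -> bool:
    """Policy criticised in the thread: skip the scanner when the extension is 'Safe'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in SAFE_EXTENSIONS


def looks_like_pe(data: bytes) -> bool:
    """Content check: DOS 'MZ' header whose e_lfanew (offset 60) points at 'PE\\0\\0'."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_by_content(name: str, data: bytes) -> bool:
    """Hardened policy: the extension is only a hint; executable content is always scanned."""
    return looks_like_pe(data) or scan_by_extension(name, data)


if __name__ == "__main__":
    for fname, blob in (("notes.txt", TEXT_FILE), ("notes.txt", PE_STUB), ("tool.exe", PE_STUB)):
        print(fname, "extension policy scans:", scan_by_extension(fname, blob),
              "content policy scans:", scan_by_content(fname, blob))
```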
