[14415] in bugtraq


Re: Esafe Protect Gateway (CVP) does not scan virus under some

daemon@ATHENA.MIT.EDU (Eric Chien)
Fri Mar 24 17:38:47 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.6.32.20000324122038.00a19ce0@mail.jps.net>
Date:         Fri, 24 Mar 2000 12:20:38 +0100
Reply-To: Eric Chien <ecchien@JPS.NET>
From: Eric Chien <ecchien@JPS.NET>
X-To:         Hugo.van.der.Kooij@CAIW.NL, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10003231942360.32547-100000@bastion.hugo.vanderkooij.org>

Hello,

At 08:17 PM 3/23/2000 +0100, Hugo.van.der.Kooij@CAIW.NL wrote:
>On Thu, 23 Mar 2000 alonr@eAladdin.com wrote:

>> scanned for viruses, thus creating security holes. eSafe believes that
>> relying on file extension in order to avoid threats and virus assaults is
>> highly efficient. This is definitely not due to a "flawed design". We, at
>> eSafe, believe that it is possible to achieve a high level of security and
>> privacy, while relying on the files extensions. In order to gain good

As mentioned in previous threads, Word documents do NOT require a do?
extension to spawn Word on a double-click.  Word documents can have any (or
no) extension.  We saw W97M.Melissa.I (I think<?>) spread around with the
extension ".i" (coincidentally).

>> It is agreed that files renaming is a common action that can be easily
>> performed by anyone who can use an alphanumeric keyboard, but if a hacker
>> sends an infected executable file masqueraded with a "TXT" or an "MPG"
>> extension, it is the user's job to get the file, save it to his local disk,
>> rename it to a valid executable, and then run it. Such a user can also

Agreed, a user must purposely rename the file in the above cases.  But not
in a Word document case.  In addition, new 'unsafe' extensions come about
every day.  VBS, HTA, etc.

Obviously, not in eSafe's case based on this thread, and not necessarily
speaking for any particular vendor, but I believe most vendors understand
that while utilizing file extensions was previously 'good enough', it isn't
really any longer.  Most products are undergoing (some already do it) file
typing based on the header.  Otherwise, utilize Scan All Files.  Should all
products do file typing?  Yes and no.  If utilizing Scan All Files doesn't
incur any more major performance hit then I'm not sure it matters.  But
obviously, if they implement it, the product will probably be even faster
(than when using Scan All Files).

...Eric
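
The following is an added example, not part of the original message and not any vendor's code: it contrasts selecting files for scanning by extension with selecting them by header, using constructed samples. The extension list, function names and the fail-closed handling of unrecognised headers are assumptions made for illustration.

```python
import os

# Hypothetical extension-only policy (constructed for this example).
SCAN_EXTENSIONS = {".exe", ".com", ".doc", ".dot", ".xls"}

# Leading bytes of formats that can carry code or macros.
RISKY_MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-document",  # Word/Excel 97 container
    b"MZ": "dos-or-pe-executable",
}
# Leading bytes of formats this sketch treats as safe to skip.
BENIGN_MAGIC = {
    b"\x00\x00\x01\xba": "mpeg-program-stream",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

def scan_by_extension(filename):
    """Extension-only decision: scan if the suffix is on the list."""
    return os.path.splitext(filename)[1].lower() in SCAN_EXTENSIONS

def type_from_header(data):
    """Return (type_name, must_scan) from the leading bytes of the file."""
    for magic, name in RISKY_MAGIC.items():
        if data.startswith(magic):
            return name, True
    for magic, name in BENIGN_MAGIC.items():
        if data.startswith(magic):
            return name, False
    # Unrecognised content (text scripts such as VBS/HTA land here):
    # fail closed and scan, i.e. behave like Scan All Files.
    return None, True

def scan_by_header(data):
    return type_from_header(data)[1]

# Constructed samples: name -> first bytes of the file.
SAMPLES = {
    "report.i":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # Word doc, odd extension
    "movie.mpg": b"MZ\x90\x00\x03\x00",                              # executable renamed .mpg
    "clip.mpg":  b"\x00\x00\x01\xba\x21\x00",                        # genuine MPEG stream
    "note.vbs":  b"MsgBox 1\r\n",                                    # script, extension not listed
}

def compare(samples=SAMPLES):
    """Map each name to (extension_says_scan, header_says_scan)."""
    return {n: (scan_by_extension(n), scan_by_header(d)) for n, d in samples.items()}

if __name__ == "__main__":
    for name, (by_ext, by_hdr) in compare().items():
        print(f"{name:10} extension={by_ext!s:5} header={by_hdr}")
```

Only the genuine MPEG sample is skipped by the header check, which is where the speed advantage over Scan All Files comes from; the extension-only policy skips all four.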
