[14429] in bugtraq
Re: Esafe Protect Gateway (CVP) does not scan virus under some
daemon@ATHENA.MIT.EDU (Hugo.van.der.Kooij@CAIW.NL)
Tue Mar 28 01:09:16 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10003242307110.5492-100000@bastion.hugo.vanderkooij.org>
Date: Fri, 24 Mar 2000 23:17:17 +0100
Reply-To: Hugo.van.der.Kooij@CAIW.NL
From: Hugo.van.der.Kooij@CAIW.NL
X-To: alonr@eAladdin.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <OFBBC65135.0F598D65-ON422568AC.00318494@aladdin.co.il>
On Fri, 24 Mar 2000 alonr@eAladdin.com wrote:
> >On Thu, 23 Mar 2000 alonr@eAladdin.com wrote:
> >
> >> The trade-off between performance and protection sufficiency is a well
> >> known issue in the world of data security. As suggested by Mr. Van der
> >> Kooij, it is possible to make files go through eSafe Gateway without
> >> being scanned for viruses, thus creating security holes. eSafe believes
> >> that relying on file extension in order to avoid threats and virus
> >> assaults is highly efficient. This is definitely not due to a "flawed
> >> design". We, at eSafe, believe that it is possible to achieve a high
> >> level of security and privacy, while relying on file extensions. In
> >> order to gain good security, and, at the same time, good network
> >> performance, it is possible (and recommended) to avoid scanning of files
> >> that are predefined as "Safe" (or files that are not defined as
> >> "Dangerous"). It would often be redundant to scan each and every file
> >> which goes through the system.
> >
> >The fact that ESP does not allow a security officer to make a company
> >strategy but forces a strategy upon its customers is dangerous and for
> >some clients unacceptable.
>
> You may have overlooked the paragraph prior to that one: It is possible to
> inspect each and every file on the system. eSafe Gateway allows any system
> administrator to implement any company security policy. Again, we believe that
> cutting down the number of files which are defined as dangerous is an
> optimal balance, but a worried administrator can avoid that policy and
> suspect any file regardless of its extension.
The lab tests performed by my client and duplicated in my own lab have
proven that any file using the MIME header TEXT/HTML is passed without
verification regardless of the extension. We used all settings as
advocated by your Dutch office to stop and scan ALL files.
Using another vendor's CVP server I was able to verify the issue was not a
FireWall-1 problem but in fact that of the ESPG CVP server. Trend Micro
did find the virus in both TEXT/PLAIN and TEXT/HTML MIME types.
I suggest you try the case with HTTP resources on a FireWall-1 v4.0 SP4
installed on a Nokia IP-440 with IPSO v3.2.0 to duplicate the test before
claiming to be bugfree.
I also suggest you verify things with the Dutch office where I did report
the issue some time ago.
Hugo.
--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij@caiw.nl http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial)
email is a clear intrusion of my privacy and illegal!