[14431] in bugtraq
Re: Esafe Protect Gateway (CVP) does not scan virus under some
daemon@ATHENA.MIT.EDU (Alon Rotem)
Tue Mar 28 01:22:32 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <OFEA810AFB.54D1B24A-ON422568AE.0046EC86@aladdin.co.il>
Date:         Sun, 26 Mar 2000 14:57:11 +0200
Reply-To: alonr@EALADDIN.COM
From: Alon Rotem <alonr@EALADDIN.COM>
X-To:         "Lea, Michael" <MLea@mpi.mb.ca>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
Please let me correct you: attachments for emails that are sent in an HTML
format (i.e. in "text/html") are scanned according to your eSafe Gateway
policy rules. Thus, your predicted scenario will fail.
            Sincerely,
                Alon Rotem
On 24/03/2000 16:17:52 CST "Lea, Michael" wrote:
>
>Alon Rotem wrote:
>> As I wrote in my reply, if you are afraid of such incidents, you may
>> configure eSafe Gateway to scan each and every file, regardless of their
>> extension. Of course this will have an effect on your network performance,
>> since the majority of files going through the net are not harmful.
>> A worried administrator can implement this alternative configuration within
>> seconds. There is no 100% security, but eSafe Gateway offers a very good,
>> very reliable, solution for any network administrator.
>
>If it was as simple as setting eSafe to scan all file extensions, I don't
>think anybody would have a problem.  But what some people seem to be missing
>here is the second part of Hugo's message:
>
>Hugo van der Kooij wrote:
>> The problem is that anything with the MIME type set to TEXT/HTML will not
>> be scanned regardless of the options recommended above.
>
>Even if the eSafe Gateway is configured to check all file-types, it still
>passes through files with a MIME type of text/html, regardless of extension.
>There doesn't seem to be a way of turning this off and scanning all MIME
>types.
>
>People also seem to be missing the fact that this affects not only HTTP
>traffic, but also e-mail messages.
>
>Here's an easy illustration, that doesn't require any abnormal intervention
>on the part of the "victim".  An attacker sends a document infected with his
>favorite macro virus to his victim in an e-mail message.  The attachment is
>identified with a MIME type of text/html, so the eSafe Gateway passes it
>through unchallenged.  The victim double-clicks on the attachment and the
>mail client opens the document in the appropriate program, possibly without
>any warnings whatsoever (Outlook 97 doesn't prompt for MS Office documents
>... others?).  Voila!  You've just infected your first victim.
>
>At a bare minimum, the eSafe Gateway should give the option of scanning all
>files, regardless of MIME type.  Ideally, it would also have the option of
>examining the CONTENT of the file to determine whether or not it is worth
>scanning.  Using "magic numbers" to identify files is nothing new.  Unix
>people can take a look at "file", which has been using this concept to
>identify file types almost since the beginning of time.
>
>I hope everybody's got current anti-virus signatures on their workstations.
>:-(
>
>Michael Lea
>Information Security
>Manitoba Public Insurance
>Phone: (204) 985-8224
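The content-based check that Michael Lea asks for at the end of his message (decide whether to scan by looking at the file's leading bytes, the way the Unix "file" utility does, rather than trusting the declared MIME type) can be sketched in a few lines. The following is an added illustration written for this archive page; it is not code from the thread, from eSafe, or from any gateway product. The magic-number table, the set of MIME types treated as skippable, the function names and the sample message with its fake OLE2 attachment are all constructed for the example.

```python
import base64
import email
from email import policy

# Leading-byte signatures ("magic numbers") for a few common container
# formats. Constructed for this example; a real gateway would use a full
# magic database such as the one behind the Unix file(1) utility.
MAGIC_TABLE = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),  # OLE2: legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "application/zip"),                                 # ZIP (also OOXML, JAR)
    (b"MZ", "application/x-dosexec"),                                   # DOS/Windows executable
    (b"%PDF-", "application/pdf"),
]

# Declared MIME types a gateway policy might treat as "just text" and skip.
# Assumed policy for the example, modelled on the behaviour described above.
SKIP_BY_DECLARED_TYPE = {"text/html", "text/plain"}


def sniff_content_type(data: bytes):
    """Identify a payload by its leading bytes, ignoring any declared type."""
    for magic, mime in MAGIC_TABLE:
        if data.startswith(magic):
            return mime
    return None


def scan_decision(declared_type: str, data: bytes):
    """Decide whether a MIME part must go to the virus scanner.

    Returns (decision, reason). A declared text/* type only exempts a part
    when the content sniff finds no known binary container behind it.
    """
    sniffed = sniff_content_type(data)
    if sniffed is not None:
        if declared_type in SKIP_BY_DECLARED_TYPE:
            # A binary container wearing a text label: the declared type lies.
            return "scan", f"declared {declared_type} but content is {sniffed}"
        return "scan", f"binary container {sniffed}"
    if declared_type in SKIP_BY_DECLARED_TYPE:
        return "skip", f"declared {declared_type}, no known binary signature"
    return "scan", "unknown content, scan by default"


def triage_message(raw: bytes):
    """Walk every leaf MIME part; return [(filename, declared, decision, reason)]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        decision, reason = scan_decision(declared, payload)
        results.append((part.get_filename() or "(body)", declared, decision, reason))
    return results


# Constructed sample: an HTML body plus an attachment that carries an OLE2
# header (the legacy Office container) but is labelled text/html.
_FAKE_OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # header only, not a real document

SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html><body>See attached.</body></html>\r\n"
    b"--XYZ\r\n"
    b'Content-Type: text/html; name="report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="report.doc"\r\n'
    b"\r\n"
    + base64.encodebytes(_FAKE_OLE_DOC) +
    b"--XYZ--\r\n"
)

if __name__ == "__main__":
    for row in triage_message(SAMPLE_MESSAGE):
        print(row)
```

Run as-is, the HTML body is skipped under the declared-type policy, while the attachment is sent to the scanner because its first eight bytes say OLE2 no matter what the Content-Type header claims. The decision is made on the decoded payload, so a Content-Transfer-Encoding of base64 does not hide the signature.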