[14434] in bugtraq
Re: Esafe Protect Gateway (CVP) does not scan virus under some
daemon@ATHENA.MIT.EDU (Ian Turner)
Tue Mar 28 11:54:27 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10003272213550.12646-100000@crafter.house>
Date:         Mon, 27 Mar 2000 22:15:21 -0800
Reply-To: vectro@PIPELINE.COM
From: Ian Turner <vectro@PIPELINE.COM>
X-To:         "Lea, Michael" <MLea@MPI.MB.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <C0E5077572DCD211812B00A0C95A0A1F0285DA20@NTEXCH01>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> At a bare minimum, the eSafe Gateway should give the option of scanning all
> files, regardless of MIME type.  Ideally, it would also have the option of
> examining the CONTENT of the file to determine whether or not it is worth
> scanning.  Using "magic numbers" to identify files is nothing new.  Unix
> people can take a look at the "file" which has been using this concept to
> identify file types almost since the beginning of time.

The problem with magic is that it can be forged. It would be fairly
straightforward to come up with a virus or trojan that had the magic of a
PDF file: Just have a JMP instruction at the beginning to skip over the
magic.

No, everything should be scanned, no matter what. Unfortunately there are
performance issues associated with this strategy.

Ian Turner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE44E37fn9ub9ZE1xoRAqbeAKCt4FPMntKQ7XDvBM7g3sMttHO1SwCg4LjB
S6rISjUSXa3msVCkgf309Xc=
=O8wX
-----END PGP SIGNATURE-----
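
The trade-off discussed in this message, as an added example that is not part of the original post or of any eSafe code: a gateway policy that skips scanning when the leading bytes look like a "safe" type, next to a scan-everything policy. All names, the magic table, the signature marker and the sample byte strings are constructed for illustration.

```python
# Added illustration; every name and byte string here is constructed.
MAGIC = {b"%PDF-": "pdf", b"GIF8": "gif", b"MZ": "executable"}
TRUSTED = {"pdf", "gif"}  # types a magic-trusting gateway would skip

# Harmless stand-in for an antivirus signature database.
SIGNATURES = {"TEST-MARKER": b"CONSTRUCTED-TEST-SIGNATURE"}

def sniff(data):
    """Classify by leading bytes only, as a magic-number check does."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def scan(data):
    """Full-content scan: look for every signature anywhere in the data."""
    return sorted(n for n, pat in SIGNATURES.items() if pat in data)

def magic_policy(data):
    """Skip the scan when the magic says the type is 'safe'."""
    if sniff(data) in TRUSTED:
        return {"scanned_bytes": 0, "hits": []}
    return {"scanned_bytes": len(data), "hits": scan(data)}

def scan_all_policy(data):
    """Scan everything, whatever the leading bytes claim."""
    return {"scanned_bytes": len(data), "hits": scan(data)}

def missed_by_magic(samples):
    """Samples that scan-all flags but the magic policy lets through."""
    return sorted(name for name, data in samples.items()
                  if scan_all_policy(data)["hits"]
                  and not magic_policy(data)["hits"])

def total_scanned(policy, samples):
    """Bytes a policy actually inspects: the performance side of the choice."""
    return sum(policy(d)["scanned_bytes"] for d in samples.values())

SIG = SIGNATURES["TEST-MARKER"]
SAMPLES = {  # constructed inputs
    "report.pdf": b"%PDF-1.3\n" + b"x" * 4000,
    "forged.pdf": b"%PDF-1.3\n" + b"x" * 4000 + SIG,
    "tool.exe": b"MZ" + b"\x00" * 200 + SIG,
}

if __name__ == "__main__":
    print("missed by magic policy:", missed_by_magic(SAMPLES))
    print("bytes scanned (magic):", total_scanned(magic_policy, SAMPLES))
    print("bytes scanned (all):  ", total_scanned(scan_all_policy, SAMPLES))
```

The magic-trusting policy inspects far fewer bytes but passes the sample whose first bytes claim PDF; the scan-all policy catches it at the cost of reading every file in full.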