[15406] in bugtraq


Re: NAI WebShield SMTP does not scan base64 encoding

daemon@ATHENA.MIT.EDU (chris.paget@ANALYSYS.COM)
Tue Jun 20 16:56:34 2000

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <3950bada.11234837@eagle.analysys.com>
Date:         Tue, 20 Jun 2000 18:52:28 GMT
Reply-To: chris.paget@ANALYSYS.COM
From: chris.paget@ANALYSYS.COM
X-To:         "Fronck, Destry" <DFronck@FDIC.gov>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <A77C85E8B7BCD0118AD9080009DC786D05069251@s01exc101.fdic.gov>
Content-Transfer-Encoding: 8bit

MS-TNEF is not used at any point in the process; neither is Outlook,
nor Rich Text.  The messages are plain text (a renamed copy of my
autoexec.bat) being sent using Forte Agent - nothing Microsoft.  The
MIME types I have tried include application/octet-stream and
text/plain - in neither case is the VBS / SHS file blocked.  The only
difference that I can see between this setup and another machine using
Outlook (from which messages get blocked) is the encoding type -
base64 instead of 8bit.
If the attachment is indeed a known virus, it appears to be detected
and cleaned; however, I am trying to block ALL potentially malicious
attachments, and base64 encoding appears to circumvent those checks.

Chris
-- 
Chris Paget
Software Engineer, Analysys LTD.

chris.paget@analysys.com
mad.nutter@mindless.com


On Tue, 20 Jun 2000 14:37:46 -0400, you wrote:

>Chris,
>This problem is not caused by base64 encoding. It is caused by the message
>being encoded in MS-TNEF (Microsoft Transport Neutral Encapsulation Format)
>and then getting base64 encoded. MS-TNEF is used when Outlook sends Rich
>Text information over the Internet.
>
>NAI knows that this is a problem but they have been unable to fix it. Here's
>my message to NAI and their response.
>-------------------------------
>-----Original Message-----
>From:	Jon
>Sent:	Tuesday, May 09, 2000 7:55 PM
>To:	Fronck, Destry
>Subject:	RE: Webshield smtp 4.03 virus gateway
>
>Destry,
>
>I talked to the Webshield guys and they said you are completely correct.
>Not only that but NO company can scan those files including ours. They
>did provide an article that may be of help to you.
>
><<WebShield_MS-TNEF.doc>>
>
>Thanks
>
>Jon
>--------------------------------------
>Network Associates
>Who's watching your network?
>-------------------------------------
>
>-----Original Message-----
>From:	Fronck, Destry [mailto:DFronck@FDIC.gov]
>Sent:	Monday, May 08, 2000 7:38 AM
>To:	Jon
>Cc:	FDIC-CSIRT
>Subject:	Webshield smtp 4.03 virus gateway
>Importance:	High
>
>Jon, I have discovered a problem with the WebShield smtp 4.03 virus gateway
>for NT. We have had several instances of the ILOVEYOU virus getting past the
>virus gateway. All of these were detected by the VShield 4.03 desktop
>scanner. Both products are running the same dat files; 4076 and the latest
>extra.dat.
>
>The problem is that the gateway does not appear to scan MS-TNEF (Microsoft
>Transport Neutral Encapsulated Format) content. This content is typically
>encapsulated in MIME like so
>
>------_=_NextPart_000_01BFB8C1.7FC25C8A
>Content-Type: application/ms-tnef
>Content-Transfer-Encoding: base64
>
>Can you verify this?
>Does WebShield 4.5 fix this? Can you verify this?
>
>Thanks,
>Destry Fronck
>-----------------------------------------------
>Thanks,
> Destry Fronck
>
>-----Original Message-----
>From:	chris.paget@ANALYSYS.COM [mailto:chris.paget@ANALYSYS.COM]
>Sent:	Tuesday, June 20, 2000 9:08 AM
>To:	BUGTRAQ@SECURITYFOCUS.COM
>Subject:	NAI WebShield SMTP does not scan base64 encoding
>
>While investigating today's virus outbreak (Stages.Worm), I noticed
>that our email virus scanner (NAI WebShield SMTP 4.5, engine 4.0.50,
>DAT 4.0.4082, 14/06/00) was not picking up all attachments.
>The server is configured to block all SHS, VBS, etc attachments, and
>notify the sender.  However, when these are sent as Base64 encoding
>(rather than 8-bit), they are passed by the server, and could
>potentially infect the network.  8-bit attachments are successfully
>scanned (and blocked if necessary).
>
>Chris
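The failure the thread describes is a gateway whose attachment policy depends on the Content-Transfer-Encoding it happens to see: an 8bit body is inspected, a base64 body of the same file is not. The check below, an added example that is not code from the post, from NAI or from WebShield, builds the same message twice (8bit and base64), shows that a wire-level pattern match only catches the 8bit copy, and then applies the extension block list and content check after decoding every MIME part, treating an application/ms-tnef part as a container that must be blocked if it cannot be unpacked. The blocked-extension set and the byte signature are constructed for the example; the signature is a stand-in, not a real DAT pattern.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed policy mirroring the gateway rule in the thread: these extensions are blocked outright.
BLOCKED_EXTENSIONS = {".vbs", ".shs", ".bat", ".exe"}
# Constructed stand-in for an AV content pattern (hypothetical, not a real DAT signature).
SIGNATURE = b'CreateObject("Scripting.FileSystemObject")'


def build_message(filename: str, cte: str) -> bytes:
    """Construct a test message with one attachment under the given Content-Transfer-Encoding."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "test"
    msg.set_content("see attachment")
    msg.add_attachment(b"Set fso = " + SIGNATURE + b"\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=filename, cte=cte)
    return msg.as_bytes()

def naive_scan(raw: bytes) -> bool:
    """Pattern-match the wire bytes only: sees 8bit bodies, blind to base64 (the thread's failure)."""
    return SIGNATURE in raw

def decode_then_scan(raw: bytes) -> list[str]:
    """Decode every leaf part per its own CTE first, then apply the extension policy and signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "application/ms-tnef":
            # TNEF is an opaque container; if it cannot be unpacked it cannot be cleared.
            verdicts.append("BLOCK application/ms-tnef: un-inspectable container")
            continue
        name = part.get_filename()
        if name is None:
            continue
        data = part.get_payload(decode=True)  # undoes base64/quoted-printable; 8bit passes through
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            verdicts.append(f"BLOCK {name}: extension policy")
        elif SIGNATURE in data:
            verdicts.append(f"BLOCK {name}: signature match")
        else:
            verdicts.append(f"PASS {name}")
    return verdicts
```

The verdict for the .vbs attachment is the same whichever encoding the sender chose, which is the property the gateway in the thread lacked.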
