Re: Antigen for Exchange w/SSM 2.0 beta

From: Matt Cohen (mcohen_at_EXC.SYBARI.COM)
Date: 10/28/03

  • Next message: Jeff Moss: "Black Hat Briefings Announcement"

    Date: Tue, 28 Oct 2003 16:46:40 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    In response to the Antigen for Exchange w/SSM 2.0 beta issue, Antigen will scan a file for a configurable value, which defaults to 2 1/2 minutes. This is for the internet scan as well as the realtime scan. At that point, if we have not yet completed the scan you can configure Antigen to handle these messages in one of three ways via our General Options panel.

    1. Skip, Detect Only
    2. Ignore
    3. Delete

    So, in the rare event that a large zip file, for example, comes through the
    environment and contains a malicious file, we can defend against it.

    The administrator also has the ability to change the amount of time Antigen
    scans a file before this occurs. There are two hidden registry keys that
    can be added to do this:

    Internettimeout
    Realtimetimeout

    If desired, you can add these keys to the registry (
    HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange)
    and define, in milliseconds, our scan time. Again, by default, it is
    150,000 milliseconds (2 1/2 minutes).

    -----Original Message-----
    From: Joe Chromcik [mailto:JChromcik@MIDDLEATLANTIC.COM]
    Sent: Tuesday, October 14, 2003 10:45 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Antigen for Exchange w/SSM 2.0 beta

    I am involved with a beta test of Antigen for Exchange w/SSM 2.0 and
    received the following error:

    Antigen real-time scan timed out and recovered. Please contact Sybari.

    Further investigation into the programlog.txt file revealed:

    Wed Oct 08 19:37:05 2003 (1312), "ERROR: Real-time scan exceeded the allotted scan time limit"

    I contacted Sybari tech support and was told the following:

    Any time Antigen aborts on a file due to size, it is not infected. There are
    no worms/viruses that are written in code so large we can not finish
    scanning it. We have had zero incidents of infection due to us letting a
    file through that was humongous and contained malicious code.
    I guess Antigen is relying on the Exchange box having limits set up.


    ----
    NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    code "NT1003" when registering to take the TICSA exam at www.2test.com.
    Prove to your employer and peers that you have the knowledge and
    abilities to be an active stakeholder in today's enterprise security.
    Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
    12/31/03 and cannot be used in combination with other offers.
    ----
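The reply above gives an administrator two knobs to audit: the scan time limit (the hidden Internettimeout and Realtimetimeout values, in milliseconds, under HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange, default 150,000) and the programlog.txt entries that record when that limit was hit. The following PowerShell is an added example written for this archive page; it is not code from either poster or from Sybari. It assumes the two registry values are stored as REG_DWORD (the thread does not state the type) and that every timeout entry in programlog.txt follows the format of the single line Joe Chromcik quoted; the second sample log line is constructed.

```powershell
# Added example, not from the original thread or from Sybari.
# Assumptions: timeout values are REG_DWORD; programlog.txt timeout lines
# share the format of the one line quoted in the thread.

$AntigenKey       = 'HKLM:\SOFTWARE\Sybari Software\Antigen for Exchange'
$DefaultTimeoutMs = 150000   # 2 1/2 minutes, the default stated in the reply

function Get-AntigenScanTimeout {
    # Reports the effective limit for both scan types. A missing value means
    # the product default applies; the object says which one is in force.
    foreach ($name in 'Internettimeout', 'Realtimetimeout') {
        $value = $null
        if (Test-Path -LiteralPath $AntigenKey) {
            $value = (Get-ItemProperty -LiteralPath $AntigenKey -Name $name `
                      -ErrorAction SilentlyContinue).$name
        }
        if ($null -eq $value) { $ms = $DefaultTimeoutMs; $source = 'default' }
        else                  { $ms = [int]$value;       $source = 'registry' }
        [pscustomobject]@{
            Name         = $name
            Source       = $source
            Milliseconds = $ms
            Minutes      = [math]::Round($ms / 60000, 2)
        }
    }
}

function Set-AntigenScanTimeout {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Internettimeout', 'Realtimetimeout')]
        [string]$Name,
        [Parameter(Mandatory)]
        [ValidateRange(1000, 3600000)]   # 1 second to 1 hour: sanity bounds chosen here
        [int]$Milliseconds
    )
    # Creates the key if it is absent and writes the value as REG_DWORD (assumed type).
    if (-not (Test-Path -LiteralPath $AntigenKey)) {
        New-Item -Path $AntigenKey -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $AntigenKey -Name $Name -PropertyType DWord `
                     -Value $Milliseconds -Force | Out-Null
}

function Find-AntigenScanTimeout {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # Matches lines shaped like the one quoted in the thread:
    #   Wed Oct 08 19:37:05 2003 (1312), "ERROR: Real-time scan exceeded the allotted scan time limit"
    $pattern = '^(?<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \((?<tid>\d+)\), ' +
               '"ERROR: (?<kind>.+?) scan exceeded the allotted scan time limit"'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($Matches.ts, 'ddd MMM dd HH:mm:ss yyyy',
                                                   [cultureinfo]::InvariantCulture)
                ThreadId  = [int]$Matches.tid
                ScanType  = $Matches.kind
            }
        }
    }
}

# Constructed sample: the first line is the one quoted in the thread, the
# second is an invented non-matching line to show that it is ignored.
$sampleLog = @(
    'Wed Oct 08 19:37:05 2003 (1312), "ERROR: Real-time scan exceeded the allotted scan time limit"',
    'Wed Oct 08 19:38:11 2003 (1312), "Real-time scan completed"'
)

Find-AntigenScanTimeout -LogLines $sampleLog | Format-Table
Get-AntigenScanTimeout | Format-Table
# Against a real log:  Find-AntigenScanTimeout -LogLines (Get-Content .\programlog.txt)
# Raising the limit:   Set-AntigenScanTimeout -Name Realtimetimeout -Milliseconds 300000
```

Each timeout event in the log is a message that reached the configured fallback (Skip, Ignore or Delete) without a finished scan, so counting them per day alongside the effective limit is a quick way to decide whether the default 150,000 ms is adequate for the attachment sizes a given Exchange server actually sees.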