NAI ftp server is case sensitive - GroupShield 5.2 stops updating

• Previous message: Ivan Jones: "Running IE with decreased privileges"
• Next in thread: Russ: "FW: NAI ftp server is case sensitive - GroupShield 5.2 stops updating"
• Maybe reply: Russ: "FW: NAI ftp server is case sensitive - GroupShield 5.2 stops updating"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Fri, 14 Jan 2005 09:52:49 +1000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

NAI/McAfee have recently updated their FTP server to be case-sensitive and
this affects GS5.2 updates (via proxy servers).

GS5.2 is configures to request updates from
ftp.nai.com/pub/antivirus/datfiles/4.x. It automatically requests DELTA.INI
(uppercase) from that directory.

From our proxy logs, GS 5.2 make the following request (note the
TCP_MISS/404 errors):

192.168.1.250 TCP_MISS/404 1406 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
DIRECT/208.254.18.147 text/html

192.168.1.250 TCP_MISS/404 1406 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
DIRECT/208.254.18.148 text/html

192.168.1.250 TCP_MISS/200 222 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x - DIRECT/208.254.18.147
text/html

The third entry in the proxy log I presume is a directory listing request -
which does not produce a listing I presume because it should have a trailing
'/'. A manual request from a proxy server using telnet shows that only a
host header is returned.

To verify the existence of the file, their FTP server shows the following:

ftp> cd /pub/antivirus/datfiles/4.x
...
ftp> ls
...
150 Opening ASCI mode data connection for /pub/antivirus/datfiles/4.x/.
...
-rw-rw-rw- 1 0 0 1303 Jan 12 10:25 delta.ini

I am reviewing the issue with NAI support now, and am trying to get to the
bottom of it. Has anyone else noticed?

Regards
 Richard Carde

--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--

• Previous message: Ivan Jones: "Running IE with decreased privileges"
• Next in thread: Russ: "FW: NAI ftp server is case sensitive - GroupShield 5.2 stops updating"
• Maybe reply: Russ: "FW: NAI ftp server is case sensitive - GroupShield 5.2 stops updating"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]