NAI ftp server is case sensitive - GroupShield 5.2 stops updating

From: Richard Carde (rcarde_at_OPTUSHOME.COM.AU)
Date: 01/14/05

    Date:         Fri, 14 Jan 2005 09:52:49 +1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    NAI/McAfee have recently updated their FTP server to be case-sensitive and
    this affects GS5.2 updates (via proxy servers).

    GS5.2 is configured to request updates from
    ftp.nai.com/pub/antivirus/datfiles/4.x. It automatically requests DELTA.INI
    (uppercase) from that directory.

    From our proxy logs, GS 5.2 makes the following request (note the
    TCP_MISS/404 errors):

    192.168.1.250 TCP_MISS/404 1406 GET
    ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
    DIRECT/208.254.18.147 text/html

    192.168.1.250 TCP_MISS/404 1406 GET
    ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
    DIRECT/208.254.18.148 text/html

    192.168.1.250 TCP_MISS/200 222 GET
    ftp://ftp.nai.com/pub/antivirus/datfiles/4.x - DIRECT/208.254.18.147
    text/html

    The third entry in the proxy log I presume is a directory listing request -
    which does not produce a listing I presume because it should have a trailing
    '/'. A manual request from a proxy server using telnet shows that only a
    host header is returned.

    To verify the existence of the file, their FTP server shows the following:

    ftp> cd /pub/antivirus/datfiles/4.x
    ...
    ftp> ls
    ...
    150 Opening ASCI mode data connection for /pub/antivirus/datfiles/4.x/.
    ...
    -rw-rw-rw- 1 0 0 1303 Jan 12 10:25 delta.ini

    I am reviewing the issue with NAI support now, and am trying to get to the
    bottom of it. Has anyone else noticed?

    Regards
     Richard Carde

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
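
The check described in the message, automated as an added example (not part of the original post or any McAfee/NAI tooling): it reads the proxy log entries and the FTP listing line quoted above and reports 404s where the requested file exists on the server under a different case. It assumes the log field layout shown in the post, file names without spaces, and a listing taken from the same directory as the request; the function names are hypothetical.

```python
import posixpath
from urllib.parse import urlsplit

# Proxy log entries from the post above, re-joined onto one line each.
PROXY_LOG = [
    "192.168.1.250 TCP_MISS/404 1406 GET ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI - DIRECT/208.254.18.147 text/html",
    "192.168.1.250 TCP_MISS/404 1406 GET ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI - DIRECT/208.254.18.148 text/html",
    "192.168.1.250 TCP_MISS/200 222 GET ftp://ftp.nai.com/pub/antivirus/datfiles/4.x - DIRECT/208.254.18.147 text/html",
]
# Directory listing line from the post's FTP session.
FTP_LISTING = ["-rw-rw-rw- 1 0 0 1303 Jan 12 10:25 delta.ini"]


def parse_entry(line):
    """Split one log entry in the field layout shown in the post."""
    fields = line.split()
    status = fields[1].rpartition("/")[2] if len(fields) >= 8 else ""
    if not status.isdecimal():
        return None  # truncated or foreign line
    return {"client": fields[0], "status": int(status), "url": fields[4]}


def listed_names(listing):
    """File name is the last column of a Unix-style listing line."""
    return [ln.split()[-1] for ln in listing if ln.strip()]


def case_mismatches(log_lines, listing):
    """Return (client, requested, on_server, hits) for 404s explained by case."""
    by_folded = {name.lower(): name for name in listed_names(listing)}
    hits = {}
    for line in log_lines:
        entry = parse_entry(line)
        if not entry or entry["status"] != 404:
            continue
        parts = urlsplit(entry["url"])
        if parts.scheme != "ftp":
            continue
        requested = posixpath.basename(parts.path)
        actual = by_folded.get(requested.lower())
        if actual is not None and actual != requested:
            key = (entry["client"], requested, actual)
            hits[key] = hits.get(key, 0) + 1
    return [key + (count,) for key, count in hits.items()]


if __name__ == "__main__":
    for client, requested, actual, count in case_mismatches(PROXY_LOG, FTP_LISTING):
        print(f"{client}: {count}x 404 for {requested!r}; server has {actual!r}")
```

Run against the entries quoted in the post, it groups the two DELTA.INI failures under the one client and ignores the 200 response for the directory URL.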
    
