NAI ftp server is case sensitive - GroupShield 5.2 stops updating

From: Richard Carde (rcarde_at_OPTUSHOME.COM.AU)
Date: 01/14/05

  • Next message: Russ: "FW: NAI ftp server is case sensitive - GroupShield 5.2 stops updating"
    Date:         Fri, 14 Jan 2005 09:52:49 +1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    NAI/McAfee have recently updated their FTP server to be case-sensitive and
    this affects GS5.2 updates (via proxy servers).

    GS5.2 is configures to request updates from
    ftp.nai.com/pub/antivirus/datfiles/4.x. It automatically requests DELTA.INI
    (uppercase) from that directory.

    From our proxy logs, GS 5.2 make the following request (note the
    TCP_MISS/404 errors):

    192.168.1.250 TCP_MISS/404 1406 GET
    ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
    DIRECT/208.254.18.147 text/html

    192.168.1.250 TCP_MISS/404 1406 GET
    ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
    DIRECT/208.254.18.148 text/html

    192.168.1.250 TCP_MISS/200 222 GET
    ftp://ftp.nai.com/pub/antivirus/datfiles/4.x - DIRECT/208.254.18.147
    text/html

    The third entry in the proxy log I presume is a directory listing request -
    which does not produce a listing I presume because it should have a trailing
    '/'. A manual request from a proxy server using telnet shows that only a
    host header is returned.

    To verify the existence of the file, their FTP server shows the following:

    ftp> cd /pub/antivirus/datfiles/4.x
    ...
    ftp> ls
    ...
    150 Opening ASCI mode data connection for /pub/antivirus/datfiles/4.x/.
    ...
    -rw-rw-rw- 1 0 0 1303 Jan 12 10:25 delta.ini

    I am reviewing the issue with NAI support now, and am trying to get to the
    bottom of it. Has anyone else noticed?

    Regards
     Richard Carde

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    

  • Next message: Russ: "FW: NAI ftp server is case sensitive - GroupShield 5.2 stops updating"

    Relevant Pages

    • Re: ISA Server Error 421
      ... from the ISA server to retrieve a file, ... FTP client connection makes the request in a different, ... the FTP server improperly handles this ...
      (microsoft.public.isa.clients)
    • Re: Is the way i do, secure enought to avoid session hijacking
      ... AOL requests are forwarded via proxy servers - each request is 'round ... > change within the same client session. ...
      (microsoft.public.dotnet.framework.aspnet)
    • Re: [SLE] SMART Behind Firewalls
      ... On Thursday 07 September 2006 14:40, Marius Roets wrote: ... can request a file. ... However by default the FTP server will try and open a ... My next step Marius, would be to break out Ethereal, and see if the HTTP ...
      (SuSE)
    • Re: Setting Default Owner of a File
      ... protection NOT ownership as initially requested. ... in order for the initial request to work properly WITH disk quotas. ... Possibly a different FTP server would behave differently in this ...
      (comp.os.vms)
    • Re: Setting Default Owner of a File
      ... protection NOT ownership as initially requested. ... in order for the initial request to work properly WITH disk quotas. ... Possibly a different FTP server would behave differently in this ...
      (comp.os.vms)