Re: eSafe: Could this be exploited?

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 07/24/04

    Date: Sat, 24 Jul 2004 15:27:43 +0400
    To: Hugo van der Kooij <hvdkooij@vanderkooij.org>
    
    

    Dear Hugo van der Kooij,

    --Friday, July 23, 2004, 10:21:22 PM, you wrote to bugtraq@securityfocus.com:

    HvdK> Both as NitroEngine or CVP server they will push as much as 80% to the
    HvdK> end-user before they stop a virus. Then they rely on the adding of the
    HvdK> exact URL so that URL can be blocked in all next requests.

    It depends on how the antiviral check is actually implemented. If the
    connection is broken immediately after the signature is detected - there
    is no way to download the infected file, because the signature will not
    pass to the client and the client will not be able to use the "Range:"
    header to resume the partially downloaded file.

    If the antiviral filter checks data _after_ all data is received from the
    client with 20% buffering, yes, it's possible to bypass this check for
    HTTP, because there is no way (at least for HTTP/1.0 and FTP) to indicate
    an error to the client and make him delete the partially downloaded data.

    You can check it by sending EICAR with some additional data: if you can
    find the EICAR signature on the client after the connection is broken by
    the antiviral filter, you can bypass its protection.

    -- 
    ~/ZARAZA
    The machine proved capable of only one operation,
    namely multiplying 2x2, and even then it made mistakes. (Lem)
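
A small model of the two filter designs compared in the message above, added here as an illustration and not part of the original post or of any vendor's code. The marker is a constructed stand-in for the EICAR string; the function names, the 64-byte chunking and the simplified "release the first 80%, scan at the end" behaviour are assumptions.

```python
"""Added example: what the client ends up holding under each filter design."""

# Constructed stand-in for the EICAR test string (not a real AV signature).
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"


def inline_filter(chunks, sig=SIGNATURE):
    """Scan before forwarding and break the connection on detection.

    The last len(sig)-1 bytes are always held back, so a signature split
    across chunks is caught before any byte of it is released.
    """
    forwarded, pending, keep = b"", b"", len(sig) - 1
    for chunk in chunks:
        buf = pending + chunk
        hit = buf.find(sig)
        if hit != -1:
            return forwarded + buf[:hit], True   # connection broken here
        cut = max(len(buf) - keep, 0)
        forwarded, pending = forwarded + buf[:cut], buf[cut:]
    return forwarded + pending, False            # clean: flush the tail


def trailing_filter(chunks, holdback_pct=20, sig=SIGNATURE):
    """Forward data as it arrives, withholding only the final 20%, and
    scan once everything has been received."""
    data = b"".join(chunks)
    released = len(data) * (100 - holdback_pct) // 100
    if sig in data:
        return data[:released], True             # client keeps the first 80%
    return data, False


def client_has_signature(received, sig=SIGNATURE):
    """The check from the message: is the signature on the client?"""
    return sig in received


def split(data, size=64):
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample: the marker followed by additional data.
SAMPLE = b"A" * 100 + SIGNATURE + b"B" * 900

if __name__ == "__main__":
    for name, flt in (("inline", inline_filter), ("trailing", trailing_filter)):
        received, blocked = flt(split(SAMPLE))
        print(name, "blocked:", blocked, "bytes:", len(received),
              "signature on client:", client_has_signature(received))
```

Both filters report the transfer as blocked; only the bytes left on the client tell the two designs apart.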
    
