Re: Aladdin response regarding eSafe

• Previous message: Rubйn Molina: "Jaws 0.4: authentication bypass"
• In reply to: Ofer Elzam: "Aladdin response regarding eSafe"
• Next in thread: Aleksandar Milivojevic: "Re: Aladdin response regarding eSafe"
• Reply: Aleksandar Milivojevic: "Re: Aladdin response regarding eSafe"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 28 Jul 2004 21:45:03 +0400
To: Ofer Elzam <ofere@hotmail.com>

Dear Ofer Elzam,

Of cause, this approach makes no problems in catching, for example,
known ITW worms as executables or archives. Problems begin if you're
trying to catch, lets say sites with Internet Explorer trojans. Remember
Scob? Imagine what happens if Scob added to a page as a header instead
of a footer. 80% and even 5% of the page have a good chance to contain
fully working version of Scob before connection is terminated by filter.

I know this problem it not eSafe specific. In fact, I don't know
antiviral engine capable to catch signature in the stream of data
immediately after signature is arrived in the stream. All antiviral
engines I tested (KAV, ClamAV and others) are file-oriented. It makes it
impossible to code good antiviral protection for proxy server with this
engines.

--Wednesday, July 28, 2004, 7:52:14 PM, you wrote to bugtraq@securityfocus.com:

OE> In-Reply-To: <18610004519.20040724152743@SECURITY.NNOV.RU>

OE> eSafe Gateway uses a default value of 80% file download before
OE> first inspection of executable files from HTTP servers. This value
OE> can be changed to as low as 5% if desired.
OE> We feel that the 80% gives a good balance between user
OE> experience and security needs. Customers would usually want to see a
OE> fast moving download progress bar. If we set the value to 5% - the
OE> progress bar will move just a little bit (5%) when downloading and
OE> the remaining 95% very fast as eSafe finishes the inspection. This
OE> annoys users.

OE> If antiviral filter checks data _after_ all data received from client
OE> with 20% buffering yes, it's possible to bypass this check for HTTP,
OE> because there is no way (at least for HTTP/1.0 and FTP) to indicate
OE> error to client and make him to delete partially downloaded data.

-- 
~/ZARAZA
Пока вы во власти провидения, вам не удастся умереть раньше срока. (Твен)

• Previous message: Rubйn Molina: "Jaws 0.4: authentication bypass"
• In reply to: Ofer Elzam: "Aladdin response regarding eSafe"
• Next in thread: Aleksandar Milivojevic: "Re: Aladdin response regarding eSafe"
• Reply: Aleksandar Milivojevic: "Re: Aladdin response regarding eSafe"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]