Re: PenTesting Email AntiVirus

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: 05/17/02


Date: Fri, 17 May 2002 14:24:31 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: "Rainer Duffner" <rainer@ultra-secure.de>, pen-test@securityfocus.com

I think no matter what you do, you can never stay abreast of new viruses, which keep popping up every now and then. Even if you have a virus-scanning email server, it's more likely that a new virus will pass through because it's very new or maybe your virus signature file is not updated.
I think one should only expect *many* virus emails to be scanned and rejected or whatever via the email server, but STILL take great care *as usual not to receive and run .exe/.com/.bat/.vbs etc. files* received via email.

- Back to the pen-testing point: well yeah, sending viruses as .ppt and as Excel files is another way, but you can also try sending it in .tgz / .tar / .cpio / .uu (uuencoded) / .avi / .mpg formats.

This will check whether the antivirus scans only .exe files for known virus signatures or whether it checks every attachment.

Anyways, good luck!

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781

"Great is the Art of beginning, but Greater is the Art of ending. "

------BEGIN GEEK CODE BLOCK----
Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++
P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y-
PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
------END GEEK CODE BLOCK------

--- "Rainer Duffner" <rainer@ultra-secure.de> wrote:
>Ilici Ramirez writes:
>
>> Hello,
>>
>> What ways do you know to pen-test email antivirus
>> software?
>
>I'd try to pack various combinations of different file-formats into
>each other (OLE-container).
>E.g., if they have disabled .exe to enter or leave the LAN, try sticking
>it into an Excel or PPT-file.
>It should not work, but that's what you're supposed to find out.
>;-)
>Of course, with webmail-over-https this is 80% pointless nowadays...
>
>
>> A cool one that has been published before is to zip a
>> very large file that contains the same character. The
>> result, a very small file attached to an email could
>> deplete resources on the antivirus server. Do you know
>> any AV exploitable with this?
>
>It's called 42.zip and there has been a discussion about this once in a
>while. Search the archives.
>
>
>cheers,
>Rainer
>--
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Rainer Duffner Munich
>rainer@ultra-secure.de Germany
>http://www.i-duffner.de Freising
>========================================
> When shall we three meet again
> In thunder, lightning, or in rain?
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/
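
For the gateway side of the tests discussed in this thread (attachments judged by content rather than by extension, containers packed inside containers, and the very small archive of one repeated character), here is an added example that is not part of the original posts: a minimal inspector for zip attachments. The limits, the extension list and the function names are assumptions chosen for illustration, and only the zip format is handled.

```python
import io
import zipfile

# Assumed policy values for this sketch; tune them for the real gateway.
BLOCKED_EXT = (".exe", ".com", ".bat", ".vbs")
MAX_DEPTH = 3                # archive levels the scanner will open
MAX_TOTAL = 50 * 1024 ** 2   # uncompressed bytes allowed per attachment
MAX_RATIO = 100              # declared uncompressed/compressed size per member

def inspect_attachment(name, data, depth=0, budget=None, path=""):
    """Return (reason, path) findings for one attachment, recursing into zips."""
    budget = [MAX_TOTAL] if budget is None else budget
    here = f"{path}/{name}" if path else name
    findings = []
    if name.lower().endswith(BLOCKED_EXT):
        findings.append(("blocked-extension", here))
    # Decide by content, not by name: a zip renamed to .avi is still a zip.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [("nesting-too-deep", here)]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{here}/{info.filename}"
            if info.flag_bits & 0x1:  # encrypted: cannot be inspected, report it
                findings.append(("encrypted-member", member))
            elif info.file_size > MAX_RATIO * max(info.compress_size, 1):
                findings.append(("compression-ratio", member))  # never inflated
            else:
                with zf.open(info) as fh:
                    body = fh.read(budget[0] + 1)  # bounded: headers can lie
                budget[0] -= len(body)
                if budget[0] < 0:
                    return findings + [("size-budget-exceeded", member)]
                findings += inspect_attachment(info.filename, body, depth + 1, budget, here)
    return findings

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

if __name__ == "__main__":
    inner = make_zip({"setup.exe": b"harmless placeholder bytes"})
    outer = make_zip({"report.xls": b"not a real workbook", "docs.zip": inner})
    print(inspect_attachment("holiday.avi", outer))
```

The ratio check uses only the sizes declared in the archive directory, so the bounded read and the shared byte budget are what protect the scanner when those declared sizes are wrong.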




