RE: Bypassing quarantine with ADS formatted filenames

From: Ross, George (george.ross_at_atlahq.org)
Date: 06/07/04

  • Next message: Locher Thomas: "Alternative to Windows Explorer"
    Date: Mon, 7 Jun 2004 14:05:05 -0400
    To: "Naren" <naren@pactech.net>, "Jack Cullen" <jack_cullen@hotmail.com>, <security-basics@securityfocus.com>
    
    

    I agree with Naren. It's important to take a tiered approach to virus
    detection as well.

    -----Original Message-----
    From: Naren [mailto:naren@pactech.net]
    Sent: Saturday, June 05, 2004 11:59 PM
    To: Jack Cullen; security-basics@securityfocus.com
    Subject: Re: Bypassing quarantine with ADS formatted filenames

    You need to get application-aware gateways, which look at the application,
    not the extension.

    Then, this can be stopped. There are few in the market.

    Naren
    Singapore
    ----- Original Message -----
    From: "Jack Cullen" <jack_cullen@hotmail.com>
    To: <security-basics@securityfocus.com>
    Sent: Friday, June 04, 2004 11:46 PM
    Subject: Bypassing quarantine with ADS formatted filenames

    > Is it possible to get file attachments past AV software by using
    > alternate data stream type filenames? We have set McAfee GroupShield
    > to quarantine all .zip files yet several people have received messages
    > with .zip attachments that came in the following formats:
    >
    > The attachment 'Informations.zip:Informations.txt'
    > -or-
    > The attachment 'sample01.zip:data.rtf
    > .scr'
    

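A sketch of the content-based check suggested in the thread, added here as an example and not part of the original messages: it classifies each attachment by its leading bytes and separately flags names that contain a colon or whitespace padding. The magic-byte table, the blocked lists and all function names are assumptions chosen for illustration, and the sample message is constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading magic bytes -> type. Illustrative subset; a real gateway uses a full file-type library.
MAGIC = {b"PK\x03\x04": "zip", b"PK\x05\x06": "zip", b"MZ": "pe-executable"}
BLOCKED_TYPES = {"zip", "pe-executable"}                 # assumed site policy
BLOCKED_EXTS = {".zip", ".scr", ".exe", ".pif", ".bat"}  # assumed site policy

def sniff(data):
    """Classify a payload by its first bytes, ignoring whatever it is named."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")

def name_extensions(filename):
    """Every extension in the name, splitting on ':' and on whitespace padding."""
    exts = set()
    for part in re.split(r"[:\s]+", filename.lower()):
        exts.update(re.findall(r"\.[a-z0-9]+", part))
    return exts

def verdict(filename, data):
    """Return (quarantine, reasons) for one attachment."""
    reasons = []
    kind = sniff(data)
    if kind in BLOCKED_TYPES:
        reasons.append("content:" + kind)
    hits = name_extensions(filename) & BLOCKED_EXTS
    if hits:
        reasons.append("name:" + ",".join(sorted(hits)))
    if ":" in filename or re.search(r"\s{2,}|[\r\n]", filename):
        reasons.append("name:stream-or-padding")
    return bool(reasons), reasons

def scan(raw):
    """Run verdict() over every attachment of a raw message; returns a list of verdicts."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [verdict(p.get_filename() or "", p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()]

def build_sample():
    """Constructed message using the two attachment names quoted in the post."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("body")
    for name, data in [("Informations.zip:Informations.txt", b"PK\x03\x04" + b"\0" * 26),
                       ("sample01.zip:data.rtf .scr", b"MZ" + b"\0" * 62)]:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    for result in scan(build_sample()):
        print(result)
```

The content check and the name check are reported separately, so a renamed archive is still caught by its bytes and an oddly formed name is still caught when the payload type is unknown.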