Message-ID: <466468026.20040728214503@SECURITY.NNOV.RU>
Date: Wed, 28 Jul 2004 21:45:03 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: Ofer Elzam <ofere@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Aladdin response regarding eSafe


Dear Ofer Elzam,

Of course, this approach causes no problems in catching, for example,
known ITW worms as executables or archives. Problems begin if you're
trying to catch, let's say, sites with Internet Explorer trojans. Remember
Scob? Imagine what happens if Scob were added to a page as a header instead
of a footer. 80% and even 5% of the page have a good chance to contain a
fully working version of Scob before the connection is terminated by the
filter.

I know this problem is not eSafe specific. In fact, I don't know of an
antiviral engine capable of catching a signature in a stream of data
immediately after the signature arrives in the stream. All antiviral
engines I tested (KAV, ClamAV and others) are file-oriented. This makes it
impossible to code good antiviral protection for a proxy server with these
engines.


--Wednesday, July 28, 2004, 7:52:14 PM, you wrote to bugtraq@...urityfocus.com:

OE> In-Reply-To: <18610004519.20040724152743@...URITY.NNOV.RU>

OE> eSafe Gateway uses a default value of 80% file download before
OE> first inspection of executable files from HTTP servers. This value
OE> can be changed to as low as 5% if desired.
OE> We feel that the 80% gives a good balance between user
OE> experience and security needs. Customers would usually want to see a
OE> fast moving download progress bar.  If we set the value to 5% - the
OE> progress bar will move just a little bit (5%) when downloading and
OE> the remaining 95% very fast as eSafe finishes the inspection.  This
OE> annoys users.


OE> If the antiviral filter checks data _after_ all data is received from
OE> the client with 20% buffering, yes, it's possible to bypass this check
OE> for HTTP, because there is no way (at least for HTTP/1.0 and FTP) to
OE> indicate an error to the client and make him delete partially
OE> downloaded data.

-- 
~/ZARAZA
While you are in the hands of Providence, you will not manage to die before your time. (Twain)
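An added illustration of the point made above about file-oriented engines versus stream scanning; this is example code, not code from the thread or from eSafe, KAV or ClamAV. SIGNATURE, HEADER_PAGE and FOOTER_PAGE are constructed placeholders (no real malware bytes), and the "forward a fraction, then inspect" policy is a simplified model of the behaviour described in the quoted reply.

```python
# Constructed placeholders: a stand-in signature and two pages that carry it
# either at the top ("Scob as a header") or at the bottom ("Scob as a footer").
SIGNATURE = b"<script>MARKER_EVIL</script>"
HEADER_PAGE = SIGNATURE + b"<html>" + b"x" * 2000 + b"</html>"
FOOTER_PAGE = b"<html>" + b"x" * 2000 + b"</html>" + SIGNATURE


def chunked(data, size):
    """Split a response body into the pieces a proxy would read from the socket."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def stream_scan(chunks, signature):
    """Scan every chunk as it arrives, keeping len(signature)-1 bytes of the
    previous window so a signature split across two chunks is still found.
    Returns the number of bytes already forwarded to the client when the
    signature completes (that chunk is withheld), or None if it never appears."""
    tail = b""
    forwarded = 0
    for chunk in chunks:
        window = tail + chunk
        if signature in window:
            return forwarded
        forwarded += len(chunk)
        tail = window[-(len(signature) - 1):]
    return None


def fraction_scan(chunks, signature, fraction):
    """Simplified model of the gateway policy discussed in the thread: release
    chunks to the client until `fraction` of the body has been forwarded, then
    hold the rest until the whole body is buffered and scanned as a file.
    Returns the bytes already forwarded when the verdict is reached, or None
    if the signature is absent. Whether those bytes already contain the whole
    signature is what decides if the client got a working copy."""
    body = b"".join(chunks)
    if signature not in body:
        return None
    forwarded = 0
    for chunk in chunks:
        if forwarded >= fraction * len(body):
            break
        forwarded += len(chunk)   # released before any inspection took place
    return forwarded
```

With 512-byte chunks and the 5% threshold, the header variant leaks its first 512 bytes, and the signature lies entirely within them; the stream scanner withholds that very first chunk.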


