lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <04ae01c3c93e$c05c36d0$c064020a@STARDEVALEXSHIPP>
From: ashipp at messagelabs.com (Alex Shipp)
Subject: Avecho Glasswall Anti virus technolog?

> Just wanted to see if anyone knew anything about the company called
> Avecho or their flagship product "Glasswall".

I evaluated their product earlier this year, with the view of incorporating
their engine into our services. However, I quickly took the view that it
was not an anti-virus engine (as advertised) but a rewriting content filtering 
engine.

What follows are my deductions from the emails I sent through, and therefore
may not correctly reflect the actual behaviour of the system. Also, it may
well have changed since our tests - we reported all the bugs we found, and
I expect most have been fixed for a while now.

The system attempted to stop all executable content from getting through. Where
an attachment was just executable content, such as an EXE file, it was blocked.
Where the attachment was executable+data, such as an Office document with macros,
the attachment was rewritten to remove the executable content, but leave the data.
So Office documents had all macros stripped. Similarly, HTML emails containing
'nasty' tags had these stripped. Sometimes the executable could not be stripped,
in which case the email is stopped. For instance, this happened with HTML
emails containing scripts. The rewriting also happens in other cases. For instance
BMP files had spurious data at the end of the file removed. TXT documents had
whitespace at the end of line removed. There was also a bug which added a blank
line at the beginning of each text document, but I expect this is fixed now.
Unrecognised files are blocked. So if you send unusual data files, these will 
be stopped. When I tested, they only recognised a few of the most common file
types. For instance, they could cope with ZIP, but not RAR. However, they tell me 
they have added hundreds more types since we tested. Also it is fairly easy to add
more types, so if you do send unusual data types, these can be added quickly.
Encrypted files count as unrecognised, so sending an encrypted ZIP will
also be stopped. The email itself was also rewritten, presumably to stop
exploits which rely on misformed headers. Text files appeared to be statistically
analysed, some random files we sent through were stopped - eg for containing
a 0x7F character or not enough spaces. They tell me that the system is OK with 
foreign languages and signed mail, but we did not test this.

Considering their claim to stop all viruses, their product has at least three 
potential areas we identified where it could be exploited.

Firstly, they need to fully understand all file format they support. Otherwise
an executable can be smuggled in without them realising.

Secondly, they need to be able to be able to recognised malformed MIME.
Otherwise an executable can be smuggled in without them realising.

Thirdly, they need to be able to exactly identify all data files. Otherwise,
an attachment of one type can be smuggled in as an attachment of another type.

The first two areas can be closed by their diligence and hard work; if a hole
becomes known, they can update their code. The third area is (I believe) unsolvable.
Some data files are essentially free-format - eg text files, so to determine 
whether a 'text' file is actually execuatable becomes equivalent to solving the 
Halting problem (mentioned by Nick in his email) which is unsolvable.

Although these flaws debunk the 'never let a virus through' claim, my judgement
is that the product will still protect against the common horde of mass mailers,
since these are all in common file formats, using standard MIME, and are fairly 
easy to identify as executable code. Where the user would be most vulnerable  
is to a crafted attack aiming at getting some kind of trojan or other malware
into a specific organisation. 

So, the product was not usable by us - it would have caused a massive false
positive problem, and doesn't really add anything to our offerings, but I think 
there is a market for it for those  companies/individuals who need that 
particular type of content filtering.

Caveat emptor: Avecho are potentially a competitor of ours, so make your own 
judgement on my comments. 

Regards,

Alexs
-----------------------------------------
Alex Shipp
Senior Anti-Virus Technologist
MessageLabs

Company Registration No - 3834506


________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ