[<prev] [next>] [day] [month] [year] [list]
Message-ID: <04ae01c3c93e$c05c36d0$c064020a@STARDEVALEXSHIPP>
From: ashipp at messagelabs.com (Alex Shipp)
Subject: Avecho Glasswall Anti virus technolog?
> Just wanted to see if anyone knew anything about the company called
> Avecho or their flagship product "Glasswall".
I evaluated their product earlier this year, with the view of incorporating
their engine into our services. However, I quickly took the view that it
was not an anti-virus engine (as advertised) but a rewriting content filtering
engine.
What follows are my deductions from the emails I sent through, and therefore
may not correctly reflect the actual behaviour of the system. Also, it may
well have changed since our tests - we reported all the bugs we found, and
I expect most have been fixed for a while now.
The system attempted to stop all executable content from getting through. Where
an attachment was just executable content, such as an EXE file, it was blocked.
Where the attachment was executable+data, such as an Office document with macros,
the attachment was rewritten to remove the executable content, but leave the data.
So Office documents had all macros stripped. Similarly, HTML emails containing
'nasty' tags had these stripped. Sometimes the executable could not be stripped,
in which case the email is stopped. For instance, this happened with HTML
emails containing scripts. The rewriting also happens in other cases. For instance
BMP files had spurious data at the end of the file removed. TXT documents had
whitespace at the end of line removed. There was also a bug which added a blank
line at the beginning of each text document, but I expect this is fixed now.
Unrecognised files are blocked. So if you send unusual data files, these will
be stopped. When I tested, they only recognised a few of the most common file
types. For instance, they could cope with ZIP, but not RAR. However, they tell me
they have added hundreds more types since we tested. Also it is fairly easy to add
more types, so if you do send unusual data types, these can be added quickly.
Encrypted files count as unrecognised, so sending an encrypted ZIP will
also be stopped. The email itself was also rewritten, presumably to stop
exploits which rely on misformed headers. Text files appeared to be statistically
analysed, some random files we sent through were stopped - eg for containing
a 0x7F character or not enough spaces. They tell me that the system is OK with
foreign languages and signed mail, but we did not test this.
Considering their claim to stop all viruses, their product has at least three
potential areas we identified where it could be exploited.
Firstly, they need to fully understand all file format they support. Otherwise
an executable can be smuggled in without them realising.
Secondly, they need to be able to be able to recognised malformed MIME.
Otherwise an executable can be smuggled in without them realising.
Thirdly, they need to be able to exactly identify all data files. Otherwise,
an attachment of one type can be smuggled in as an attachment of another type.
The first two areas can be closed by their diligence and hard work; if a hole
becomes known, they can update their code. The third area is (I believe) unsolvable.
Some data files are essentially free-format - eg text files, so to determine
whether a 'text' file is actually execuatable becomes equivalent to solving the
Halting problem (mentioned by Nick in his email) which is unsolvable.
Although these flaws debunk the 'never let a virus through' claim, my judgement
is that the product will still protect against the common horde of mass mailers,
since these are all in common file formats, using standard MIME, and are fairly
easy to identify as executable code. Where the user would be most vulnerable
is to a crafted attack aiming at getting some kind of trojan or other malware
into a specific organisation.
So, the product was not usable by us - it would have caused a massive false
positive problem, and doesn't really add anything to our offerings, but I think
there is a market for it for those companies/individuals who need that
particular type of content filtering.
Caveat emptor: Avecho are potentially a competitor of ours, so make your own
judgement on my comments.
Regards,
Alexs
-----------------------------------------
Alex Shipp
Senior Anti-Virus Technologist
MessageLabs
Company Registration No - 3834506
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________
Powered by blists - more mailing lists