[35867] in bugtraq
Re: eSafe: Could this be exploited?
daemon@ATHENA.MIT.EDU (Hugo van der Kooij)
Wed Jul 28 00:24:56 2004
Date: Mon, 26 Jul 2004 22:26:39 +0200 (CEST)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: bugtraq@securityfocus.com
In-Reply-To: <8ced05f50407252226575ec4f9@mail.gmail.com>
Message-ID: <Pine.LNX.4.58.0407262219280.8540@gandalf.hugo.vanderkooij.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Mon, 26 Jul 2004, MegaHz wrote:
> I have tested it out, and esafe blocked the hole email that contains
> the eicar virus.
> Of course I have configure esafe to block virus infected emails
> instead of modifying them and removing the virus.
SMTP (or SMTP via CVP) is handled as a store and forward mechanisme. Hence
the 80% rule does not apply.
The issue was seen with both v3.5 in CVP mode as well as v4 in bridging
mode. No further labtest were done to see if a full live EICAR version
could be passed along.
If someone is able to create a test executable based on the EICAR string
the point might be proven. Unfortunatly I am not a programmer and lack
window compiler tools all together. But if someone thinks (s)he can create
a sample binary that may run when the last bit is shot to pieces and still
contain a valid EICAR definition to show to the screen the issue might be
proven.
Putting it on a webserver and posting the URL would allow anyone who wants
to to verify the issue themselves.
Hugo.
--
All email sent to me is bound to the rules described on my homepage.
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
