GFI E-mail Test with F-prot
Julian Field
jkf at ecs.soton.ac.uk
Sun Feb 3 10:12:35 GMT 2002
At 09:52 03/02/2002, you wrote:
>At 03:10 03/02/2002, you wrote:
>>Has anyone tried the email test from
>>http://www.gfi.com/emailsecuritytest for virus vulnerabilities?
>>Using Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of
>>the 6 infected messages were detected. The test included the following:
>>
>>o VBS file vulnerability test
>>o CLSID extension vulnerability test
>>o MIME header vulnerability test
>>o ActiveX vulnerability test
>>o Malformed file extension vulnerability test (for Outlook 2002 - XP)
>>o CLSID extension vulnerability test (for Outlook 2002 - XP)
>>
>>Mailscanner only detected the MIME header and VBS payloads. What kind of
>>adjustments can I make to catch the rest or is it an F-Prot issue?

I've just tested this lot on our own systems, using Eudora as the client on a
properly patched Win2k system.

The only one that I am vulnerable to at all is the CLSID extension test,
and even that didn't really work as Eudora showed the entire filename,
including the CLSID. However, if you want to block filenames ending in
CLSIDs, add this to your filename.rules.conf (remember to separate the 4
bits of the line with tab characters!):

deny	\{[a-hA-H0-9-]{25,}\}$	Filename trying to hide it's real extension	Files ending in CLSID's are trying to hide their real extension

The other tests just either failed to do anything at all, or left me
staring at a message window full of (unexecuted) JavaScript which wasn't
very exciting :-)
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
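
An added example, not part of the original message and not MailScanner's own code: a small Python check that the rule line above really has four tab-separated fields and that its pattern fires only on names ending in a CLSID. The function names, the field names and the sample filenames are constructed for illustration, and a plain case-sensitive regex search is assumed.

```python
import re

# Rule from the message above; the four fields are joined with real tabs.
RULE = "\t".join([
    "deny",
    r"\{[a-hA-H0-9-]{25,}\}$",
    "Filename trying to hide it's real extension",
    "Files ending in CLSID's are trying to hide their real extension",
])

def parse_rule(line):
    """Split one rule line into (action, compiled regex, log text, user text)."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 4 or not all(fields):
        raise ValueError("need 4 tab-separated fields, got %d: %r"
                         % (len(fields), fields))
    action, pattern, log_text, user_text = fields
    return action, re.compile(pattern), log_text, user_text

def verdict(filename, rule_line=RULE):
    """Return the user-facing text if the rule denies filename, else None."""
    action, regex, _log_text, user_text = parse_rule(rule_line)
    if action == "deny" and regex.search(filename):
        return user_text
    return None

# Constructed sample attachment names (the all-zero CLSID is a placeholder).
SAMPLES = [
    "notes.txt.{00000000-0000-0000-0000-000000000000}",  # ends in a CLSID
    "notes.{00000000-0000-0000-0000-000000000000}.txt",  # CLSID not at the end
    "readme.{1234}",                                     # braces, but too short
    "report.doc",                                        # ordinary name
]

if __name__ == "__main__":
    for name in SAMPLES:
        print("%-52s %s" % (name, "DENY" if verdict(name) else "pass"))
    try:
        parse_rule(RULE.replace("\t", " "))  # same rule typed with spaces
    except ValueError as err:
        print("rejected:", err)
```

Only the first sample is denied; the same rule typed with spaces instead of tabs is rejected by the field check before it is ever used.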