GFI E-mail Test with F-prot

Julian Field jkf at ecs.soton.ac.uk
Sun Feb 3 10:12:35 GMT 2002


At 09:52 03/02/2002, you wrote:
>At 03:10 03/02/2002, you wrote:
>>Has anyone tried the email test from
>>http://www.gfi.com/emailsecuritytest for virus vulnerabilities?
>>Using Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of
>>the 6 infected messages were detected. The test included the following:
>>
>>o       VBS file vulnerability test
>>o       CLSID extension vulnerability test
>>o       MIME header vulnerability test
>>o       ActiveX vulnerability test
>>o       Malformed file extension vulnerability test (for Outlook 2002 -
>>XP)
>>o       CLSID extension vulnerability test (for Outlook 2002 - XP)
>>
>>Mailscanner only detected the MIME header and VBS payloads. What kind of
>>adjustments can I make to catch the rest or is it an F-Prot issue?

I've just tested this lot on our own systems, using Eudora as the client on a
properly patched Win2k system.

The only one that I am vulnerable to at all is the CLSID extension test,
and even that didn't really work as Eudora showed the entire filename,
including the CLSID. However, if you want to block filenames ending in
CLSID's, add  this to your filename.rules.conf (remember to separate the 4
bits of the line with tab characters!):

deny    \{[a-hA-H0-9-]{25,}\}$    Filename trying to hide its real extension    Files ending in CLSIDs are trying to hide their real extension

The other tests just either failed to do anything at all, or left me
staring at a message window full of (unexecuted) JavaScript which wasn't
very exciting :-)
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
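The rule above is a filename.rules.conf line: four tab-separated fields (action, regex, log text, text reported to the user), with the first matching rule deciding the attachment's fate. The script below is an added example, not code from the message or from MailScanner itself, that parses a small constructed rules file in that format and runs it over a few constructed attachment names, including one that ends in a CLSID. The rules file, the sample filenames, and the "first match wins, default allow" evaluation order are assumptions of the example; the CLSID pattern uses a hex-only character class, since CLSIDs are hexadecimal, which is slightly tighter than the a-h class in the posted rule.

```python
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled regex applied to the attachment filename
    log_text: str        # what goes in the mail log
    user_text: str       # what the recipient is told


def parse_rules(text: str) -> list[Rule]:
    """Parse filename.rules.conf-style lines: action<TAB>regex<TAB>log<TAB>user."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            # The usual mistake: fields separated with spaces instead of tabs.
            raise ValueError(f"expected 4 tab-separated fields, got {len(parts)}: {raw!r}")
        action, regex, log_text, user_text = parts
        rules.append(Rule(action.lower(), re.compile(regex), log_text, user_text))
    return rules


def check_filename(name: str, rules: list[Rule]) -> tuple[str, Optional[str]]:
    """Return (action, log_text) for the first rule matching the filename.

    Assumption of this example: first match wins, and a filename that matches
    nothing is allowed.
    """
    for rule in rules:
        if rule.pattern.search(name):
            return rule.action, rule.log_text
    return "allow", None


# Constructed rules file (not a real configuration). Fields are joined with
# real tab characters so the parser sees the format MailScanner expects.
RULES_TEXT = "\n".join([
    "# constructed filename.rules.conf for the example",
    "\t".join(["deny", r"\.vbs$",
               "VBScript attachment", "VBS attachments are blocked"]),
    "\t".join(["deny", r"\{[a-fA-F0-9-]{25,}\}$",
               "Filename trying to hide its real extension",
               "Files ending in CLSIDs are trying to hide their real extension"]),
    "\t".join(["allow", r"\.(txt|pdf)$", "-", "-"]),
])

RULES = parse_rules(RULES_TEXT)

# Constructed attachment names: a plain document, a VBS script, a document
# whose displayed extension is hidden behind a CLSID, and a brace suffix that
# is not a CLSID and so must not trip the CLSID rule.
SAMPLES = [
    "minutes.txt",
    "loveletter.vbs",
    "invoice.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}",
    "notes.txt.{not-a-clsid}",
]


def classify_samples() -> dict[str, str]:
    """Map each sample filename to the action the rules give it."""
    return {name: check_filename(name, RULES)[0] for name in SAMPLES}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{action:5s}  {name}")
```

A quick way to catch the tab-versus-space mistake in a real rules file is to feed it through `parse_rules` before restarting MailScanner: a line whose fields are separated by spaces raises `ValueError` instead of silently matching nothing.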
