GFI E-mail Test with F-prot
Rose, Bobby
brose at MED.WAYNE.EDU
Sun Feb 3 17:38:09 GMT 2002
Their .hta attachment made it thru and after checking mailscanner is
letting any attachment thru that ends in a period. So a rule for
trailing periods might be needed also. This seems to work on that note.
deny \.$ Deny all attachments with trailing periods
Files ending in periods are considered malformed and attempt to hide the
real filename extension.
-----Original Message-----
From: Julian Field [mailto:jkf at ECS.SOTON.AC.UK]
Sent: Sunday, February 03, 2002 5:13 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: GFI E-mail Test with F-prot
At 09:52 03/02/2002, you wrote:
>At 03:10 03/02/2002, you wrote:
>>Has anyone tried the email test from
>>http://www.gfi.com/emailsecuritytest for virus vulnerabilities? Using
>>Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of the
>>6 infected messages were detected. The test included the following:
>>
>>o VBS file vulnerability test
>>o CLSID extension vulnerability test
>>o MIME header vulnerability test
>>o ActiveX vulnerability test
>>o Malformed file extension vulnerability test (for Outlook 2002
-
>>XP)
>>o CLSID extension vulnerability test (for Outlook 2002 - XP)
>>
>>Mailscanner only detected the MIME header and VBS payloads. What kind
>>of adjustments can I make to catch the rest or is it an F-Prot issue?
I've justed this lot on our own systems, using Eudora as the client on a
properly patched Win2k system.
The only one that I am vulnerable to at all is the CLSID extension test,
and even that didn't really work as Eudora showed the entire filename,
including the CLSID. However, if you want to block filenames ending in
CLSID's, add this to your filename.rules.conf (remember to separate the
4 bits of the line with tab characters!):
deny \{[a-hA-H0-9-]{25,}\}$ Filename trying to hide it's real
extension Files ending in CLSID's are trying to hide their real
extension
The other tests just either failed to do anything at all, or left me
staring at a message window full of (unexecuted) JavaScript which wasn't
very exciting :-)
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
More information about the MailScanner
mailing list