Help in testing AV Plugins
John Rudd
jrudd at UCSC.EDU
Fri Dec 5 22:02:44 GMT 2003
(I'm cc'ing this to the MailScanner list so that they can run the tests
and maybe incorporate these results into their future versions; while I
don't care about Outlook, I'm sure others do, and 4/7 of the Outlook
tests did get through)
Stefan Seiz wrote:
>
> Hi,
>
> over on the cgvirusscan list, someone was just running some tests against
> our little self made av-scanner which uses Mcafee Virex. It failed on quite
> some of the test viruses.
>
> I'd be interessted if anyone on this list could specificaly run these tests
> using the *real* CommuniGate McAfee Plugin. It'd also be interresting to
> know how the other AV Plugins are doing with the tests.
>
> Here's the url to the tests:
> <http://www.testvirus.org/>
>
What I use:
MailScanner-4.24-5 (with cgp2ms/ms2cgp) and sophos 3.74 w/current IDE's
(the sophos AV/savi engine through MailScanner's sophos-wrapper, not via
the CGP plug-in) (my IDE update script runs every night at midnight, so
my IDE's are current as of last night at 12am Pacific time). I did all
of the tests on that page, including the outlook ones.
Here's what made it through:
- Eicar virus sent using BinHex encoding
- Outlook 'Space Gap' vulnerability
- Outlook 'Blank Folding' Vulnerability
- Outlook 'Boundary Space Gap' Vulnerability
- Outlook 'Long Boundary' Vulnerability
Here's what showed up in my virus folder (with infections removed and
replaced by warnings):
- Eicar virus sent using BinHex encoding within a MIME segment
- (one with a fragmented message, which I think is the
second-to-the-last Outlook one, but the message itself was removed and
only the warning was present)
- A file with a CLSID extension which may hide the real file extension
So, those had been cleaned, but got through because they weren't
technically viruses according to which MailScanner rules had blocked
them (they were blocked because they had dangerous formatting, which was
triggered before it determined whether or not they had viruses). The
first was blocked because it was a .com file, and we block .com files.
The second was blocked because we block fragmented messages. The third
was blocked because we block attachments that appear to have multiple
file extensions (like foo.txt.exe) because that can mean it's someone
trying to sneak an executable through.
(and when I say "we block", I mean "we have configured MailScanner to
block")
ALL of the other messages were completely removed, they never even made
it to my virus folder.
So, 1/20 that I care about got through. 5/20 could have deployed their
payload (4 of those on Outlook, where my standard response is "that's
what you get for using Outlook"). 12/20 were silently deleted.
Seems decent. There's a little room for improvement, though. It would
be nice if MailScanner had been able to open up the BinHex attachment,
but it may be that MailScanner expects the AV engine to take that into
account. I'm not sure.
Unlike John Radel, my MailScanner (using Sophos instead of F-Prot) _DID_
block the "Eicar virus sent using BinHex encoding within a MIME segment"
one. That might be because of MailScanner versions, or it might be
because it really is an AV engine issue (where John Radel thought it was
probably more of a MailScanner issue).
John
More information about the MailScanner
mailing list