BugTraq
Aladdin response regarding eSafe Jul 28 2004 03:52PM
Ofer Elzam (ofere hotmail com) (1 replies)
In-Reply-To: <18610004519.20040724152743 (at) SECURITY.NNOV (dot) RU [email concealed]>

eSafe Gateway uses a default value of 80% file download before first inspection of executable files from HTTP servers. This value can be changed to as low as 5% if desired.

We feel that the 80% gives a good balance between user experience and security needs. Customers would usually want to see a fast moving download progress bar. If we set the value to 5% - the progress bar will move just a little bit (5%) when downloading and the remaining 95% very fast as eSafe finishes the inspection. This annoys users.

The customer has a choice - better security or better user experience (let's also remember that currently there are no real viruses in the wild that have used such methods).

Testing this technique with EICAR is very specific as EICAR is not like typical real viruses; it is only a few bytes in length.

In any case, if a future virus that can cause damage even when only a few bytes are downloaded is discovered, eSafe has the right technology to identify and block it. We can even automatically change customer configuration to do so if needed.

eSafe is known for innovative security features so this subject will be further investigated in search of even more security enhancements.

Regards,

Ofer Elzam, CISSP

eSafe Product Manager

Dear Hugo van der Kooij,

--Friday, July 23, 2004, 10:21:22 PM, you wrote to bugtraq securityfocus com:

HvdK> Both as NitroEngine or CVP server they will push as much of 80% to the
HvdK> end-user before they stop a virus. Then they rely on the adding of the
HvdK> exact URL so that URL can be blocked in all next requests.

It depends on how the antiviral check is actually implemented. If the connection is broken immediately after the signature is detected, there is no way to download the infected file, because the signature will not pass to the client and the client will not be able to use the "Range:" header to resume the partially downloaded file.

If the antiviral filter checks data _after_ all data is received from the client with 20% buffering, yes, it's possible to bypass this check for HTTP, because there is no way (at least for HTTP/1.0 and FTP) to indicate an error to the client and make it delete the partially downloaded data.

You can check it by sending EICAR with some additional data: if you can find the EICAR signature on the client after the connection is broken by the antiviral filter, you can bypass its protection.

--
~/ZARAZA
The machine turned out to be capable of only a single action, namely multiplying 2x2, and even then it made mistakes. (Lem)

Re: Aladdin response regarding eSafe Jul 28 2004 05:45PM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Re: Aladdin response regarding eSafe Jul 30 2004 02:06PM
Aleksandar Milivojevic (amilivojevic pbl ca) (1 replies)
Re[2]: Aladdin response regarding eSafe Aug 01 2004 10:17PM
3APA3A (3APA3A SECURITY NNOV RU)