More Interscan Viruswall stuff

Subject: More Interscan Viruswall stuff
From: john lampe (johnlampeHOTMAIL.COM)
Date: Tue Jan 18 2000 - 08:17:18 CST

• Next message: Michael Howard: "IIS still revealing paths for web directories"
• Previous message: John Comeau: "Re: tcpdump under RedHat 6.1"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It was posted, Dec 27th, that Interscan Viruswall would allow virus-infected
attachements to pass when an additional "=" was appended to end of Base64
message. Along a similar vein numbers 1 through 3 below will also allow
virus-infected attachements to pass right
by Interscan Viruswall.
1) adding a "-" to the end of base64 message
2)changing content-type application type in the header Example,
   Content-type: Application/FOO;
   name="whatever.doc"
3) Adding an extra "-" at end of base64 boundary

3 methods above were tested and verified on NT running the latest engine
from Trend Micro, along with the latest patch. At least one of the methods
above (Number 1) was tested and verified on a Solaris box by Kris Herrin
(the original poster). 3 methods above were chosen *at random* from RFC
2045. Vendor was notified. Patch was promised by Wed. of last week. Trend
Micro patches can be found at
http://www.antivirus.com/download/patches/default.htm . RFC 2045 can be
found at http://www.ietf.org/rfc/rfc2045.txt

John Lampe

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

• Next message: Michael Howard: "IIS still revealing paths for web directories"
• Previous message: John Comeau: "Re: tcpdump under RedHat 6.1"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b27 : Tue Jan 18 2000 - 12:30:59 CST