Subject: Re: NAI WebShield SMTP does not scan base64 encoding
From: chris.paget@ANALYSYS.COM
Date: Tue Jun 20 2000 - 13:52:28 CDT

MS-TNEF is not used at any point in the process; neither is Outlook,
nor Rich Text. The messages are plain text (a renamed copy of my
autoexec.bat) being sent using Forte Agent - nothing Microsoft. The
MIME types I have tried include application/octet-stream and
text/plain - in neither case is the VBS / SHS file blocked. The only
difference that I can see between this setup and another machine using
Outlook (from which messages get blocked) is the encoding type -
base64 instead of 8bit.
If the attachment is indeed a known virus, it appears to be detected
and cleaned; however, I am trying to block ALL potentially malicious
attachments, and base64 encoding appears to circumvent those checks.

Chris

--
Chris Paget
Software Engineer, Analysys LTD.
chris.paget@analysys.com
mad.nutter@mindless.com

On Tue, 20 Jun 2000 14:37:46 -0400, you wrote:

>Chris,
>This problem is not caused by base64 encoding. It is caused by the message
>being encoded in MS-TNEF (Microsoft Transport Neutral Encapsulation Format.)
>and then getting base64 encoded. MS-TNEF is used when Outlook sends Rich
>Text information over the Internet.
>
>NAI knows that this is a problem but they have been unable to fix it. Here's
>my message to NAI and their response.
>-------------------------------
> -----Original Message-----
> From: Jon
> Sent: Tuesday, May 09, 2000 7:55 PM
> To: Fronck, Destry
> Subject: RE: Webshield smtp 4.03 virus gateway
>
> Destry,
>
> I talked to the Webshield guys and they said you are
> completely correct. Not only that but NO company can scan those files
> including ours. They did provide an article that may be of help to you.
>
> <<WebShield_MS-TNEF.doc>>
>
> Thanks
>
>
> Jon
> --------------------------------------
> Network Associates
> Who's watching your network?
> -------------------------------------
>
> -----Original Message-----
> From: Fronck, Destry [mailto:DFronck@FDIC.gov]
> Sent: Monday, May 08, 2000 7:38 AM
> To: Jon
> Cc: FDIC-CSIRT
> Subject: Webshield smtp 4.03 virus gateway
> Importance: High
>
> Jon, I have discovered a problem with the
> WebShield smtp 4.03 virus gateway for NT. We have had several instances of
> the ILOVEYOU virus getting past the virus gateway. All of these were
> detected by the VShield 4.03 desktop scanner. Both products are running the
> same dat files; 4076 and the latest extra.dat.
>
> The problem is that the gateway does not
> appear to scan MS-TNEF (Microsoft Transport Neutral Encapsulated Format)
> content. This content is typically encapsulated in MIME like so
>
> ------_=_NextPart_000_01BFB8C1.7FC25C8A
> Content-Type: application/ms-tnef
> Content-Transfer-Encoding: base64
>
> Can you verify this?
> Does WebShield 4.5 fix this? Can you verify
> this?
>
> Thanks,
> Destry Fronck
>-----------------------------------------------
>Thanks,
> Destry Fronck
>
>-----Original Message-----
>From: chris.paget@ANALYSYS.COM [mailto:chris.paget@ANALYSYS.COM]
>Sent: Tuesday, June 20, 2000 9:08 AM
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: NAI WebShield SMTP does not scan base64 encoding
>
>While investigating today's virus outbreak (Stages.Worm), I noticed
>that our email virus scanner (NAI WebShield SMTP 4.5, engine 4.0.50,
>DAT 4.0.4082, 14/06/00) was not picking up all attachments.
>The server is configured to block all SHS, VBS, etc attachments, and
>notify the sender. However, when these are sent as Base64 encoding
>(rather than 8-bit), they are passed by the server, and could
>potentially infect the network. 8-bit attachments are successfully
>scanned (and blocked if necessary).
>
>Chris
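
An added example (not part of the original thread and not NAI's code): an attachment filter that takes its verdict from the parsed MIME part, so the same file sent as base64 or as 8bit gets the same decision. The sample messages, addresses, file names and the quarantine policy for `application/ms-tnef` are constructed assumptions.

```python
import base64
from email import message_from_bytes, policy

BLOCKED_EXT = (".vbs", ".shs")          # attachment types named in the thread
OPAQUE_TYPES = {"application/ms-tnef"}  # container the gateway reportedly cannot open
BODY = b"REM constructed harmless sample\r\n"  # constructed payload

def sample(cte, ctype="application/octet-stream", name="notes.vbs"):
    """Build a constructed two-part message whose attachment uses the given encoding."""
    data = base64.encodebytes(BODY) if cte == "base64" else BODY
    return (
        b"From: a@example.test\r\nTo: b@example.test\r\nSubject: test\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        b"--XX\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        b"--XX\r\nContent-Type: " + ctype.encode() + b"\r\n"
        b"Content-Transfer-Encoding: " + cte.encode() + b"\r\n"
        b'Content-Disposition: attachment; filename="' + name.encode() + b'"\r\n\r\n'
        + data + b"\r\n--XX--\r\n"
    )

def inspect_message(raw):
    """Return (filename, type, transfer encoding, verdict, decoded bytes) per attachment."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        ctype = part.get_content_type()
        if not name and ctype == "text/plain":
            continue  # unnamed text part: the message body
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        decoded = part.get_payload(decode=True)  # undo base64/quoted-printable first
        # The verdict depends on the name and type only, never on the encoding.
        if name.lower().endswith(BLOCKED_EXT):
            verdict = "block"
        elif ctype in OPAQUE_TYPES:
            verdict = "quarantine"  # assumed policy: hold what cannot be inspected
        else:
            verdict = "pass"  # decoded bytes would go to the signature scanner here
        findings.append((name, ctype, cte, verdict, decoded))
    return findings

if __name__ == "__main__":
    for cte in ("8bit", "base64"):
        print(cte, inspect_message(sample(cte))[0][3])
```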