NAI ftp server is case sensitive - GroupShield 5.2 stops updating

From: Richard Carde (rcardeOPTUSHOME.COM.AU)
Date: Thu Jan 13 2005 - 17:52:49 CST


NAI/McAfee have recently updated their FTP server to be case-sensitive and
this affects GS5.2 updates (via proxy servers).

GS5.2 is configured to request updates from
ftp.nai.com/pub/antivirus/datfiles/4.x. It automatically requests DELTA.INI
(uppercase) from that directory.

From our proxy logs, GS 5.2 makes the following request (note the
TCP_MISS/404 errors):

192.168.1.250 TCP_MISS/404 1406 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
DIRECT/208.254.18.147 text/html

192.168.1.250 TCP_MISS/404 1406 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
DIRECT/208.254.18.148 text/html

192.168.1.250 TCP_MISS/200 222 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x - DIRECT/208.254.18.147
text/html

The third entry in the proxy log I presume is a directory listing request -
which does not produce a listing I presume because it should have a trailing
'/'. A manual request from a proxy server using telnet shows that only a
host header is returned.

To verify the existence of the file, their FTP server shows the following:

ftp> cd /pub/antivirus/datfiles/4.x
...
ftp> ls
...
150 Opening ASCI mode data connection for /pub/antivirus/datfiles/4.x/.
...
-rw-rw-rw- 1 0 0 1303 Jan 12 10:25 delta.ini

I am reviewing the issue with NAI support now, and am trying to get to the
bottom of it. Has anyone else noticed?

Regards
 Richard Carde
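
A small diagnostic for the symptom described in the post above, added to this archive entry and not part of the original message: it parses the trimmed proxy-log format quoted there, collects the requests that came back 404, and compares each requested filename case-insensitively against the FTP directory listing, so a case-only mismatch such as DELTA.INI versus delta.ini is reported instead of being read as a missing file. The log and listing lines are the ones quoted in the post, re-joined as constructed sample input.

```python
import re

# Constructed sample: the three proxy-log entries from the post, each re-joined onto one line.
PROXY_LOG = """\
192.168.1.250 TCP_MISS/404 1406 GET ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI - DIRECT/208.254.18.147 text/html
192.168.1.250 TCP_MISS/404 1406 GET ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI - DIRECT/208.254.18.148 text/html
192.168.1.250 TCP_MISS/200 222 GET ftp://ftp.nai.com/pub/antivirus/datfiles/4.x - DIRECT/208.254.18.147 text/html
"""

# Constructed sample: the "ls" output the post shows for that directory.
FTP_LISTING = """\
-rw-rw-rw- 1 0 0 1303 Jan 12 10:25 delta.ini
"""

# Fields of the trimmed log format as shown in the post:
# client result/status bytes method url - peer/host mime
LOG_RE = re.compile(r'^(\S+) (\S+)/(\d{3}) (\d+) (\S+) (\S+) ')


def parse_proxy_log(text):
    """Return one dict per parseable log line (client, result, status, method, url)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({'client': m.group(1), 'result': m.group(2),
                            'status': int(m.group(3)), 'method': m.group(5),
                            'url': m.group(6)})
    return entries


def listed_names(listing):
    """Extract filenames from Unix-style 'ls -l' output (9th whitespace field)."""
    names = []
    for line in listing.splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9:
            names.append(parts[8])
    return names


def diagnose_case_mismatch(log_text, listing_text):
    """Pair each 404'd filename with a listed file that matches it only when case is ignored."""
    by_lower = {n.lower(): n for n in listed_names(listing_text)}
    findings, seen = [], set()
    for e in parse_proxy_log(log_text):
        if e['status'] != 404:
            continue  # only failed fetches are of interest
        requested = e['url'].rsplit('/', 1)[-1]
        actual = by_lower.get(requested.lower())
        if actual and actual != requested and requested not in seen:
            seen.add(requested)
            findings.append((requested, actual))
    return findings
```
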

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--