Hello Simon,

On Sunday, October 27, 2002 at 2:03:27 PM you [S] wrote (at least in
part):

LJ>> http://www.gfi.com/emailsecuritytest/ has a nice set of test emails

LJ>> I'm interested in knowing if the Anti-Virus plugins will catch the
LJ>> fragmented email (eicar.com attachment)

S> I was testing the AVG plugin with TB! yesterday with eicar.com available
S> from here: http://www.eicar.org/anti_virus_test_file.htm
S> When I checked my mail, AVG caught the attached file and created a new
S> quarantine folder in TB!, then moved the infected email there before
S> continuing to process other incoming mail - so obviously after
S> reassembly, but it still gets caught :)

OK. I did the very same test. I asked the test site to send me

1.) pure Eicar
2.) a fragmented message with Eicar

I'm using AVG plus its plugin for The Bat!, version 9/6.0.408.

The two messages came in; the pure Eicar message got 'arrested' in the
Quarantine folder, the fragmented messages went to my Inbox and got
re-assembled _there_. I could see the message list flicker and 5
messages become one.

As I can see on my mail server (or using Mail dispatcher), the
fragmented messages have the subjects

"eicar.com [1/5]" to "eicar.com [5/5]"

The re-assembled message has the (original) subject

"Fragmented message vulnerability test (for Outlook Express)"

So re-assembling went OK.
Nevertheless: this message was _not_ quarantined. Of course I get
warned about a virus found when trying to open the attachment.

Nevertheless: I do in fact wonder how Simon managed it, because I see
technical problems with re-assembling and virus scanning.

When receiving the messages TB! does not know if all parts are there,
therefore it can't re-assemble them to let AVG scan _at receive time_.
Therefore only each single part can be scanned at that point.

Now The Bat! would have to pass the reassembled mail to AVG after it
has put all parts together for the virus to be recognized and the mail
to be quarantined.

This re-assembling is done _after_ mails are received, as I could see
from the flicker in my message list, but there's no hook known to me in
The Bat! that gives the message to an AV plugin when message list
actions are done; the only hook there is at attachment actions like
'save' or 'open'.

To avoid problems that might only occur with IMAP I bounced
(redirected) the fragmented messages to a POP3 account as well,
received them there and had the same result: re-assembling was done
after receiving was finished and the separate messages were already
visible in the message list (therefore after every single one had
passed the AV test, as they're put in the message list only after
passing this test).

All in all I don't see a big problem in this: The Bat! still warns
before opening, scans when actually opening and scans too when saving
(unless somebody has disabled these options himself). It does not
run an attachment automatically, so one should be relatively safe. The
problem in fact only exists 'for real' in clients that re-assemble
the message parts and then run the attachment, as Outlook and Outlook
Express do.

So I wouldn't put too much screaming and whining into this issue for
current The Bat! versions, but instead make it a strong recommendation
for version 2 that The Bat! treats the reassembling of separate parts
like a receiving action and additionally scans the reassembled message.
IMHO it's a purely cosmetic fix that will make version 2 look even more
powerful if present but does not increase security _significantly_.

Just my experiences and 0.02 ¤ :-)
-- 
Regards
Peter Palmreuther
(The Bat! v1.62/Beta7 on Windows 2000 5.0 Build 2195 Service Pack 1)

What did the leper say to the hooker?  Keep the tip.


________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
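As an added illustration (not code from this thread, from The Bat! or from AVG) of the timing problem Peter describes: the script below builds a message with eicar.com attached, splits it into five message/partial fragments by byte count the way a sending client does, and runs a toy MIME-decoding signature check on each fragment as it arrives and on the reassembled message. The addresses, the fragment id and the simplified scanner are assumptions made for the example.

```python
import base64
import email
import re

# Constructed sample data: the EICAR test string (as published by eicar.org)
# and the marker the toy scanner looks for inside decoded attachments.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

def build_message() -> bytes:
    """Complete message carrying eicar.com as a base64 attachment (fixed boundary)."""
    return (
        b"From: tester@example.test\r\nTo: victim@example.test\r\n"
        b"Subject: Fragmented message vulnerability test (for Outlook Express)\r\n"
        b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="frag"\r\n\r\n'
        b"--frag\r\nContent-Type: text/plain\r\n\r\nSee attachment.\r\n"
        b'--frag\r\nContent-Type: application/octet-stream; name="eicar.com"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b'Content-Disposition: attachment; filename="eicar.com"\r\n\r\n'
        + base64.b64encode(EICAR) + b"\r\n--frag--\r\n"
    )

def fragment(raw: bytes, n: int, frag_id: str = "eicar-test@example.test") -> list:
    """Split raw into n message/partial fragments (RFC 2046 5.2.2.1) by byte count;
    a cut may land anywhere, even inside the base64 body (frag_id is assumed)."""
    size = -(-len(raw) // n)  # ceiling division
    frags = []
    for i in range(n):
        wrapper = (f"Subject: eicar.com [{i + 1}/{n}]\r\nContent-Type: message/partial; "
                   f'id="{frag_id}"; number={i + 1}; total={n}\r\n\r\n').encode()
        frags.append(wrapper + raw[i * size:(i + 1) * size])
    return frags

def reassemble(fragments) -> bytes:
    """Order fragments by their number= parameter and concatenate the bodies."""
    pieces = []
    for frag in fragments:
        header, _, body = frag.partition(b"\r\n\r\n")
        pieces.append((int(re.search(rb"number=(\d+)", header).group(1)), body))
    return b"".join(body for _, body in sorted(pieces))

def scan(raw: bytes) -> bool:
    """Toy scanner: parse as MIME, decode every leaf part, look for the marker.
    A fragment is scanned as the stand-alone message the client received."""
    msg = email.message_from_bytes(raw)
    return any(SIGNATURE in (part.get_payload(decode=True) or b"")
               for part in msg.walk() if not part.is_multipart())

if __name__ == "__main__":
    frags = fragment(build_message(), 5)
    print("per fragment:", [scan(f) for f in frags])        # all False
    print("reassembled:", scan(reassemble(reversed(frags))))  # True
```

Each fragment on its own holds only a slice of the base64 text without the headers that say how to decode it, so a per-message scan at receive time sees nothing; the same check succeeds once the parts are concatenated, which is the hook after reassembly that the text above asks for.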