-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

'Lo,

Well, I should have been more thorough, so please accept my apologies to
everyone to start with. Having both Kaspersky and AVG plugins loaded was
confusing matters somewhat, and causing problems as well. I shall explain, as
it answers a previous question I asked about multiple plugin use as well.

First: *ONLY* the AVG Plugin installed

The AVG plugin only catches the eicar.com virus attachment out of all the
exploits sent by gfi.com. It pops up a notification window before
quarantining the infected email message:

http://www.netbanger.com/offsite/avgeircar.gif

These are the rest of the test files from gfi.com that ended up in my mailbox.

* Object Codebase vulnerability test
* MIME header vulnerability test
* Iframe remote vulnerability test
* ActiveX vulnerability test
* eicar.com [1/5]
* VBS attachment vulnerability test
* CLSID extension vulnerability test
* Malformed file extension vulnerability test (for Outlook 2002 - XP)
* GFI's Access exploit vulnerability test
* CLSID extension vulnerability test (for Outlook 2002 - XP)

You'll probably notice eicar.com [1/5] in the list; this message is the
only part 1 of the 5 fragments to arrive, so maybe something to do with my
earlier experiences. However, after a second poll to the server the
remaining fragments were retrieved and the fragmented message was
immediately reassembled in the inbox as:

* Fragmented message vulnerability test (for Outlook Express)

In any event, with *only* the AVG plugin installed nothing but the
eicar.com attachment is detected and quarantined.

Second: *ONLY* the Kaspersky Plugin installed

The Kaspersky plugin catches 5 of the emails, but also kicks up an error in 1
test out of 3:

http://www.netbanger.com/offsite/kaperskyeircar.gif

After Kaspersky has quit, the *quarantine* folder contains the following
messages:

* CLSID extension vulnerability test (for Outlook 2002 - XP)
* Object Codebase vulnerability test
* MIME header vulnerability test
* Eicar anti-virus test
* Malformed file extension vulnerability test (for Outlook 2002 - XP)

The *inbox* contains the following messages:

* Iframe remote vulnerability test
* VBS attachment vulnerability test
* GFI's Access exploit vulnerability test
* CLSID extension vulnerability test
* ActiveX vulnerability test
* Fragmented message vulnerability test (for Outlook Express)

Third: with *BOTH* the AVG (first in list) and Kaspersky plugins installed,
both the AVG notification window and the Kaspersky error window pop up:

http://www.netbanger.com/offsite/onkpavgeircar.gif

Obviously, this indicates that both plugins are run in succession (in the
snap AVG has focus because I clicked it; the Kaspersky window had focus
before that, being second in the plugin list and so run last).

With both AVG and Kaspersky plugins installed the following files get moved
to the *quarantine* folder:

* CLSID extension vulnerability test (for Outlook 2002 - XP)
* Object Codebase vulnerability test
* MIME header vulnerability test
* Eicar anti-virus test
* Malformed file extension vulnerability test (for Outlook 2002 - XP)

The *inbox* contains the following messages:

* Iframe remote vulnerability test
* VBS attachment vulnerability test
* GFI's Access exploit vulnerability test
* CLSID extension vulnerability test
* ActiveX vulnerability test
* Fragmented message vulnerability test (for Outlook Express)


Conclusion:

Although AVG catches the eicar.com virus attachment, it failed to catch and
quarantine any of the others. Kaspersky on its own catches only 5 of the
possible 11 (which is expected really, I suppose). So there is no advantage
in having both plugins installed, for one, and second, it seems that either I
have a problem or the Kaspersky plugin has a problem. Third, to eventually
get around to the original question, which I failed to answer ;), no
scanners I tested detect virii in fragments, or after fragments had been
reassembled in the inbox, which is a vulnerability of course. Lastly, using
both AVG and Kaspersky plugins gives unpredictable results. Sometimes all 11
emails end up in the inbox, and neither scanner manages to quarantine
anything. And that is odd!



- --
Slán,

 Simon @ theycallmesimon.co.uk

_______________________________________
Faffing about with TB! v1.61 on W2K SP3

PGP Key: http://pgp.netbanger.com/

-----BEGIN PGP SIGNATURE-----
Comment: Privacy is freedom. Protect your privacy with PGP!
Comment: KeyID: 0x5C7E8966
Comment: Fingerprint: 851C F927 0296 FF1C 70A2  474F CB6E 6FFE 5C7E 8966

iQA/AwUBPbw2h8tub/5cfolmEQL7fACgzoRP8Ih710J+YwubJaQdPUWOaoYAn2pR
gW+hsDZYK9lgdfJRbn+n+1qx
=kgP7
-----END PGP SIGNATURE-----
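The fragmented-message gap noted in the conclusion above (a message/partial payload that no per-message scan catches, but that the client reassembles in the inbox) as an added example that is not part of the original post or of either plugin. The fragments are constructed here, the only payload is the EICAR test string, the "scanner" is a plain substring match standing in for the AV plugins, and reassembly follows RFC 2046 section 5.2.2 in simplified form (raw fragment bodies concatenated in `number` order, header merging omitted). The addresses, boundary and part id are placeholders.

```python
"""Reassemble RFC 2046 message/partial fragments before scanning them.

Added example, not code from the original post or from either plugin. The
fragments are constructed here; the only payload is the EICAR test string.
"""
from email import message_from_bytes, policy

# EICAR test string, built from two halves so the contiguous pattern never
# appears in this source file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = (EICAR,)
BOUNDARY = "==frag-demo=="  # constructed MIME boundary


def contains_signature(data: bytes) -> bool:
    """Stand-in for a scanner: a plain substring match against known patterns."""
    return any(sig in data for sig in SIGNATURES)


def build_full_message(payload: bytes) -> bytes:
    """Constructed sample: a two-part message with `payload` as a 7bit attachment."""
    text = (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: Fragmented message vulnerability test\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
        "\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "See attached test file.\r\n"
        f"--{BOUNDARY}\r\n"
        'Content-Type: application/octet-stream; name="eicar.com"\r\n'
        "Content-Transfer-Encoding: 7bit\r\n"
        'Content-Disposition: attachment; filename="eicar.com"\r\n'
        "\r\n"
        f"{payload.decode('ascii')}\r\n"
        f"--{BOUNDARY}--\r\n"
    )
    return text.encode("ascii")


def fragment(full: bytes, chunk_size: int, part_id: str = "demo-1@example.invalid") -> list:
    """Split a complete message into message/partial fragments (RFC 2046 5.2.2).

    Fragment N carries bytes [(N-1)*chunk_size, N*chunk_size) of the original,
    so fragment 1 holds the inner headers and later ones are raw slices."""
    chunks = [full[i:i + chunk_size] for i in range(0, len(full), chunk_size)]
    total = len(chunks)
    fragments = []
    for number, chunk in enumerate(chunks, start=1):
        head = (
            "From: sender@example.invalid\r\n"
            "To: victim@example.invalid\r\n"
            f"Subject: eicar.com [{number}/{total}]\r\n"
            "MIME-Version: 1.0\r\n"
            f'Content-Type: message/partial; id="{part_id}"; '
            f"number={number}; total={total}\r\n"
            "\r\n"
        ).encode("ascii")
        fragments.append(head + chunk)
    return fragments


def scan_message(raw: bytes) -> bool:
    """Scan one message on its own: decode every leaf part, look for a signature.

    This is all a per-message plugin sees. A fragment parses as message/partial
    whose body is an arbitrary byte slice, so a pattern crossing the cut is
    invisible here."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True)
        if data and contains_signature(data):
            return True
    return False


def reassemble(fragments: list) -> bytes:
    """Order fragments by their `number` parameter and concatenate the bodies.

    Simplified RFC 2046 5.2.2: the inner headers travel in fragment 1, so
    joining the raw bodies yields a parseable message; merging of outer and
    inner headers is omitted."""
    pieces, total = {}, None
    for raw in fragments:
        msg = message_from_bytes(raw, policy=policy.default)
        if msg.get_content_type() != "message/partial":
            raise ValueError("not a message/partial fragment")
        number = int(msg.get_param("number"))
        total = int(msg.get_param("total"))
        body_start = raw.index(b"\r\n\r\n") + 4  # skip the fragment's own headers
        pieces[number] = raw[body_start:]
    if total is None or set(pieces) != set(range(1, total + 1)):
        raise ValueError("fragment set is incomplete")
    return b"".join(pieces[n] for n in range(1, total + 1))


def demo() -> dict:
    """Cut the message so the test string straddles the fragment boundary, then
    compare per-fragment scanning with scanning after reassembly."""
    full = build_full_message(EICAR)
    cut = full.index(EICAR) + len(EICAR) // 2
    fragments = fragment(full, cut)
    return {
        "fragments": len(fragments),
        "per_fragment_hits": [scan_message(f) for f in fragments],
        "reassembled_hit": scan_message(reassemble(fragments)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows every fragment scanning clean while the reassembled message is flagged, which is the behaviour the test above observed in the inbox. The defensive options this points at are to reassemble `message/partial` sets before scanning, or to refuse `message/partial` at the gateway so fragments never reach a client that will stitch them together unscanned.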


________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
