
RE: [Full-Disclosure] Avecho Glasswall Anti virus technolog?



> Just wanted to see if anyone knew anything about the company called
> Avecho or their flagship product "Glasswall".

I evaluated their product earlier this year, with the view of incorporating
their engine into our services. However, I quickly took the view that it
was not an anti-virus engine (as advertised) but a rewriting content filtering 
engine.

What follows are my deductions from the emails I sent through, and therefore
may not correctly reflect the actual behaviour of the system. Also, it may
well have changed since our tests - we reported all the bugs we found, and
I expect most have been fixed for a while now.

The system attempted to stop all executable content from getting through. Where
an attachment was just executable content, such as an EXE file, it was blocked.
Where the attachment was executable+data, such as an Office document with macros,
the attachment was rewritten to remove the executable content, but leave the data.
So Office documents had all macros stripped. Similarly, HTML emails containing
'nasty' tags had these stripped. Sometimes the executable could not be stripped,
in which case the email is stopped. For instance, this happened with HTML
emails containing scripts. The rewriting also happens in other cases. For instance,
BMP files had spurious data at the end of the file removed. TXT documents had
whitespace at the end of line removed. There was also a bug which added a blank
line at the beginning of each text document, but I expect this is fixed now.
Unrecognised files are blocked. So if you send unusual data files, these will
be stopped. When I tested, they only recognised a few of the most common file
types. For instance, they could cope with ZIP, but not RAR. However, they tell me
they have added hundreds more types since we tested. Also it is fairly easy to add
more types, so if you do send unusual data types, these can be added quickly.
Encrypted files count as unrecognised, so sending an encrypted ZIP will
also be stopped. The email itself was also rewritten, presumably to stop
exploits which rely on malformed headers. Text files appeared to be statistically
analysed; some random files we sent through were stopped, eg for containing
a 0x7F character or not enough spaces. They tell me that the system is OK with
foreign languages and signed mail, but we did not test this.

Considering their claim to stop all viruses, their product has at least three 
potential areas we identified where it could be exploited.

Firstly, they need to fully understand all file formats they support. Otherwise
an executable can be smuggled in without them realising.

Secondly, they need to be able to recognise malformed MIME.
Otherwise an executable can be smuggled in without them realising.

Thirdly, they need to be able to exactly identify all data files. Otherwise,
an attachment of one type can be smuggled in as an attachment of another type.

The first two areas can be closed by their diligence and hard work; if a hole
becomes known, they can update their code. The third area is (I believe) unsolvable.
Some data files are essentially free-format - eg text files, so to determine
whether a 'text' file is actually executable becomes equivalent to solving the
Halting problem (mentioned by Nick in his email) which is unsolvable.

Although these flaws debunk the 'never let a virus through' claim, my judgement
is that the product will still protect against the common horde of mass mailers,
since these are all in common file formats, using standard MIME, and are fairly
easy to identify as executable code. Where the user would be most vulnerable
is to a crafted attack aiming at getting some kind of trojan or other malware
into a specific organisation.

So, the product was not usable by us - it would have caused a massive false
positive problem, and doesn't really add anything to our offerings, but I think
there is a market for it for those companies/individuals who need that
particular type of content filtering.

Caveat emptor: Avecho are potentially a competitor of ours, so make your own 
judgement on my comments. 

Regards,

Alexs
-----------------------------------------
Alex Shipp
Senior Anti-Virus Technologist
MessageLabs

Company Registration No - 3834506



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
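As an added illustration of the filter behaviour described in the post above (this is not Avecho's, Glasswall's or MessageLabs' code, and says nothing about how Glasswall is actually implemented), the following Python script is a toy rewriting content filter: it identifies each attachment by its leading bytes rather than by its declared type, blocks executables and anything unrecognised (including an encrypted ZIP), rewrites a BMP with trailing junk and a text part with trailing whitespace, and blocks a part whose sniffed type does not match its label. The signature table, the policy, the helper names (`sniff`, `classify`, `scan_message`, `make_zip`, `build_sample`) and the sample message are all constructed assumptions for the example.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional, Tuple, Union

# Constructed magic-byte table; a real filter carries hundreds of entries.
SIGNATURES = [
    (b"MZ", "application/x-msdownload"),   # DOS/PE executable
    (b"PK\x03\x04", "application/zip"),
    (b"BM", "image/bmp"),
]

def sniff(data: bytes) -> Optional[str]:
    """Identify content by its leading bytes, not its label.
    Printable ASCII (no DEL, 0x7F) counts as text; anything else is unrecognised."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    if data and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data):
        return "text/plain"
    return None

def zip_is_encrypted(data: bytes) -> Optional[bool]:
    """True if any entry sets general-purpose bit 0 (encrypted); None if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return None

def classify(declared: str, data: bytes) -> Tuple[str, Union[bytes, str]]:
    """Return ("allow", data), ("rewrite", new_data) or ("block", reason)."""
    actual = sniff(data)
    if actual is None:
        return "block", "unrecognised content"
    if actual == "application/x-msdownload":          # executable, whatever it claims to be
        return "block", "executable (declared %s)" % declared
    if actual == "text/plain":
        if not declared.startswith("text/"):
            return "block", "text smuggled as %s" % declared
        cleaned = b"\n".join(line.rstrip(b" \t") for line in data.split(b"\n"))
        return ("rewrite" if cleaned != data else "allow"), cleaned
    if actual != declared:                              # one type labelled as another
        return "block", "%s declared as %s" % (actual, declared)
    if actual == "application/zip":
        encrypted = zip_is_encrypted(data)
        if encrypted is None:
            return "block", "malformed zip"
        if encrypted:
            return "block", "encrypted zip counts as unrecognised"
    if actual == "image/bmp":
        bf_size = struct.unpack_from("<I", data, 2)[0]  # bfSize header field
        if len(data) > bf_size:
            return "rewrite", data[:bf_size]            # drop trailing junk
    return "allow", data

def scan_message(raw: bytes) -> dict:
    """Map each leaf MIME part (by filename, else content type) to its verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        key = part.get_filename() or part.get_content_type()
        verdicts[key] = classify(part.get_content_type(), part.get_payload(decode=True) or b"")
    return verdicts

def make_zip(name: str, content: bytes, encrypted: bool = False) -> bytes:
    """Build a one-entry zip; optionally flip the 'encrypted' flag bit in the
    local header (offset 6) and the central directory entry (signature + 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for off in (6, data.index(b"PK\x01\x02") + 8):
            data[off] |= 0x01
    return bytes(data)

def build_sample() -> bytes:
    """Constructed message exercising each outcome (assumed sample, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "samples"
    msg.set_content("see attached \n")                  # trailing space: rewritten
    # PE stub labelled text/plain and named .txt: smuggled executable
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(make_zip("x.txt", b"hi", encrypted=True), maintype="application", subtype="zip", filename="secret.zip")
    msg.add_attachment(make_zip("x.txt", b"hi"), maintype="application", subtype="zip", filename="plain.zip")
    bmp = b"BM" + struct.pack("<IHHI", 54, 0, 0, 54) + b"\x00" * 40   # 54-byte header only
    msg.add_attachment(bmp + b"JUNK", maintype="image", subtype="bmp", filename="pic.bmp")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, (verdict, detail) in scan_message(build_sample()).items():
        print("%-12s %-8s %s" % (name, verdict, detail if isinstance(detail, str) else "%d bytes" % len(detail)))
```

Running the script prints one verdict per part: the body is rewritten (trailing space dropped), notes.txt is blocked as an executable despite its text/plain label, secret.zip is blocked because the encrypted flag makes it unreadable, plain.zip is allowed, and pic.bmp is rewritten down to the 54 bytes its own header declares. The third point in the post shows up in `sniff`: the text heuristic is only a guess, so a crafted file that is both valid text and meaningful to some other interpreter is exactly what this approach cannot settle.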