Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Security App Flaws :: hack2770.htm

eSafe: Could this be exploited?
eSafe: Could this be exploited?


I had a bit of a chat with Aladdin support regarding the odd results I had
with their network virusscanner (aka: eSafe). (see also: 

Both as NitroEngine or CVP server they will push as much of 80% to the
end-user before they stop a virus. Then they rely on the adding of the
exact URL so that URL can be blocked in all next requests.

If it is a first time hit you can get as much as 80% of the payload on
your machine and while they may reset the tcp stream at least IE does
store the 80% chunk as if the file was transfered correctly. (This part I
tested with over 30 different virus files.)

First off this is extremely confusing to the user who just thinks (s)he
just had a virus passing their scanner. (And they are about 80% right.)

Then the chunk may contain enough to trigger another scanner which may
reside on the desktop of said user adding further to the belief this is
not a good product.

But what if I were to write a really small harmfull virus (say less then 2
ethernet packets)? Or create it in such way that the last 20 to 25% is
expendible without loosing it's sting?

Is someone able to verify such a virus may work? (I am not a programmer so
I can think of the potential breach but I can't verify it is exploitable.)

I have a felling it is just a matter of time before such a scanner will be


 All email sent to me is bound to the rules described on my homepage. 
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH