Re: PenTesting Email AntiVirus

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: Fri May 17 2002 - 17:24:31 EDT


I think no matter what you do, you can never stay abreast of the new viruses that keep popping up every now and then. Even if you have a virus-scanning email server, it's more likely that a new virus will pass through because it's very new or maybe your virus signature file is not updated.
I think one should only expect *many* virus emails to be scanned and rejected or whatever via the email server, but STILL take great care *as usual not to receive and run .exe/.com/.bat/.vbs etc. files* received via email.

Back to the pen-testing point: well yeah, sending viruses as .ppt and as Excel files is another way, but you can also try sending them in .tgz / .tar / .cpio / .uu (uuencoded) / .avi / .mpg formats.

This will check whether the antivirus scans only .exe files for known virus signatures or checks every attachment.

Anyways, good luck!

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781

"Great is the Art of beginning, but Greater is the Art of ending. "

------BEGIN GEEK CODE BLOCK----
Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++
P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y-
PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
------END GEEK CODE BLOCK------

--- "Rainer Duffner" <rainer@ultra-secure.de> wrote:
>Ilici Ramirez writes:
>
>> Hello,
>>
>> What ways do you know to pen-test email antivirus
>> software?
>
>I'd try to pack various combinations of different file-formats into
>each other (OLE-container).
>E.g., if they have disabled .exe to enter or leave the LAN, try sticking
>it into an Excel or PPT-file.
>It should not work, but that's what you're supposed to find out.
>;-)
>Of course, with webmail-over-https this is 80% pointless nowadays...
>
>
>> A cool one that has been published before is to zip a
>> very large file that contains the same character. The
>> result, a very small file attached to an email could
>> deplete resources on the antivirus server. Do you know
>> any AV exploitable with this?
>
>It's called 42.zip and there has been a discussion about this once in a
>while. Search the archives.
>
>
>cheers,
>Rainer
>--
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Rainer Duffner Munich
>rainer@ultra-secure.de Germany
>http://www.i-duffner.de Freising
>========================================
> When shall we three meet again
> In thunder, lightning, or in rain?
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT
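The two questions raised in this thread (does the scanner judge an attachment by its name or by its content, including content packed inside archives, and does it survive an archive that expands far beyond its size) can be turned into a gateway-side check. The following is an added example, not part of any poster's message: the function names, `MAX_DEPTH` and `MAX_BYTES` are assumptions, it opens only zip and tar-family containers (not OLE documents or uuencoded files), and it flags only content beginning with the DOS/PE `MZ` magic.

```python
import io
import tarfile
import zipfile

MAX_DEPTH = 3                  # container layers to open (assumed policy value)
MAX_BYTES = 10 * 1024 * 1024   # decompressed bytes allowed per attachment (assumed)

class BudgetExceeded(Exception):
    """Attachment nests or expands beyond what the scanner will process."""

def _members(data):
    """Return [(name, reader)] if data is a zip or tar(.gz/.bz2/.xz), else None."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        zf = zipfile.ZipFile(io.BytesIO(data))
        return [(i.filename, zf.open(i)) for i in zf.infolist() if not i.is_dir()]
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        return None
    return [(m.name, tf.extractfile(m)) for m in tf.getmembers() if m.isfile()]

def find_executables(name, data, depth=0, budget=None):
    """Paths of all members whose content starts with the DOS/PE 'MZ' magic."""
    budget = [MAX_BYTES] if budget is None else budget
    if data[:2] == b"MZ":            # decide on content, not on the file name
        return [name]
    members = _members(data)
    if members is None:
        return []
    if depth >= MAX_DEPTH:
        raise BudgetExceeded(f"{name}: more than {MAX_DEPTH} container layers")
    hits = []
    for member_name, reader in members:
        chunk = reader.read(budget[0] + 1)   # bounded read; declared sizes can lie
        budget[0] -= len(chunk)
        if budget[0] < 0:
            raise BudgetExceeded(f"{name}: expands past {MAX_BYTES} bytes")
        hits += find_executables(f"{name}/{member_name}", chunk, depth + 1, budget)
    return hits

def zip_bytes(files):  # helper: in-memory zip from {name: bytes}, for constructed samples
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return out.getvalue()

if __name__ == "__main__":
    inner = zip_bytes({"holiday.avi": b"MZ" + bytes(62)})  # constructed stub: magic only
    print(find_executables("report.ppt", zip_bytes({"notes.txt": b"hi", "inner.zip": inner})))
```

Encrypted or corrupt members make `zipfile`/`tarfile` raise their own errors; a gateway would treat such attachments as unscannable rather than clean, and a `BudgetExceeded` result the same way.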