WG and GFI Email Security Testing

Discussion in 'WormGuard' started by Bouch, May 6, 2002.

Thread Status:
Not open for further replies.
  1. Bouch (Registered Member; Joined: Apr 14, 2002; Posts: 26; Location: Toronto Canada)

    I thought that I would give Wormguard and NAV2002 a workout by using the GFI Email Security Testing available here: http://www.gfi.com/emailsecuritytest/
    This site provides several tests as follows:

    VBS attachment vulnerability test
    CLSID extension vulnerability test
    MIME header vulnerability test (Nimda testing)
    ActiveX vulnerability test (works only on IE5.5)
    GFI's Access exploit vulnerability test
    CLSID extension vulnerability test (for Outlook 2002)
    Malformed file extension vulnerability test (for Outlook 2002)

    Between them, Wormguard and NAV did an excellent job: however, the MIME test was a bit of a surprise (for me anyway). The test site indicates that the MIME exploit makes use of a malformed MIME header and an IFRAME tag to trick Outlook Express into running an attached VBS file. I was hoping that Wormguard would recognize the VBS attachment (as it did in the case of the VBS attachment vulnerability test); however, it did not do so. In truth, the MIME exploit with its attached VBS file did succeed when I chose to open the VBS attachment at the prompt. Anybody else try this? Outcome?
     
  2. Jooske

    Jooske (Registered Member; Joined: Feb 12, 2002; Posts: 9,713; Location: Netherlands, EU near the sea)

    The vbs and mime I received were blocked by the email scanner and WG so..... maybe something in your settings?
    Updated IE/OE to the latest with the security updates?
     
  3. Bouch

    I'm using IE6 with Outlook Express, and all patches have been installed. With the MIME exploit, I simply found it curious that the Outpost firewall was able to identify and warn me about the vbs attachment when the email arrived, but Wormguard allowed me to open it with no warning. My workaround was to change Outpost's attachment filter configuration so that it both reports the vbs attachment and renames it with a .safe extension. Then, even if I proceed to open it, Wormguard jumps all over it as a file with two extensions; however, I can at least view it in safe mode. I'm attempting to make all as secure as possible since I have two grown "children" plus a grandson who use my computer from time to time, and none is quite as security conscious as I would like. Regards.

    Bob
     
  4. Jooske

    Glad you found that workaround, hope they do stop them in all cases!
    I had the feeling there were differences between the files opening when touching the email --the open or save message-- or after clicking the paperclip in the preview window.
    Good to try such tests, thanks very much for the link!
    Hope you were able to block them all!
     
  5. Tassie_Devils

    Tassie_Devils (Global Moderator; Joined: May 8, 2002; Posts: 2,514; Location: State Queensland, Australia)

    Bob/Jooske

    I did the same test. Passed with all. Running IE/OE6 with all patches, etc. [well at least as far as I know, the bloody 'Windows Update' is now in new format and not working for me].

    WG grabbed 4 [I think] and my security settings simply blocked the rest or they failed [since using IE6 was a negator in some of the tests as it is more secure]

    Tas
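
The attachment checks discussed in this thread (a script attachment, a renamed file carrying two extensions, and an IFRAME that points at an attachment), written as a mail-audit function. This is an added example, not code from WormGuard, Outpost or GFI; the extension list, the finding names, the constructed sample message, and the reading of "malformed MIME header" as a declared media type that contradicts the file extension are all assumptions.

```python
import email.policy
import re

# Assumed, non-exhaustive set of extensions treated as script/executable content.
RISKY = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr", ".pif", ".bat"}
IFRAME_CID = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)

# Constructed sample: a framed .vbs declared as audio, plus a file renamed with .safe.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:part1" height="0" width="0"></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="test.vbs"
Content-ID: <part1>

' constructed placeholder, no script code
--b1
Content-Type: application/octet-stream; name="note.vbs.safe"

' constructed placeholder, no script code
--b1--
"""

def audit(raw):
    """Return a sorted list of (filename, finding) pairs for one raw message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings, by_cid, framed = set(), {}, set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            framed.update(IFRAME_CID.findall(part.get_content()))
        name = part.get_filename()
        if not name:
            continue
        exts = ["." + e for e in name.lower().split(".")[1:]]
        by_cid[str(part.get("Content-ID") or "").strip().strip("<>")] = name
        # Declared media type contradicts the extension the mail client acts on.
        mismatch = part.get_content_maintype() in {"audio", "image", "video"}
        if exts and exts[-1] in RISKY:
            findings.add((name, "type-mismatch" if mismatch else "script-extension"))
        if len(exts) >= 2 and any(e in RISKY for e in exts):
            findings.add((name, "double-extension"))
    findings.update((by_cid[c], "iframe-reference") for c in framed if c in by_cid)
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```
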
     