GFI email test

This tests various vulnarabilities via email.

http://www.gfi.com/emailsecuritytest

IMON does not catch any problems except eicar (I checked off all the tests).

Could someone please check it out and tell me if I'm missing some settings?

 

Hi Smooth,

This test show you why you need a antivirus for your email

This test send you messages with no payload except for the eicar one. INON detect only active payload so it detects eicar (no realy payload but it is a antivirus test file so it os detected by design).

The other tests try possible vulnerabilities of your email client. If a real payload was used in these tests it would have been detected.

These tests show you or not that is is possible to send you executable file without blocking them in your email client. If you are not patched these executable may be executed automaticaly in some test. In other test it relies on the fact that user do not see the file extensions to make the illusion that the file in a word document for exemple (doc extention).

Again in the test, if a eicar type payload was used, it would have been detected but these tests just show you that you need a antivirus because some bug permit execusion of attachement without user confirmation or by trying to fool the user on the real file nature.

Some firewall, like outpost or zonelarme (pro version) allow to block potentionaly dangerous attachements. Using the last version and fully patched version of Microsoft email clients (Outlook 2002/XP SP2 or Outook Express 6.00.2800.1123) these attachement are blocked by default.

It would be great if IMON had the capability of putting in quarantine some "executable" attachements type (May be next version ).

Blocking pif, exe and scr attachements would prevent many virus/trojan from entering computers. In the last Bugbear.B, blocking pif,scr and exe attachements would have blocked the virus without any pattern update signature. At my work ( we don't use NOD32) I setup the mail server to block all "executable" attachements. The antivirus did not detected the Bugbear.B virus but none user received it because it was blocked on the server. The GFI product does that and a little bit more in filtering. But again if protect you from already known vulnerabilities not the undiscovered one.

Sisko

 

Re:GFI email test: another questions please

hi

it's not really clear

with the bat! and ZAP pro
facts are:
using e-scan antivirus 2003: I got warnings for practically all tests messages
using Kav 4: same (and it created a mailbox: "quarantine" where it transfered some of them); I add that there's a KAV plug-in for the Bat! (auto installed during setup)
using NOD: 1 warning only....but I enjoy the v2 of nod ( speed , doesn't slowdown...even if the exclude option on amon doesn't work!)

question is : WHY, using same config (firewall+email client) are the behaviours so different?
NOD looks fine, but it seems it doesn't make me safe...?

I've read here that NOD is excellent BUT ONLY for virus; email testers consider all other attacks :
ActiveX vulnerability test
CLSID extension vulnerability test
Class ID (CLSID) extensions. more info
GFI's Access exploit vulnerability test
Iframe remote vulnerability test
Malformed file extension vulnerability test (for Outlook 2002)
MIME header vulnerability test (Nimda & Klez testing)
Codebase vulnerability test
VBS attachment vulnerability test


should NOD be backed with another antivirus or another soft that could take care of these non virus attacks? which one ?
so another question is the duo NOD v.2+TDS v.3 enough? what do you suggest ?



Thank you

 

Good points me2.

I tried AVK and almost all of the exploits were caught and I was notified. The problem is, however, that I can really feel the performance hit with AVK and I like the interface to NOD.

But I'm not sure how concerned I need to be over these issues because clearly other AV products are identifying them and notifying us that they are there.

 

Hi,
could you please look what said GFI in each of its messages and tell us the result you have got.

Here is mine :
Using Oulook XP SP2 and NOD32 2.0

VBS attachment vulnerability test : Oultook blocked access to the folowing potentially unsafe attachements: viewthis.jpg.vbs

CLSID extension vulnerability test and CLSID extension vulnerability test (for Outlook 2002 - XP) : Oultook blocked access to the folowing potentially unsafe attachements: {3050f4d8-98b5-11cf-bb82-00aa00bbce0b}

MIME header vulnerability test
GFI's Access exploit vulnerability test
ActiveX vulnerability test
Iframe remote vulnerability test :

xxxxxx vulnerability test has just been
performed on your computer. Opening this mail
automatically activates the test.

If the text file gfi-test.txt appears on your
desktop, then you are vulnerable to attack from
email viruses which use the MIME exploit

No I don't see it so : If you cannot see the file, this means you have an effective client-based email security

Malformed file extension vulnerability test (for Outlook 2002 - XP) : Oultook blocked access to the folowing potentially unsafe attachements: viewthis.hta

Object Codebase vulnerability test :
See screen shot

Eicar anti-virus test :
Detected by NOD32

Multipart Eicar :
Not detected and no way to open it in outlook XP (supported only in Outlook Express)

I'll try with Outlook Express on my home computer later.

Sisko

 

I didn't receive any notification other than the one you received for the eicar attachment.

I'm using PocoMail but it appears that the blocks were conducted by Outlook's security settings.

If I use AVK (with the KAV and RAV engine) then almost all of the emails have a [Virus] in the heading.

If I use NOD then the header remains unchanged and the email is even stamped as checked by NOD32 (when I leave that option on).

 

Yes these a test for vulnerabilities in Outlook, Outlook Express, Internet Explorer. Using other email clients your are not exposed. So when AVK mark the message with a virus, It is a good thing but actualy it is not a virus. If it was, NOD32 will detect it also.

NOD32 could probably be better in dectecting these things too but It will probably be slower. And I preffer it to be fast kwowing that it will not detect all the virus but only all the ITW virus.

The combination of NOD32 Active all the time, KAV or AVK for weekly scans and scan of suspicious files (form Kazaa for exemple) and eventually TDS3 if you want extra security against Trojan is for me (for my usage) the best solution today.


Sisko

 

That sounds reasonable and I partially agree.

My concern stems from the fact that the blocking seems to be coming from Outlook; I can still run the attachments if I click on them and ignore the warning that pops up in PocoMail.

I (hopefully) won't do that but other users on my computer likely will open the attachments if they aren't notified that it's a virus.

For example, exploits like this:

MIME header vulnerability test (Nimda & Klez testing)
This test examines whether your system is protected against emails using the MIME exploit. This test does not apply to IE6 users who have the latest patches installed.

was not identified which leads me to believe I am vulnerable to a Klez and/or Nimba variant.

Am I reaching an incorrect conclusion?

If it's a trade-off between something like that and speed then I would like to know so I can make a decision between which program I'll use for my email checking.

Thanks for chatting with me.

 

Hi Smooth,

It's a pleasure for me too.

After checking the PocoMail web site, I can assure you that you are not vulnerable to the issue of the MINE Header Vulnerability
PocoMail use its own HTML viewer (It don’t use the Internet Explorer component witch may be vulnerable if not upgraded since March 2001).

If the PocoMail was vulnerable and the mail contained the Nimba or Klez virus, IMON would detect it.

The same applies for other vulnerabilities.

You are not vulnerable except if you open the attachments.

If you open it, it depend of the nature of the virus it may or may not be detected by your antivirus (NOD32 or other)

What make NOD32 my first choice, is that it detect these new viruses earlier than others in general. But when I receive a strange attachment with double extension for example (something.doc.pif) and Nod32 did not detect it, I scan it with KAV or others online scans and I send it to ESET for analyzing.

The last one non detect virus I received was Win32/BugBear.B.dammaged. None of the antivirus I used detected it (KAV, McAfee, NOD32, TrendMicro). I sent the file for analyzing to ESET. Not only they released an update but they replied to me that It was added. I think that they added the virus no because I've send them a copy, they probably got their own. But the fact that even at that busy period, they replied to me personally show how seriously they treat their customer.

For attachments except blocking them (has outlook xp do) there is no solutions even with antivirus. Saying that a vbs file is a virus is not the true. Saying that it is a dangerous attachment is right.

I would like to see an option in NOD32 to rename specific attachment extensions to prevent them to be executed. With the added security that the real extension would be displayed and not hidden by Windows Explorer (In its default configuration)

For example receiving a tryme.gif.vbs file, NOD32 IMON would rename it tryme.gifvbs.n32.

If some one at ESET read me, I think it would be a great feature.

Sisko

 

Hi Sisko,

>I would like to see an option in NOD32 to rename specific attachment extensions to prevent them to be executed. With the added security that the real extension would be displayed and not hidden by Windows Explorer (In its default configuration)

Added to the wishlist.

Rgds.,

jan