GFI email test

Discussion in 'NOD32 version 2 Forum' started by Smooth, Jun 14, 2003.

Thread Status:
Not open for further replies.
  1. Smooth

    Smooth Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    16
    This tests various vulnerabilities via email.

    http://www.gfi.com/emailsecuritytest

    IMON does not catch any problems except eicar (I checked off all the tests).

    Could someone please check it out and tell me if I'm missing some settings?
     
  2. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Hi Smooth,

    This test shows you why you need an antivirus for your email ;)

    This test sends you messages with no payload except for the EICAR one. IMON detects only an active payload, so it detects EICAR (not really a payload, but it is an antivirus test file, so it is detected by design).

    The other tests try possible vulnerabilities of your email client. If a real payload had been used in these tests, it would have been detected.

    These tests show you (or not :D) that it is possible to send you executable files without your email client blocking them. If you are not patched, these executables may be executed automatically in some tests. Other tests rely on the fact that users do not see file extensions to create the illusion that the file is a Word document, for example (doc extension).

    Again, in the test, if an EICAR-type payload had been used, it would have been detected, but these tests just show you that you need an antivirus because some bugs permit execution of attachments without user confirmation or by fooling the user about the real nature of the file.

    Some firewalls, like Outpost or ZoneAlarm (Pro version), allow you to block potentially dangerous attachments. Using the latest, fully patched version of Microsoft email clients (Outlook 2002/XP SP2 or Outlook Express 6.00.2800.1123), these attachments are blocked by default.

    It would be great if IMON had the capability of quarantining some "executable" attachment types (maybe next version ;) ).

    Blocking pif, exe and scr attachments would prevent many viruses/trojans from entering computers. With the latest Bugbear.B, blocking pif, scr and exe attachments would have blocked the virus without any signature update. At my work ( :( we don't use NOD32) I set up the mail server to block all "executable" attachments. The antivirus did not detect the Bugbear.B virus, but no user received it because it was blocked on the server. The GFI product does that and a little bit more in filtering. But again, it protects you from already known vulnerabilities, not the undiscovered ones.

    Sisko
     
  3. me2

    me2 Guest

    Re: GFI email test: another question please

    hi

    it's not really clear

    With The Bat! and ZAP Pro, the facts are:
    using eScan Antivirus 2003: I got warnings for practically all test messages
    using KAV 4: same (and it created a mailbox, "quarantine", where it transferred some of them); I add that there's a KAV plug-in for The Bat! (auto-installed during setup)
    using NOD: 1 warning only... but I enjoy v2 of NOD (speed, doesn't slow down... even if the exclude option on AMON doesn't work!)

    The question is: WHY, using the same config (firewall + email client), are the behaviours so different?
    NOD looks fine, but it seems it doesn't make me safe...?

    I've read here that NOD is excellent BUT ONLY for viruses; email testers consider all other attacks:
    ActiveX vulnerability test
    CLSID extension vulnerability test
    Class ID (CLSID) extensions.
    GFI's Access exploit vulnerability test
    Iframe remote vulnerability test
    Malformed file extension vulnerability test (for Outlook 2002)
    MIME header vulnerability test (Nimda & Klez testing)
    Codebase vulnerability test
    VBS attachment vulnerability test


    Should NOD be backed up with another antivirus or another piece of software that could take care of these non-virus attacks? Which one?
    So another question: is the duo NOD v.2 + TDS v.3 enough? What do you suggest?



    Thank you
     
  4. Smooth

    Smooth Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    16
    Good points me2.

    I tried AVK and almost all of the exploits were caught and I was notified. The problem is, however, that I can really feel the performance hit with AVK and I like the interface to NOD.

    But I'm not sure how concerned I need to be over these issues because clearly other AV products are identifying them and notifying us that they are there.
     
  5. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Hi,
    could you please look at what GFI said in each of its messages and tell us the result you got.

    Here is mine:
    Using Outlook XP SP2 and NOD32 2.0

    VBS attachment vulnerability test: Outlook blocked access to the following potentially unsafe attachments: viewthis.jpg.vbs

    CLSID extension vulnerability test and CLSID extension vulnerability test (for Outlook 2002 - XP): Outlook blocked access to the following potentially unsafe attachments: {3050f4d8-98b5-11cf-bb82-00aa00bbce0b}

    MIME header vulnerability test
    GFI's Access exploit vulnerability test
    ActiveX vulnerability test
    Iframe remote vulnerability test
    :

    xxxxxx vulnerability test has just been
    performed on your computer. Opening this mail
    automatically activates the test.

    If the text file gfi-test.txt appears on your
    desktop, then you are vulnerable to attack from
    email viruses which use the MIME exploit


    No, I don't see it, so: If you cannot see the file, this means you have effective client-based email security

    Malformed file extension vulnerability test (for Outlook 2002 - XP): Outlook blocked access to the following potentially unsafe attachments: viewthis.hta

    Object Codebase vulnerability test:
    See screenshot

    Eicar anti-virus test:
    Detected by NOD32

    Multipart Eicar:
    Not detected and no way to open it in Outlook XP (supported only in Outlook Express)

    I'll try with Outlook Express on my home computer later.

    Sisko
     


  6. Smooth

    Smooth Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    16
    I didn't receive any notification other than the one you received for the eicar attachment.

    I'm using PocoMail but it appears that the blocks were conducted by Outlook's security settings.

    If I use AVK (with the KAV and RAV engine) then almost all of the emails have a [Virus] in the heading.

    If I use NOD then the header remains unchanged and the email is even stamped as checked by NOD32 (when I leave that option on).
     
  7. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Yes, these are tests for vulnerabilities in Outlook, Outlook Express and Internet Explorer. Using other email clients, you are not exposed. So when AVK marks the message as a virus, it is a good thing, but actually it is not a virus. If it were, NOD32 would detect it also.

    NOD32 could probably be better at detecting these things too, but it would probably be slower. And I prefer it to be fast, knowing that it will not detect all viruses but only all the ITW viruses.

    The combination of NOD32 active all the time, KAV or AVK for weekly scans and scanning suspicious files (from Kazaa, for example), and possibly TDS3 if you want extra security against trojans, is for me (for my usage) the best solution today.


    Sisko
     
  8. Smooth

    Smooth Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    16
    That sounds reasonable and I partially agree.

    My concern stems from the fact that the blocking seems to be coming from Outlook; I can still run the attachments if I click on them and ignore the warning that pops up in PocoMail.

    I (hopefully) won't do that but other users on my computer likely will open the attachments if they aren't notified that it's a virus.

    For example, exploits like this:

    MIME header vulnerability test (Nimda & Klez testing)
    This test examines whether your system is protected against emails using the MIME exploit. This test does not apply to IE6 users who have the latest patches installed.


    was not identified, which leads me to believe I am vulnerable to a Klez and/or Nimda variant.

    Am I reaching an incorrect conclusion?

    If it's a trade-off between something like that and speed then I would like to know so I can make a decision between which program I'll use for my email checking.

    Thanks for chatting with me.
     
  9. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Hi Smooth,

    It's a pleasure for me too.

    After checking the PocoMail web site, I can assure you that you are not vulnerable to the MIME Header Vulnerability issue.
    PocoMail uses its own HTML viewer (it doesn't use the Internet Explorer component, which may be vulnerable if not upgraded since March 2001).

    If PocoMail were vulnerable and the mail contained the Nimda or Klez virus, IMON would detect it.

    The same applies for other vulnerabilities.

    You are not vulnerable unless you open the attachments.

    If you open it, depending on the nature of the virus, it may or may not be detected by your antivirus (NOD32 or other).

    What makes NOD32 my first choice is that it detects these new viruses earlier than others in general. But when I receive a strange attachment with a double extension, for example (something.doc.pif), and NOD32 did not detect it, I scan it with KAV or other online scanners and I send it to ESET for analysis.

    The last undetected virus I received was Win32/BugBear.B.damaged. None of the antiviruses I used detected it (KAV, McAfee, NOD32, TrendMicro). I sent the file to ESET for analysis. Not only did they release an update, but they replied to me that it was added. I think that they added the virus not because I sent them a copy; they probably got their own. But the fact that even in that busy period they replied to me personally shows how seriously they treat their customers.

    For attachments, apart from blocking them (as Outlook XP does), there is no solution, even with an antivirus. Saying that a VBS file is a virus is not true. Saying that it is a dangerous attachment is right.

    I would like to see an option in NOD32 to rename specific attachment extensions to prevent them from being executed, with the added security that the real extension would be displayed and not hidden by Windows Explorer (in its default configuration).

    For example, receiving a tryme.gif.vbs file, NOD32 IMON would rename it tryme.gifvbs.n32.

    If someone at ESET reads this, I think it would be a great feature. :)

    Sisko
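    The two defensive measures discussed in this thread, the mail-server filter that rejects pif/exe/scr attachments (Sisko's post #2) and the proposed "rename so it cannot run and the real extension stays visible" policy (tryme.gif.vbs becoming tryme.gifvbs.n32, post #9), can both be expressed as a small filter over a MIME message. The following is an added example written for this page; it is not NOD32, GFI or ESET code. The extension list, the `.n32` suffix and the sample message are assumptions constructed for the demonstration.

```python
"""Attachment policy demo: server-side block list plus 'rename to neutralise'.

Added example for this thread; not code from ESET, GFI or any forum member.
"""
import email
from email.message import EmailMessage

# Extensions the thread treats as "executable" (pif, exe, scr) plus the ones the
# GFI tests use (vbs, hta). The set is an assumption for this example, not a
# NOD32 or GFI list.
DANGEROUS_EXTENSIONS = {"exe", "pif", "scr", "vbs", "hta", "bat", "com"}
# Suffix from the proposal in the thread (tryme.gif.vbs -> tryme.gifvbs.n32);
# hypothetical, not an ESET convention.
NEUTRAL_SUFFIX = ".n32"


def neutralize_filename(name):
    """Return the renamed filename, or the original if its extension is harmless.

    The dot before the dangerous extension is removed so Explorer's "Hide
    extensions for known file types" can no longer hide it, and a harmless
    suffix is appended so double-clicking does not execute the file.
    """
    base, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in DANGEROUS_EXTENSIONS:
        return name
    return f"{base}{ext}{NEUTRAL_SUFFIX}"


def has_double_extension(name):
    """True for names like 'something.doc.pif' that disguise an executable as a document."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in DANGEROUS_EXTENSIONS


def apply_policy(raw_message, mode="rename"):
    """Walk a MIME message and either 'rename' or 'block' dangerous attachments.

    Returns (message, report). 'block' mirrors the mail-server filter from the
    thread: the whole message is rejected (None returned) at the first dangerous
    attachment. 'rename' keeps the message and rewrites the filename parameters.
    """
    msg = email.message_from_bytes(raw_message)  # compat32 policy: plain string headers
    report = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart container or inline body, no attachment filename
        new_name = neutralize_filename(name)
        if new_name == name:
            report.append((name, "allowed"))
            continue
        if mode == "block":
            report.append((name, "rejected"))
            return None, report
        # Rewrite the filename on Content-Disposition (and Content-Type's name
        # parameter if present) so every client sees the neutralised name.
        part.set_param("filename", new_name, header="Content-Disposition", replace=True)
        if part.get_param("name") is not None:
            part.set_param("name", new_name, replace=True)
        note = " (double extension)" if has_double_extension(name) else ""
        report.append((name, f"renamed to {new_name}{note}"))
    return msg, report


def build_sample_message():
    """Constructed sample resembling the GFI VBS and double-extension tests."""
    msg = EmailMessage()
    msg["From"] = "test@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "VBS attachment vulnerability test (constructed sample)"
    msg.set_content("Opening this mail would normally offer the attachments below.")
    # Bodies are inert placeholders: the policy only looks at filenames.
    msg.add_attachment(b"' placeholder, not a script", maintype="application",
                       subtype="octet-stream", filename="viewthis.jpg.vbs")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="something.doc.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    cleaned, actions = apply_policy(raw, mode="rename")
    for original, action in actions:
        print(f"{original}: {action}")
    rejected, actions = apply_policy(raw, mode="block")
    print("server verdict:", "rejected" if rejected is None else "delivered")
```

    The rename path keeps the message deliverable, which matches the wish expressed in the thread for a client-side option; the block path is the blunter server-side rule that stopped Bugbear.B without a signature. Both decide on the filename alone, so neither replaces a scanner for content that arrives under a harmless-looking extension.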
     
  10. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi Sisko,

    >I would like to see an option in NOD32 to rename specific attachment extensions to prevent them from being executed, with the added security that the real extension would be displayed and not hidden by Windows Explorer (in its default configuration).

    Added to the wishlist. :)

    Rgds.,

    jan
     