webmail test virus

Discussion in 'NOD32 version 2 Forum' started by 12steven, Aug 23, 2005.

Thread Status:
Not open for further replies.
  1. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    Anyone ever try this test: http://www.webmail.us/testvirus
    Even my old Outlook blocked two of the tests, but not a peep out of NOD.
    (I'm set up the way Blackspear recommends.)
     
  2. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Did the files reach your mail inbox? When I did that test some time ago, my mail providers filtered out most (if not all) test files :)
     
  3. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I checked it, and it seems those files are damaged...
     
  4. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    I don't think they're damaged as such; they just don't want you to save them (I'm guessing here).
    Funnily enough, the one that did get through to me is the only one that doesn't have the 'checked by NOD32 etc.' signature written along the bottom.
     
  5. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I got two e-mails...
    first one:
    winmail.dat - is OK
    winmail.dat > TNEF > eicar.com - file has incorrect CRC, may be damaged

    second one (seems like a damaged e-mail). Mail body:
    Mime-Version: 1.0
    Content-Type: multipart/mixed;
    BounDary="=====================_307115168==_"

    --=====================_307115168==_
    Content-Type: application/zip; name="eicar.zip"; x-mac-type="705A4950"; x-mac-creator="705A4950"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="eicar.zip"

    UEsDBAoAAAAAAGZGpiw8z1FoRAAAAEQAAAAJAAAARUlDQVIuQ09NWDVPIVAlQEFQWzRcUFpYNTQo
    UF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCpQSwECFAAK
    AAAAAABmRqYsPM9RaEQAAABEAAAACQAAAAAAAAABACAAAAAAAAAARUlDQVIuQ09NUEsFBgAAAAAB
    AAEANwAAAGsAAAAAAA==
    --=====================_307115168==_
    Content-Type: text/plain; charset="us-ascii"; format=flowed

    This message was sent to you because you or someone you know is testing your mail server's virus scanner at: http://www.webmail.us/testvirus

    This test message contains:

    Test #18: EICAR virus within ZIP file hidden using the "Blank Folding Vulnerability" *

    If your mail server's virus scanner did not detect this email, it allows some viruses through! Please note: This test message uses the EICAR test virus, which is completely benign and contains no viral code. For more information see: http://www.eicar.org


    This free test has been provided to you by Webmail.us.


    --=====================_307115168==_--


    __________ Information from NOD32 1.1199 (20050822) __________

    This message was checked by the NOD32 antivirus system.
    http://www.eset.sk
     
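    The message quoted above folds its Content-Type header onto a second line and spells the parameter "BounDary". Both are legal under RFC 2045/2822 (parameter names are case-insensitive), so a tolerant client parser still finds eicar.zip, while a scanner that looks for a literal lower-case `boundary=` sees no attachment at all and therefore nothing to scan. The Python below is an added example for this thread, not code from NOD32, ESET or webmail.us: it builds a constructed copy of such a message (the zip holding EICAR.COM is generated in memory rather than transcribed from the post) and compares a naive scanner with Python's standard-library MIME parser.

```python
"""Parser differential between a naive MIME scanner and an RFC-tolerant
client parser, on a constructed copy of the Test #18 style message."""
import base64
import email
import io
import re
import zipfile

# EICAR test string (published by EICAR, harmless). Written in two pieces
# so that this source file itself does not begin with the signature.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def build_eicar_zip() -> bytes:
    """Stored (uncompressed) zip containing EICAR.COM, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("EICAR.COM", EICAR)
    return buf.getvalue()


def build_test18_message(boundary_param: str = "BounDary") -> bytes:
    """Constructed message mirroring the quoted sample: folded Content-Type
    header, parameter name in whatever case the caller passes."""
    b = "=====================_307115168==_"        # boundary from the sample
    body = base64.encodebytes(build_eicar_zip()).decode().replace("\n", "\r\n")
    return (
        "Mime-Version: 1.0\r\n"
        "Content-Type: multipart/mixed;\r\n"
        f'\t{boundary_param}="{b}"\r\n'
        "\r\n"
        f"--{b}\r\n"
        'Content-Type: application/zip; name="eicar.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="eicar.zip"\r\n'
        "\r\n"
        f"{body}"
        f"--{b}\r\n"
        'Content-Type: text/plain; charset="us-ascii"\r\n'
        "\r\n"
        "Virus scanner test.\r\n"
        f"--{b}--\r\n"
    ).encode()


def naive_scan(raw: bytes) -> list:
    """Gateway-style scanner that only recognises a lower-case 'boundary='
    parameter. Returns the decoded bodies of the attachments it found."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="([^"]+)"', head)   # case-sensitive: the flaw
    if not m:
        return []                                  # no boundary seen -> nothing scanned
    found = []
    for part in body.split(b"--" + m.group(1))[1:]:
        if part.startswith(b"--"):                 # closing delimiter
            break
        hdr, _, data = part.partition(b"\r\n\r\n")
        if b"base64" in hdr.lower():
            found.append(base64.b64decode(data))
    return found


def client_scan(raw: bytes) -> list:
    """What a mail client does: RFC-tolerant parse, attachment found
    regardless of the parameter name's case or header folding."""
    msg = email.message_from_bytes(raw)
    return [p.get_payload(decode=True) for p in msg.walk()
            if p.get_content_disposition() == "attachment"]


def contains_eicar(blob: bytes) -> bool:
    """True if blob is the EICAR file or a zip whose members include it."""
    if blob.startswith(EICAR):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(zf.read(n).startswith(EICAR) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def differential(raw: bytes) -> dict:
    """Run both parsers over one message and report who detects EICAR."""
    return {
        "naive_detects": any(contains_eicar(a) for a in naive_scan(raw)),
        "client_detects": any(contains_eicar(a) for a in client_scan(raw)),
    }


if __name__ == "__main__":
    print(differential(build_test18_message("BounDary")))   # scanner misses it
    print(differential(build_test18_message("boundary")))   # both detect
```

    The gap is the same one the later posts in this thread describe: the client and the scanner disagree about whether an attachment exists, and whichever side is more lenient decides what reaches the user. A scanner has to parse at least as leniently as the most lenient client it protects, or treat anything it cannot parse as suspicious.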
  6. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    Re: webmail test

    This one seems to be a fragmentation test (my mistake), but it still doesn't appear to have been scanned by NOD.
    I got this attached file: Virus Scanner Test#23 (720bytes) (50B)

    --=====================_307115168==_
    Content-Type: text/plain; charset="us-ascii"; format=flowed

    This message was sent to you because you or someone you know is testing your mail server's virus scanner at: http://www.webmail.us/testvirus

    This test message contains:

    Test #23: (Non-Virus): Test for the "Partial (Fragmented) Vulnerability". This does not include the EICAR virus, however your mail server should still block this since a virus can use this technique to break itself into multiple emails, bypassing virus scanners, and reassembling itself in your inbox. **

    If your mail server's virus scanner did not detect this email, it allows some viruses through! Please note: This test message uses the EICAR test virus, which is completely benign and contains no viral code. For more information see: http://www.eicar.org


    This free test has been provided to you by Webmail.us.


    --=====================_307115168==_--
     
  7. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    You have set NOD to put messages in your email about scanning?

    Is your email provider using ssl connections (like port 995)?
     
  8. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    All my mail usually has the 'checked by NOD' notification, yes. This is the first time I've ever noticed one without it.
    I can't really answer the other two questions as I don't know, but I have Port Explorer, and the mail comes from my own website with a remote server. I guess I could use the cPanel and go in and find out if I knew how :)
    Shouldn't it have been scanned anyway, even if the other two requirements you listed aren't applied?
     
  9. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    NOD32 scans all e-mails that went through POP3, or all e-mails in Outlook, even if the tag is missing.
     
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    No scanner can scan SSL connections, that's the whole point of using it ;)
     
  11. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    I've just been inside my site, and it's yes to both of your questions.

    Maybe I'm mistaken here, but are you saying that we should just take it for granted that all mail is being scanned even if there's no notification? So the notification is for...?

    My mistake. My remote server uses SSL, but I use POP3 to retrieve it in my Outlook.
     
  12. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    Maybe I'm wrong to worry here, but I just find it strange that I never got a notification at the end of the mail like I usually do. Does and CAN NOD scan fragmented email? The attachment arrived in my inbox seemingly untouched, and checking my log I find marked in red:
    Time Module Event User
    8/23/2005 9:28:09 AM EMON Attempt to open attachment of email (6) failed (message from "tester@testvirus.org", for "info@xxxxxxxxx.no", with subject "Virus Scanner Test #23", sent on 08/23/2005 9:26). NT AUTHORITY\SYSTEM
    8/23/2005 9:28:09 AM EMON Attempt to open attachment of email (6) failed (message from "tester@testvirus.org", for "info@xxxxxxxx.no", with subject "Virus Scanner Test #23", sent on 08/23/2005 9:26). NT AUTHORITY\SYSTEM
    I may be jumping the gun here, but wouldn't an alternative 'unable to scan' notification, maybe in the subject line, be a good idea in cases like this?
     
  13. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Even if you somehow manage to get the file to your machine, AMON will scan it on access. However, if it's "broken", i.e. non-functional, it might not be detected as a functioning virus.
     
  14. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    I tried the test again with the same results. I think the idea of this particular test is to see if your anti-virus recognizes the mail as a potential threat. I must admit to being pretty much a babe in the woods about all this, and maybe it's unfair to expect any AV to pass this test, but the reason I purchased NOD in the first place is that it has the best heuristics. Is it unreasonable then to expect the software to at least give you a warning that it was unable to scan a file? I managed to click on the attachment without having any idea that NOD wasn't able to scan it (unless I scrolled to the end of the mail to look if the notification 'wasn't there' or checked the logs). This doesn't seem very advanced at all to me, but hey, maybe it's just my machine and everybody else's passed the test...
     
  15. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I understand your concern, but there is a difference between NOD and other AV vendors. If the file is broken, damaged or not able to damage your system, it will do nothing (minimum false positives here). Also keep in mind that SSL connections cannot be scanned until you actually open the mail on your own computer. The new Thunderbird can make AVs scan SSL connections, but I'm not really sure how this works (yet).
     
  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I tried to test my mail, but my IP killed them all before they got to my comp.
     

  17. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    Yes, I understand all that. I corrected myself earlier about the SSL: I retrieve my mail here onto my computer using POP3.
    I understand the thing about the false positives as well, and they can be a pain in the butt. Spybot S&D has given me 7 today and I'm just about ready to uninstall it, but that's freeware and false positives are all part of the business. I don't think we're dealing with that here though. I think this is more a matter of the user interface, and personally I'd rather NOD gave me a false positive and put any unscannable mail in quarantine (a bit like ZoneAlarm Pro does with any dangerous attachments) than just cross its fingers, turn its back and whistle quietly.
    I'm waiting to be corrected though; as I said, maybe it's just my machine.
     
  18. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Re: webmail test

    Here is my summary of files that made it through IMON to my Thunderbird POP3 Inbox, along with explanations:

    Test #5: (BinHex encoding) As far as I know NOD32 does not scan within BinHex files. However, once I open the BinHex attachment with WinZip, it is caught immediately by AMON and moved to quarantine.

    Test #6: (EICAR embedded within another MIME segment) Eicar.com does appear as an attachment. However, once I open or try to save the file, it is immediately caught by AMON.

    Test #7: (EICAR virus sent using uuencoding within a MIME segment) Same as #6.

    Test #8: (EICAR virus sent using BinHex encoding within a MIME segment) Same as #5 and #6.

    Test #13: (EICAR virus within winmail.dat) Thunderbird does not use winmail.dat files. Even though the string for the eicar.com virus is in the middle of the winmail.dat file, the very definition of eicar.com test file states that this string *must* be at the beginning of the file. By definition, therefore, this is not eicar.com. See http://www.eicar.org/anti_virus_test_file.htm for more info.

    Test #16: (EICAR virus hidden using the "CR Vulnerability") The CR Vulnerability is a flaw in unpatched versions of Microsoft Outlook. Basically, it tricks Outlook into thinking that there is an attachment, where there really isn't one. Since there is no valid attachment, NOD32 does not treat it as such, so the "virus" is gibberish. I use Thunderbird, so this does not affect me. For an unpatched version of Outlook, I would think that the eicar.com file would get created, but then it would get caught immediately by AMON.

    Test #18: (EICAR virus within ZIP file hidden using the "Blank Folding Vulnerability") Same basic explanation as #16.

    Test #19: (EICAR virus within ZIP file hidden using the "MIME Boundary Space Gap Vulnerability") This shows up for me as an eicar.zip attachment. I am actually able to save the eicar.zip file to the hard drive, and open it up to find eicar.com. However, once I try to do anything with eicar.com, AMON steps in and quarantines it.

    Test #22: (EICAR virus within ZIP file hidden using the "Empty MIME Boundary Vulnerability") Same basic explanation as #19.

    Test #23: (Non-Virus): (Test for the "Partial (Fragmented) Vulnerability") There actually is no eicar.com code at all for this one, so there is nothing for NOD32 to catch. It is strictly a test to see whether a mail server will catch this type of e-mail.

    Test #24: (Non-Virus): (Attachment with a CLSID extension which may hide the real file extension) Again, there is no eicar.com code in here for NOD32 to catch. The CLSID extension is used to trick unpatched versions of Outlook and Outlook Express into thinking that this is some sort of executable file. In this particular case, it may appear as a .wav file.



    I do hope this makes you feel better. As I pointed out before, most of the virus e-mails were caught by IMON. Those that weren't were all either caught by AMON later on or had no valid virus code in them to start with.

    Whew. I'm tired. Time for me to go to lunch. ;)
     
    Last edited: Aug 23, 2005
  19. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    I did read the mail, yes.
    "..however your mail server should still block this since a virus can use this technique to break itself into multiple emails, bypassing virus scanners"
    This, if correct, is a clear vulnerability in an email scanner to me, and I wonder what kind of scanners Internet providers use to block this threat then? (as most others here seem to have done) If not an AV of some kind, what is it? Is it more comprehensive than NOD?
    Anyway, that's not really my point. I wanted to address the 'lack' of notification I am given when NOD fails to scan an email attachment.
    Did YOU read my posts?
     
  20. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Sorry about that. Read my revised post #18.

    Many of these "attachments" are not valid attachments, as defined by the RFC rules. Therefore, NOD32 does not scan them as attachments. If the e-mail client program does indeed process them as attachments, then they will get caught by AMON when they are actually opened.

    The purpose of NOD32 is to check for actual virus code. It is not to check for vulnerabilities that exist within certain e-mail programs. If those vulnerabilities do exist, however, NOD32 will still catch the viruses with AMON.
     
    Last edited: Aug 23, 2005
  21. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Who cares if it can't scan a broken file? The point is a WORKING file must piece back together any elements of code that get through; this working trojan is what needs to be detected, not some theoretical file with no potential to damage your system on its own.
     
  22. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    OK, I am back from lunch. I think I may have finally figured what you are asking....

    The NOD32 you have on your computer is meant for only one computer. If some potential viruses slip through IMON because they are hidden as invalid attachments, it is not that big a deal. How so? Well, even if you have a vulnerable version of Outlook that opens these invalid attachments, the virus will still be caught by AMON. That is one of the advantages of NOD32's multiple layers of protection.

    Now take the case of a mail server for an ISP. A mail server may service literally thousands of clients. There is no guarantee of what software will be running on these clients. E-mail readers, antivirus programs, etc... they could be anything, or not even be installed at all. In this case, it is useful for the ISP to search for these malformed e-mails as they enter the server, as a service to its customers.

    So to sum up, for an individual computer, NOD32 does not need to scan for malformed messages, because any viruses present will eventually be contained by AMON. On the other hand, for an ISP e-mail server, there is absolutely no guarantee of how the customers' computers will be protected, so additional steps are taken to protect these unprotected users.

    Is this more or less what you are asking?
     
  23. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    Again I would have to say that it's not my concern that it wasn't flagged as a threat. I'm more concerned that even when I have my mail scanner on the maximum setting, I'm not warned that there was a failure to scan an email (even the on-demand scanner tells you if it's unable to open a file). That's not why I started this thread.
    As for the part about not detecting it as malicious, I'm not qualified in commenting on this and won't pretend to be, but a few people seem intent on bringing this into the argument (a bit of a blackball attempt, I suspect), so I'll play ball and throw this in the air for you: I have personal experience of a Trojan (and who said anything about a Trojan anyway?) shutting down my AV before I could even use it. Admittedly it was a KAV, but I'm sure NOD isn't totally invincible in this regard and wouldn't claim to be. If it's a way to get past a scanner and assemble a working code, then surely this is a potential threat? And if half of the world's IPs recognize it as such, then why doesn't NOD?
    & 'who cares?' you say. Well, it seems quite a lot of these IPs do, as they choose to block the recipients of this kind of mail from getting into people's mailboxes in the first place.
    Anyway, I've said all I wanted to say, and I wish you all God Natt (good night; it's quite late here in Norway) :)
     
  24. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    It is not a deliberate blackball attempt on my part. I am just kind of slow understanding the question. :ninja:

    I see four separate issues with Test #23. Let me know if you agree or disagree:
    1. Does NOD32 actually stop a virus that is delivered this way?
    2. Should NOD32 prevent all e-mail from being delivered this way, in general?
    3. Why does NOD32 encounter errors when trying to scan these attachments?
    4. Should NOD32 give popup error messages for the "failed to scan attachments"?

    As a bit of background for others, this type of e-mail attachment is used when one has a large attachment, and one wants to break it up into smaller pieces. The smaller pieces get sent as several different messages, then they get reassembled at the e-mail program on the receiving computer. Not all e-mail programs support this, however. The danger, of course, is that a virus could be split up this way and sneak through antivirus filters, only to be reassembled at the end.

    For Outlook Express 6, go to Tools --> Accounts --> Mail --> (choose your e-mail account) --> Properties --> Advanced --> Sending --> "Break apart messages larger than xxxx kB". I am sure it is something similar for Outlook.

    As a nonvirus test case, just to see how this works, I created an e-mail with an attachment of cpu-z-126.zip in Outlook Express. When I send it, a single "test" message goes to my Sent folder. However, when I receive it, I get this:

    1 message in Inbox titled "test"
    7 messages in "Deleted Items"
    test cpu-z-126.zip [1/7]
    test cpu-z-126.zip [2/7]
    test cpu-z-126.zip [3/7]
    test cpu-z-126.zip [4/7]
    test cpu-z-126.zip [5/7]
    test cpu-z-126.zip [6/7]
    test cpu-z-126.zip [7/7]

    So what it looks like happens is that Outlook Express receives the individual pieces, puts them together into a single message, and then discards all the pieces. I will have to turn on the "This e-mail has been scanned by NOD32" footer in IMON, to see if it scans the 1 big attachment at the end, or the 7 little attachments in the middle.

    This could explain the "failed to scan attachment" messages, though. The individual attachments may have been locked by Outlook as it was reconstructing the one big attachment. When Outlook was finished with them, it deleted the little messages, so EMON never got to scan them. Maybe. I do not have Outlook, so I cannot test this.

    I did find this at Zone-H.org about scanning these messages for viruses, and about this type of attachment in particular. It seems that in general, scanning for or blocking this type of attachment happens mainly at the e-mail server/gateway level, not at the desktop.

    http://www.zone-h.com/en/news/read/id=839/

    Here is a quote about Symantec's approach, from that article:
    To me, the client approach sounds similar to Eset's strategy. For the server approach, this would depend on how XMON (for Microsoft Exchange) and the NOD32 plugin for Kerio Mail Server work. I honestly do not know the answer to that.

    Well, it is time for me to go eat dinner now. I hope you had a good night's sleep. :D
     
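    The mechanism alglove describes, as an added Python example for this thread (constructed for illustration, not code from NOD32, ESET or webmail.us): a complete message carrying EICAR.COM is cut into two RFC 2046 message/partial fragments in the middle of the base64 attachment, a per-message signature scan finds nothing in either fragment, client-side reassembly restores the attachment and the scan then fires, and a gateway policy that refuses message/partial outright closes the gap. The sender address, boundary and fragment id are made up.

```python
"""RFC 2046 message/partial (the Test #23 case): fragments are clean one by
one, the reassembled message is not. Constructed demonstration."""
import base64
import email

# EICAR test string (published by EICAR, harmless). Written in two pieces
# so that this source file itself does not begin with the signature.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
B64 = base64.b64encode(EICAR)          # 92 base64 characters, one line


def build_inner_message() -> bytes:
    """Complete message with EICAR.COM as a base64 attachment (constructed)."""
    b = "frag-demo-boundary"
    return (
        "From: tester@example.invalid\r\n"
        "Subject: Virus Scanner Test #23 (constructed)\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{b}"\r\n'
        "\r\n"
        f"--{b}\r\n"
        'Content-Type: application/octet-stream; name="EICAR.COM"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="EICAR.COM"\r\n'
        "\r\n"
        f"{B64.decode()}\r\n"
        f"--{b}--\r\n"
    ).encode()


def fragment(raw: bytes, ident: str = "frag-demo") -> list:
    """Split raw into two message/partial pieces (RFC 2046 section 5.2.2),
    cutting inside the base64 text so neither piece holds the whole file."""
    cut = raw.index(B64) + len(B64) // 2
    chunks = [raw[:cut], raw[cut:]]
    frags = []
    for n, chunk in enumerate(chunks, 1):
        hdr = (
            f"Message-ID: <{ident}.{n}@example.invalid>\r\n"
            "MIME-Version: 1.0\r\n"
            f'Content-Type: message/partial; id="{ident}"; '
            f"number={n}; total={len(chunks)}\r\n"
            "\r\n"
        ).encode()
        frags.append(hdr + chunk)
    return frags


def _headers(raw: bytes):
    """Parse only the outer header block and keep the body as raw bytes.
    (email's parser would otherwise interpret a message/partial body as a
    nested message, which an arbitrary fragment is not.)"""
    head, _, body = raw.partition(b"\r\n\r\n")
    return email.message_from_bytes(head + b"\r\n\r\n"), body


def reassemble(fragments: list) -> bytes:
    """Client-side reassembly: same id, ordered by number, full set required."""
    pieces, ident, total = {}, None, None
    for frag in fragments:
        hdr, body = _headers(frag)
        if hdr.get_content_type() != "message/partial":
            raise ValueError("not a message/partial fragment")
        fid = hdr.get_param("id")
        if ident not in (None, fid):
            raise ValueError("fragments from different messages")
        ident = fid
        if hdr.get_param("total") is not None:
            total = int(hdr.get_param("total"))
        pieces[int(hdr.get_param("number"))] = body
    if total is None or set(pieces) != set(range(1, total + 1)):
        raise ValueError("incomplete fragment set")
    return b"".join(pieces[n] for n in range(1, total + 1))


def scan_for_eicar(raw: bytes) -> bool:
    """Signature scan over every decoded leaf part of one message."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if data.startswith(EICAR):      # EICAR must sit at the file start
            return True
    return False


def gateway_verdict(raw: bytes) -> str:
    """Per-message gateway decision. A signature-only scanner passes each
    fragment; refusing message/partial as a class is what the test expects."""
    hdr, _ = _headers(raw)
    if hdr.get_content_type() == "message/partial":
        return "reject: message/partial cannot be scanned as a unit"
    return "infected" if scan_for_eicar(raw) else "clean"


if __name__ == "__main__":
    whole = build_inner_message()
    frags = fragment(whole)
    print([scan_for_eicar(f) for f in frags])      # neither fragment matches
    print(scan_for_eicar(reassemble(frags)))       # the reassembled message does
    print([gateway_verdict(f) for f in frags])
```

    A desktop scanner that hooks the POP3 stream only ever sees the fragments, which is why this test is aimed at the mail server: the server can either reassemble message/partial itself before scanning or refuse the type, while the only place the whole file exists on the client is after reassembly, where an on-access scanner such as the one discussed above gets its chance.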