Reported to NAI first time 26.11.2001, again 27.11.2001 and every day after that. NAI response is at the end of this mail. NAI WebShield SMTP for NT 4.5mr1a passes (at least in some configurations) attachments through without virus check or content filter check based on attachment name. One such attachment is BadTrans virus. ENVIROMENT WinNT4srv, sp6a, secrollup + few other hotfix, WebShield for NT 4.5 or 4.5mr1a this can be reproduced with fresh installation. DESCRIPTION Main problem is that mail (send by virus) containing BadTrans.b virus will pass WebShield. Forwarding same mail outside will result positive identification of BadTrans virus. If WebShield has content filter saying all messages that has scr (or pif) in attachment name has to be blocked, this rule does not apply either. It seems that NAI WebShield SMTP for NT can't handle all mime headers properly. One example is below. WebShield can't parse this and it does not realize that message has attachment. And because it does not realize there is attachment it won't check it for viruses or against attachment name. ----SNIP---- Received: FROM xxx.xxx.xxx BY xxx.xxx.xxx ; Mon Nov 26 20:36:21 2001 +0200 Received: from xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:35428 "EHLO xxx.xxx.xxx") by xxx.xxx.xxx with ESMTP id ; Mon, 26 Nov 2001 16:01:32 +0200 Received: from xxx.xxx (xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx]) by xxx.xxx.xxx (8.11.4/8.11.2) with SMTP id fAQE1Rc16568 for ; Mon, 26 Nov 2001 16:01:27 +0200 (EET) Date: Mon, 26 Nov 2001 16:01:27 +0200 (EET) Message-Id: <200111261401.fAQE1Rc16568@xxx.xxx.xxx> From: "BadMail" To: j.doe@example.com Subject: Re: CV MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_====" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 --====_ABC1234567890DEF_==== Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_====" --====_ABC0987654321DEF_==== Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable -------- Original Message -------- From: - Thu Nov 29 15:09:24 2001 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 BCC: "jari.helenius" <jari.helenius@kolumbus.fi> Message-ID: <3C063383.5090508@mawaron.com> Date: Thu, 29 Nov 2001 15:09:23 +0200 From: Jari Helenius <jari.helenius@mawaron.com> Organization: Mawaron Oy User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20001108 Netscape6/6.0 X-Accept-Language: en MIME-Version: 1.0 To: vuldb@securityfocus.com Subject: NAI Webshield SMTP for WinNT MIME header vuln that allows BadTrans to pass Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit --====_ABC0987654321DEF_====-- --====_ABC1234567890DEF_==== Content-Type: audio/x-wav; name="NEWS_DOC.DOC.scr" Content-Transfer-Encoding: base64 Content-ID: *****ATTACHMENT REMOVED****** --====_ABC1234567890DEF_==== ----SNIP---- FIXAROUND Adding rule in content filter that says if you find mail containing audio/x-wav in body of message will stop those messages. Virus is still not found, but messages will be blocked. This will block also all other messages with audio/x-wav in text and all messages that has mime header that WebShield does not understand. OTHER INFORMATION Needless to say, yes we have latest dat, latest engine, compress checks, all heuristic on and so on... It is sad to find out that AV vendor does not care problems they have. In the other hand, what else can be expected from company that have following policy. If we find problems in our products or if we have hotfix, we will not inform anyone what we have nor put these fixes available (not even readme:s). If a customer can describe problem that we have already fixed, we might send fix to them if we are in good mood. :-) Yours Jari Helenius Mawaron Oy jari.helenius@mawaron.com NAI response and snip of my mail that they responded NAI RESPONSE ---SNIP--- Dear Jari, Thank you for the sample. We have determined that this is a known virus which can be detected and removed. There may be a problem with WebShield catching this virus. The first thing we would suggest is to upgrade to 4173 DAT which has improved detection capability. If this doesn't help, we recommend that you get in touch with Technical Support as this is a product issue and it does need to be addressed and investigated. The address to send this kind of issues to is: tech-support-europe@nai.com ---SNIP--- Part of my mail they responded to ---SNIP--- I know that this virus can be identified and removed with current dat. (we are using WebShield SMTP 4.5mr1a with latest dat and engine and all heuristic all attachments and compact options). If I forward received mail that has this virus it will be found. Problem is that Webshield does not recognize that mail has attachment. It does not check it; it does not catch it in content filter. And if it does not recognize that mail has attachment it does not stop this mail. We have verified 12 passed viruses (all with similar headers), 5 deferred mails (when we stopped mail inside of our network and did let webshield check incoming mails, sample was one of those mails. ---SNIP---
