On Wed, 6 Dec 2006, Hendrik Weimer wrote:

> Several e-mail virus scanners can be tricked into passing an EICAR
> test file if the following conditions are met:
>
> 1. the EICAR file is encoded in Base64 including characters not in the
>    standard alphabet (e.g. whitespaces) and
> 2. the part containing the EICAR file is nested within one or several
>    levels of multipart/mixed content.

Victor Duchovni agreed for me to post what he employs to avoid such
issues. This is in some ways similar to a limited application firewall
for SMTP, which is not spam specific and MIME only. Yes, I know, SMTP
application firewalls are the 4th buzzword down the road, give it a
couple of years.

Victor's information:

I have a MIME normalizer in front of the A/V engine. Non-conformant
Base64 entities are made conformant or neutered (super-encoded via QP
so that the user receives the base64 text itself as the entity payload).

--------
In:

CT: application/octet-stream
CD: attachment; filename=foo.dat
CTE: base64

AA AA

Out:

CT: application/octet-stream
CD: attachment; filename=foo.dat
CTE: base64

AAAA

--------
In:

CT: application/octet-stream
CD: attachment; filename=foo.dat
CTE: base64

AA<Ctrl-A>AA

Out:

CT: text/plain
CD: attachment; filename=mime-source.txt
CTE: quoted-printable

=20AA=01AA
--------

Solves all such problems before the vulnerability is found in the A/V
engine. The MIME normalizer does more, defending other possible bypass
scenarios, but I am not able to describe the full feature-set at this
time. It was written and deployed in Dec 1999.

--- End quote. All the above is Viktor's.

Gadi Evron.
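As an added illustration of the two normalizer behaviours shown above (not Viktor's code, which he says he cannot describe in full, and not part of the original post), the following Python sketch implements the same policy over a hypothetical in-memory MIME tree: a base64 entity whose only deviation from the alphabet is line whitespace is re-encoded canonically; anything else (control characters, 8-bit bytes, bad padding, data after the pad) is relabelled text/plain + quoted-printable with the original source bytes as payload, so the user still gets the content but no decoder is ever asked to guess. The `Part` class, the header names as plain dict keys, and the sample bodies are all constructed for the example; the walk is recursive so the multipart/mixed nesting depth from Hendrik's second condition does not matter.

```python
"""Normalize base64 MIME entities before they reach an A/V engine.

Hypothetical example code, not the normalizer described in the post.
Whitespace-only deviations are made conformant; anything else is
neutered into a text/plain + quoted-printable part carrying the raw
entity source. Multipart containers are walked recursively.
"""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 4648 alphabet plus the '=' pad character.
B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
# Line whitespace that lenient decoders skip; anything else is suspicious.
B64_WHITESPACE = frozenset(b" \t\r\n")


@dataclass
class Part:
    """Minimal stand-in for a MIME entity (constructed, not a real parser)."""
    headers: Dict[str, str]
    body: bytes = b""
    children: List["Part"] = field(default_factory=list)


def qp_encode(raw: bytes, max_line: int = 76) -> bytes:
    """Quoted-printable encode every byte outside printable ASCII (and '='),
    including CR/LF, so the recipient sees the entity source byte-for-byte.
    Soft line breaks ('=' at end of line) keep lines within the RFC 2045 limit."""
    lines: List[str] = []
    cur = ""
    for b in raw:
        token = chr(b) if (33 <= b <= 126 and b != 0x3D) else "=%02X" % b
        if len(cur) + len(token) > max_line - 1:  # leave room for the soft break
            lines.append(cur + "=")
            cur = ""
        cur += token
    lines.append(cur)
    return "\r\n".join(lines).encode("ascii")


def canonical_base64(body: bytes) -> Optional[bytes]:
    """Return the body re-encoded as canonical base64, or None if it cannot
    be made conformant without guessing what some decoder would do with it."""
    stray = set(body) - B64_ALPHABET
    if not stray <= B64_WHITESPACE:
        return None                      # control chars, 8-bit bytes, ...
    compact = bytes(b for b in body if b in B64_ALPHABET)
    try:
        decoded = base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None                      # bad length, pad in the wrong place
    if base64.b64encode(decoded) != compact:
        return None                      # non-zero trailing bits, etc.
    return base64.encodebytes(decoded)   # 76-char lines, LF terminated


def neuter(part: Part) -> Part:
    """Relabel the entity as plain text and QP-encode its raw source."""
    hdrs = dict(part.headers)
    hdrs["Content-Type"] = "text/plain"
    hdrs["Content-Disposition"] = "attachment; filename=mime-source.txt"
    hdrs["Content-Transfer-Encoding"] = "quoted-printable"
    return Part(hdrs, qp_encode(part.body))


def normalize(part: Part) -> Part:
    """Walk the tree; fix or neuter every base64 leaf at any nesting depth."""
    if part.children:
        return Part(dict(part.headers), b"",
                    [normalize(c) for c in part.children])
    cte = part.headers.get("Content-Transfer-Encoding", "7bit").lower()
    if cte != "base64":
        return part
    fixed = canonical_base64(part.body)
    return neuter(part) if fixed is None else Part(dict(part.headers), fixed)


def leaf_bodies(part: Part) -> List[bytes]:
    """Inspection helper: bodies of all leaf entities in document order."""
    if not part.children:
        return [part.body]
    return [b for c in part.children for b in leaf_bodies(c)]


if __name__ == "__main__":
    octet = {"Content-Type": "application/octet-stream",
             "Content-Disposition": "attachment; filename=foo.dat",
             "Content-Transfer-Encoding": "base64"}
    # Constructed sample: a whitespace-broken encoding of b"hello, world"
    # nested two multipart/mixed levels deep, beside the control-char case.
    msg = Part({"Content-Type": "multipart/mixed"}, children=[
        Part({"Content-Type": "multipart/mixed"}, children=[
            Part(octet, b"aGVs bG8s\r\nIHdv\tcmxk"),
        ]),
        Part(octet, b" AA\x01AA"),
    ])
    for leaf in leaf_bodies(normalize(msg)):
        print(leaf)
```

One design choice worth noting: the round-trip check (`b64encode(decoded) == compact`) is stricter than anything the post states. It rejects encodings that many decoders accept but that have more than one plausible interpretation, such as non-zero trailing bits or data following the pad. Those are exactly the inputs where the A/V engine and the mail client might decode differently, and neutering them costs the user nothing but a less pretty attachment.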