Threat Engine in Version 9
Threat Engine in Version 9 - 5.Jan.2006 9:00:04 AM
vlmagee
Posts: 6
Joined: 5.Jan.2006
Status: offline
We recently upgraded from some early 2005 level of Version 8 to version 9.0, build 20051123, and the results have been disappointing. This new version - with no way to change its behavior other than to turn it off - now butchers a wide variety of HTML messages sent by responsible companies using standard features of HTML mail. The butchering takes the form of HTML being stripped from the message; not just SCRIPT code - always an acknowledged threat - but all sorts of other code as well, most of which represents no threat at all. In some cases, it appears to be a coding error; in others, it appears to be a misunderstanding by the programmers of what constitutes a valid threat indicator. We have reported the first of these problems that we encountered (others have been discovered since), and so far have been told only that our only recourse is to disable the Threat Engine. We have asked to escalate but have heard nothing back yet. Examples of problems include:
1) IMG statements referencing an image with a non-standard filetype (the filetype is NOT a valid indicator of threat anyway). The SRC is eliminated.
2) IMG statements with an extraneous blank before the h in http (I kid you not). The SRC is eliminated.
3) ALIGN=CENTER removed from an H3 statement (again, I kid you not).
4) (Style Sheet) LINK statement removed. (Interestingly, the @IMPORT is not removed.)
5) HREF removed from Anchor statement using RTSP protocol. RTSP is the protocol to stream with RealServer. This link was intended to play a music clip.
All of the above are normal use of HTML in messages. These problems occurred in mail from large businesses whose email was solicited by the recipient, or in HTML mailings our company was sending. This message mangling seriously cripples the sending and receiving of valid, professional, HTML mail. It is an unacceptable change to what was a standard, useful part of the GFI software. Maybe someone at GFI can look into this?
I might add that when the problems are clearly defined and repeatable, as these are, a log should not be necessary.
_____________________________
Regards, Valerie Magee
RE: Threat Engine in Version 9 - 9.Jan.2006 12:52:23 PM
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
Hi Valerie, Currently I do not have an explanation for all the examples that you have mentioned. I am working on this and will post again when I have more information. The HTML Threat Engine tries to remove HTML code which is not normally found in emails. This may include code which may currently not be exploitable, but is not really required in a well formatted email. Using this technique, GFI MailSecurity tries to disable new exploits before they are publicly released.
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Threat Engine in Version 9 - 31.Jan.2006 6:42:24 AM
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
Hi, Some more information in reply to your queries in the first post. Quoted text from your post is marked with ">".

> The butchering takes the form of HTML being stripped from the message; not just SCRIPT code - always an acknowledged threat - but all sorts of other code as well, ....

Please note that the HTML Threat Engine works by making use of a white list rather than a blacklist as was in previous versions. White lists work with the concept of allowing known clean content and ignoring the rest. This approach has less obvious flaws. HTML is very open to implementation differences across different HTML rendering engines. Because of this, when an html cleaner makes use of a blacklist approach, it typically leaves many loopholes. Just an example - to include javascript, an attacker could make use of the following methods:
<script>javascript here</script>
<img src="javascript:here">
<img src="nonexistent" onerror="javascript here">
<a href="vbscript:here">
The above list is not exhaustive and from time to time new methods of bypassing blacklist filters make it to the public security community.

> 1) IMG statements referencing an image with a non-standard filetype (the filetype is NOT a valid indicator of threat anyway). The SRC is eliminated.

We cannot reproduce this – Can you send us a sample html please. We do not check for filetype here at all. I think it could be related to an issue with case sensitivity (HTTP://website instead of http://website) which has now been fixed in the latest MailSecurity 9 build (20060104).

> 2) IMG statements with an extraneous blank before the h in http (I kid you not). The SRC is eliminated.

This has been reproduced, and is being investigated further.

> 3) ALIGN=CENTER removed from an H3 statement (again, I kid you not)

This has been fixed in the latest build (20060104).

> 4) (Style Sheet) LINK statement removed. (Interestingly, the @IMPORT is not removed).

This has been fixed in the latest build (20060104).

> 5) HREF removed from Anchor statement using RTSP protocol. RTSP is the protocol to stream with RealServer. This link was intended to play a music clip.

We will investigate this further. Most probably this protocol and others will be added to the list of allowed protocols for URLs. Thank you.
< Message edited by Nicks -- 31.Jan.2006 6:47:17 AM >
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Threat Engine in Version 9 - 31.Jan.2006 8:00:27 AM
vlmagee
Posts: 6
Joined: 5.Jan.2006
Status: offline
Here is the HTML for problem (1). Looking at it, I see it does have a mixture of caps and lowercase and also is within an anchor statement with an HREF the threat engine may not like, so I have included it as well. Here is the statement:

<A href="http://virtualmls.com/httppfl2.asp?ln=80ea21546208f1bf237062520c5264f84060e7ed81294c7d&cat=c48818b60f5afe42183b84a1a3509d29&database=7c4680acb03e7161d4332c5044b4034bb88c66104f79c790&webid=0"><IMG height=100 onerror="this.src='images/NoPhotoSmall.gif'" hspace=6 src="HTTP://virtualmls.com/VMLSDEN/DENPICS/JPEG8/289918A.DCW" width=150 align=left border=0></A>

This is extracted from a realtor's regular mailing showing new home listings. The realtor uses an industry application/service called Virtual MLS (multiple listing service).
_____________________________
Regards, Valerie Magee
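The allow-list approach Nicks describes in his 31.Jan.2006 reply, run against his four script-injection vectors and against Valerie's Virtual MLS sample above, as an added example. This is not GFI MailSecurity code and says nothing about how the real Threat Engine is built; the tag, attribute and scheme lists, the `url_allowed` and `sanitize` helpers, and the shortened MLS query string are all assumptions chosen to exercise the cases discussed in the thread (the HTTP:// versus http:// case issue, the blank before the h in http, the RTSP scheme, the stylesheet LINK and the onerror handler).

```python
"""Allow-list HTML sanitizer, illustrating the approach Nicks describes.
Constructed example: this is not GFI MailSecurity code, and the tag/attribute
and scheme lists below are assumptions chosen for the thread's test cases."""
import re
from html import escape
from html.parser import HTMLParser

# Tag -> attributes that survive. Anything absent is dropped: unknown tags lose
# their markup (inner text is kept), unknown attributes vanish, which is what
# removes every on* event handler without having to enumerate them.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height", "align", "border", "hspace", "vspace"},
    "h3": {"align"}, "p": {"align"}, "div": {"align"},
    "b": set(), "i": set(), "br": set(), "span": set(),
    "link": {"rel", "type", "href"},     # the stylesheet LINK from problem (4)
}
# Schemes permitted in href/src. "rtsp" is the one Valerie's problem (5) needed.
ALLOWED_SCHEMES = {"http", "https", "mailto", "rtsp"}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"img", "br", "link"}
DROP_WITH_CONTENT = {"script", "style"}

# Browsers strip leading/trailing whitespace and ignore ASCII control characters
# when resolving a URL, so " javascript:..." or "java\tscript:..." executes just
# like "javascript:...". Normalise the same way before looking at the scheme.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def url_allowed(value: str) -> bool:
    """True if the URL has no scheme (relative) or an allow-listed scheme.
    The scheme is compared case-insensitively, so HTTP:// is as good as http://
    (the case-sensitivity bug fixed in build 20060104), while a blank before the
    h in http (problem 2) is tolerated because it is removed before the check."""
    normalised = _CTRL_WS.sub("", value)
    head = normalised.split("/", 1)[0]        # text before the first slash
    if ":" not in head:
        return True                            # relative URL: nothing to execute
    return head.split(":", 1)[0].lower() in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
        self._drop_depth = 0   # > 0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:          # HTMLParser lower-cases names already
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue
            if name in URL_ATTRS and not url_allowed(value):
                continue                   # drop the attribute, keep the tag
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
        elif not self._drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_in: str) -> str:
    p = AllowListSanitizer()
    p.feed(html_in)
    p.close()
    return "".join(p.out)


# Nicks's four script-injection vectors, plus a blank/tab/case variant of them.
ATTACK_SAMPLES = [
    "<script>alert(1)</script>",
    '<img src="javascript:alert(1)">',
    '<img src="nonexistent" onerror="alert(1)">',
    '<a href="vbscript:alert(1)">x</a>',
    '<a href=" JaVa\tscript:alert(1)">x</a>',      # leading blank + tab + case
]
# Abridged from Valerie's Virtual MLS sample (constructed; query string shortened).
MLS_SAMPLE = ('<A href="http://virtualmls.com/httppfl2.asp?ln=80ea&webid=0">'
              '<IMG height=100 onerror="this.src=\'images/NoPhotoSmall.gif\'" '
              'hspace=6 src="HTTP://virtualmls.com/VMLSDEN/DENPICS/JPEG8/289918A.DCW" '
              'width=150 align=left border=0></A>')


def demo():
    """Return (every attack sample neutralised?, sanitised MLS sample)."""
    attacks_clean = all(
        "script" not in sanitize(s).lower() and "onerror" not in sanitize(s).lower()
        for s in ATTACK_SAMPLES)
    return attacks_clean, sanitize(MLS_SAMPLE)


if __name__ == "__main__":
    ok, cleaned = demo()
    print("attack samples neutralised:", ok)
    print(cleaned)
```

Two design points are worth noting. First, the allow-list never has to know the name of a single event handler: `onerror` disappears from the MLS IMG simply because it is not on the list, which is exactly why the approach closes the blacklist loopholes Nicks lists. Second, the URL check normalises before it decides, so the blank before `http` and the upper-case `HTTP://` in Valerie's samples survive, while the same whitespace and case tricks applied to `javascript:` are still rejected; an allow-list that compared the raw attribute string would reproduce both of the bugs discussed in this thread.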
RE: Threat Engine in Version 9 - 31.Jan.2006 9:41:57 AM
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
Hi Valerie, A fix for this issue will be included in the next MailSecurity build. Thank you.
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Threat Engine in Version 9 - 1.Feb.2006 10:21:37 AM
vlmagee
Posts: 6
Joined: 5.Jan.2006
Status: offline
Hi Nick, I just wanted to take a moment to thank you for your careful and thorough analysis of the various problems with HTML scanning. I am very happy that all the problems are either already fixed, or will probably be fixed shortly. And I very much appreciate it that you were able to work with problem descriptions and/or a copy of the offending code. Heartened by that (smile please), I will be submitting an inquiry about another problem that we have lived with for the better part of a year: valid mp3 files that are considered "offending" and are quarantined. I will open another discussion item for that when I have a few minutes. Once again, many thanks for your help!
_____________________________
Regards, Valerie Magee
RE: Threat Engine in Version 9 - 1.Feb.2006 11:18:15 AM
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
Thank you for your comments :) It was relatively easy for the team to work on these issues using the very good information that you have provided.
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Threat Engine in Version 9 - 7.Feb.2006 12:52:52 PM
jbarsodi
Posts: 35
Joined: 5.Jan.2004
From: Irvine, CA
Status: offline
Hi Nicks, When will we see the next build? I'm having the same problem with a vendor who has to send secure messages. Thanks, John
RE: Threat Engine in Version 9 - 8.Feb.2006 5:49:20 AM
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
It is currently still too early to provide a good estimate of the date of the release for the next MailSecurity build. I would recommend that you subscribe to the new build notifications at http://www.gfi.com/pages/productmailing.htm
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Threat Engine in Version 9 - 24.Feb.2006 5:38:25 PM
jbarsodi
Posts: 35
Joined: 5.Jan.2004
From: Irvine, CA
Status: offline
any update on the release date? This is causing a huge problem for our company.
RE: Threat Engine in Version 9 - 27.Feb.2006 11:05:35 AM
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
We should be releasing a new build soon. Thank you.
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Threat Engine in Version 9 - 20.Mar.2006 8:23:37 PM
jbarsodi
Posts: 35
Joined: 5.Jan.2004
From: Irvine, CA
Status: offline
Does the build that was released today (20060313) resolve this issue? Thanks, John
RE: Threat Engine in Version 9 - 21.Mar.2006 10:56:43 AM
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
Hi John, Yes, it does.
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Threat Engine in Version 9 - 31.Mar.2006 3:06:52 PM
jbarsodi
Posts: 35
Joined: 5.Jan.2004
From: Irvine, CA
Status: offline
We are still having the SAME issue after the upgrade with secure emails that contain an attachment with javascript in it. A properly received attachment will have 2500 lines in the html. An attachment that passes through MSEC has 50 lines in the html.
RE: Threat Engine in Version 9 - 3.Apr.2006 11:17:08 AM
Mark Busuttil
Posts: 4836
Joined: 16.Oct.2005
Status: offline
Hi jbarsodi, Can you please send us your troubleshooter files in order to investigate further your issue as indicated in the following link: http://forums.gfi.com/Read_this_first/m_900727091/tm.htm Can you also please send us a copy of the original Email which you have used to reproduce / cause the issue. Thanks!
< Message edited by Mark Busuttil -- 4.Apr.2006 7:45:07 AM >
_____________________________
Regards, Mark Busuttil GFI Software Ltd - www.gfi.com Messaging, Content Security & Network Security Software GFI: MailEssentials - MailSecurity - MailArchiver - FAXmaker - LANguard – WebMonitor