[Avcheck] a way to circumvent checks by AVP

Michael Tokarev mjt@tls.msk.ru
Thu, 25 Jul 2002 17:57:06 +0400


Juri Haberland wrote:
> 
> Hi guys,
> 
> I just found a way to not only circumvent Postfix' body-checks to reject
> executables but also to prevent AVP from recognizing a virus!
> And of course Outlook is involved :(
> 
> If you tell Outlook to send emails RTF-formatted it will put the RTF
> stuff into an attachment called winmail.dat. So far so good.
> If you attach a file to this mail, it will be embedded in this
> RTF-document, therefore hidden in the winmail.dat. You see, no
> attachment with a .exe at the end, so no chance to catch it via
> Postfix' body-checks.
> But what's even worse: AVP doesn't recognize this either. I could
> successfully send the eicar.com-test-virus this way...

Fantastic.  This is a bug, obviously.  Note that e.g. amavis will
not catch this either - or maybe not?

> Maybe someone can check this with other AV-scanners like Dr.Web or Sophos.

Oh well.  Not a single Outlook/Outlook Express here.  On more than
40 machines with windoze (mine runs Linux).  I really missed this
good program, how very bad... ;)

/mjt
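
The winmail.dat container described in the quoted report is a TNEF stream. As an added example (not part of the original thread or of avcheck), the Python code below shows how a mail filter can find such parts by their magic bytes and list the files embedded in them, so they can be unpacked and handed to the scanner. The attribute constants are the ones defined for TNEF by Microsoft; the function names and the sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

TNEF_MAGIC = struct.pack("<I", 0x223E9F78)   # first four bytes of a TNEF stream
ATT_ATTACH_RENDDATA = 0x00069002             # opens each attachment record
ATT_ATTACH_DATA = 0x0006800F                 # embedded file content
ATT_ATTACH_TITLE = 0x00018010                # embedded file name
LVL_ATTACHMENT = 2

def tnef_attachments(blob):
    """List (name, size) of the files embedded in one TNEF stream."""
    found, pos = [], 6                        # skip 4-byte magic + 2-byte key
    while pos + 9 <= len(blob):
        level, attr, length = struct.unpack_from("<BII", blob, pos)
        data = blob[pos + 9:pos + 9 + length]
        if len(data) < length:
            break                             # truncated stream: stop parsing
        pos += 9 + length + 2                 # 2-byte checksum trails the data
        if level != LVL_ATTACHMENT:
            continue
        if attr == ATT_ATTACH_RENDDATA or not found:
            found.append([None, 0])           # start a new attachment record
        if attr == ATT_ATTACH_TITLE:
            found[-1][0] = data.rstrip(b"\x00").decode("latin-1")
        elif attr == ATT_ATTACH_DATA:
            found[-1][1] = length
    return [tuple(f) for f in found]

def find_tnef(raw_message):
    """Check every MIME leaf by magic bytes, not by file name or Content-Type."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        payload = b"" if part.is_multipart() else (part.get_payload(decode=True) or b"")
        if payload.startswith(TNEF_MAGIC):
            hits.extend(tnef_attachments(payload))
    return hits

def _attr(level, attr, data):                 # builds one constructed attribute
    return struct.pack("<BII", level, attr, len(data)) + data + struct.pack("<H", sum(data) & 0xFFFF)

def sample_message():                         # constructed test mail, not real traffic
    blob = TNEF_MAGIC + struct.pack("<H", 1)
    blob += _attr(2, ATT_ATTACH_RENDDATA, bytes(14))
    blob += _attr(2, ATT_ATTACH_DATA, b"constructed placeholder bytes")
    blob += _attr(2, ATT_ATTACH_TITLE, b"eicar.com\x00")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(blob, maintype="application", subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()
```

A filter that gets a non-empty result from `find_tnef` can either reject the message or extract the embedded files and scan them like ordinary attachments.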