Spam Filter ISP Forums : Don’t get the point of using a AV

Spam Filter ISP Forums : Don’t get the point of using a AV https://www.logsat.com/spamfilter/forums/ Sat, 06 Jun 2026 10:25:34 +0000 Fri, 18 Mar 2005 16:20:58 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 11.04 360 https://www.logsat.com/spamfilter/forums/RSS_post_feed.asp?TID=5102 <![CDATA[Spam Filter ISP Forums]]> https://www.logsat.com/spamfilter/forums/forum_images/web_wiz_forums.png https://www.logsat.com/spamfilter/forums/ <![CDATA[Don’t get the point of using a AV : Not at all... there is nothing...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5472&title=dont-get-the-point-of-using-a-av#5472 Author: LogSat
Subject: 5102
Posted: 18 March 2005 at 4:20pm

Not at all... there is nothing that needs to execute. The Windows DLLthat decodes the JPG has a buffer overrrun bug. With the buffer overruna hacker can execute a program embedded in the JPG without the userhaving to run anything. All he needs to do is *view* the JPG.

... and to be more exact, they may not even have to *view* it. In somecases all that is needed is to *hover* over the file with the mouse.Windows will launch the DLL that decodes the JPG to extract itsthumbnail. This is all that's needed for you to get infected, as thebuffer overun will kick in right away.

In the JPG we attached in the zip, the buffer overrun will create abackdoor by running a reverse shellcode on the victim's PC, allowingthe hacker to remote into the victim's PC and effectively having aremote command prompt on it.

Summary:
****there is no program that needs to run/download for the machine to be infected****
]]> Fri, 18 Mar 2005 16:20:58 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5472&title=dont-get-the-point-of-using-a-av#5472 <![CDATA[Don’t get the point of using a AV : Iunderstand that, but the JPEG...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5471&title=dont-get-the-point-of-using-a-av#5471 Author: chinabee
Subject: 5102
Posted: 18 March 2005 at 11:20am

I understand that, but the JPEG file needs other code/program to work, doesn't it?]]> Fri, 18 Mar 2005 11:20:35 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5471&title=dont-get-the-point-of-using-a-av#5471 <![CDATA[Don’t get the point of using a AV : Perhaps you are seeing the word...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5469&title=dont-get-the-point-of-using-a-av#5469 Author: Desperado
Subject: 5102
Posted: 18 March 2005 at 11:17am

Perhaps you are seeing the word "download" and thinking that this is download link or something. When you browse to a site that has any images on it (like most sites do) your browser downloads the images without you asking. Mail clients do the same. So, if I email you and embed an inline image tag, you will get the image. I can send an example if you want.

Dan

]]> Fri, 18 Mar 2005 11:17:57 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5469&title=dont-get-the-point-of-using-a-av#5469 <![CDATA[Don’t get the point of using a AV : the JPEG file still needs to download...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5468&title=dont-get-the-point-of-using-a-av#5468 Author: chinabee
Subject: 5102
Posted: 18 March 2005 at 10:42am

the JPEG file still needs to download and run a malicious code/program to infect.

My firewall only allows HTTP/HTTPS traffic and my filter does not allow any user to download any executable files including zip file.

Even though I received such JPEG files, they would still do no harm as they couldn't run any malicious code.

]]> Fri, 18 Mar 2005 10:42:09 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5468&title=dont-get-the-point-of-using-a-av#5468 <![CDATA[Don’t get the point of using a AV : ...because the file is a jpeg,...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5455&title=dont-get-the-point-of-using-a-av#5455 Author: LogSat
Subject: 5102
Posted: 16 March 2005 at 6:24pm

...because the file is a jpeg, not an exe. Your filter, unless itchecks the http stream for viruses, will not block it. If however thefilter is blocking images, then yes, it will work, but your users arelikely not going to be enjoying their browsing experience.]]> Wed, 16 Mar 2005 18:24:38 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5455&title=dont-get-the-point-of-using-a-av#5455 <![CDATA[Don’t get the point of using a AV : My filter is on HTTP traffic....]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5452&title=dont-get-the-point-of-using-a-av#5452 Author: chinabee
Subject: 5102
Posted: 16 March 2005 at 4:49pm

My filter is on HTTP traffic. How would the IE download anything without an agreement from my filter? ]]> Wed, 16 Mar 2005 16:49:08 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5452&title=dont-get-the-point-of-using-a-av#5452 <![CDATA[Don’t get the point of using a AV : chinabee, That would actually...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5448&title=dont-get-the-point-of-using-a-av#5448 Author: LogSat
Subject: 5102
Posted: 16 March 2005 at 3:59pm

chinabee,

That would actually work just fine bypassing all your filtering if theiframe simply causes the email client/browser to display, in the abovecase, the infected jpg.

Also note that in this particularly nasty case, the email itself doesnot contain the attachment, so it will not be blocked. The emailcontains an iframe, which causes the *end-user's* PC to download thevirus in the jpg. The only way to stop this is toeither have anantivirus on the client PC, or to have an AV product scanning your HTTPtraffic (such products do exist).

The moral is, nobody is as secure as they think they are. There isusually a compromise in how much you are willing to risk and how manyresources you're going to dedicate to protect your environment.
]]> Wed, 16 Mar 2005 15:59:46 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5448&title=dont-get-the-point-of-using-a-av#5448 <![CDATA[Don’t get the point of using a AV : This won't work on my system....]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5446&title=dont-get-the-point-of-using-a-av#5446 Author: chinabee
Subject: 5102
Posted: 16 March 2005 at 3:18pm

This won't work on my system. I have filter set up so that no executable file can be downloaded and only port 80 and 443 is available to users.

If the virus works on port 80, the filter will stop it from downloading anything executable.

Originally posted by Desperado Desperado wrote:

How about anything using "iframe". The attachment is NOT in the message but on a remote server. The iframe launches the download.
Dan

Edited by chinabee]]> Wed, 16 Mar 2005 15:18:59 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5446&title=dont-get-the-point-of-using-a-av#5446 <![CDATA[Don’t get the point of using a AV : Norman, like other AV's,...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5445&title=dont-get-the-point-of-using-a-av#5445 Author: Desperado
Subject: 5102
Posted: 16 March 2005 at 3:04pm

Norman, like other AV's, constantly updates it's definitions. Norman, unlike other AV's, has what it calls "Sand Box Technology". What this does is if it sees something that it feels is suspicious, it places it in a protected area (the sand box) and sees if it does anything "Virus Like".

From their site:

Norman Sandbox technology

Norman Sandbox technology - the hows and whys

This article aims to explain a bit more in depth how Norman Sandbox really works and why it is different from other solutions out there.
Norman Sandbox is a fully simulated computer. No code is executed on the real CPU except for the Norman Virus Control emulator engine; even the hardware in the simulated PC is emulated. See: http://www.norman.com/Virus/13927/en-us

Regards,

]]> Wed, 16 Mar 2005 15:04:38 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5445&title=dont-get-the-point-of-using-a-av#5445 <![CDATA[Don’t get the point of using a AV : chianabee, That's exactly...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5444&title=dont-get-the-point-of-using-a-av#5444 Author: LogSat
Subject: 5102
Posted: 16 March 2005 at 3:02pm

chianabee,

That's exactly why you pay for AV software.... They have staff thatfinds the viruses and updates the patterns to detect them. If you had*any* decent AV software scanning on your mail server the virus youdownloaded from my post would have been caught. The beta ofSpamFilter's AV plugin for example catches it just fine.
]]> Wed, 16 Mar 2005 15:02:03 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5102&PID=5444&title=dont-get-the-point-of-using-a-av#5444