Re: GFI Download Security

  • From: "David Farinic" <davidf@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Jun 2004 17:29:45 +0200

I agree.

I think it should be safer to block 302s with "*Location: URL:*"

Usually an HTTP redirection Location header goes like this:

"Location: http://www.google.com/"

"Location: URL:..." might be used in rare cases by some web applications,
and in my opinion they will rarely pass via ISA.


So another http response header example to block:
....
"Location: URL:res://shdoclc.dll/HTTP_501.htm"
....

Regards David Farinic.
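As an added example (not from the original posts, and not ISA Server's own HTTP filter logic), here is a Python check that applies the header rules from this reply and from the quoted posts below to a raw HTTP response head: Jim's rule that no header value should carry "ms-its:" or a local drive path, and the rule above that a 3xx Location should not start with "URL:". It goes slightly beyond the thread by also flagging any redirect Location that is neither an http(s) URL nor a site-relative path. The sample responses are reconstructed from the thread with line breaks restored; the benign Google redirect is a constructed control case.

```python
import re
from typing import Dict, List, Optional, Tuple

# Patterns taken from the thread: the ms-its: protocol handler, a local drive
# path such as C:\, and the "URL:" wrapper in front of a redirect target.
MSITS_RE = re.compile(r"ms-its:", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"\b[A-Za-z]:\\")
URL_PREFIX_RE = re.compile(r"^URL:", re.IGNORECASE)
# Assumption (generalization beyond the thread): a legitimate redirect target is
# an absolute http(s) URL or a site-relative path; anything else is suspicious.
ALLOWED_LOCATION_RE = re.compile(r"^(https?://|/)", re.IGNORECASE)


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP response into (status code, {lower-cased name: [values]})."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.decode("latin-1", "replace").split("\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def should_block(raw: bytes) -> Optional[str]:
    """Return a reason string if the response should be dropped, else None."""
    status, headers = parse_response_head(raw)
    # Jim's rule: independent of the status code, no header may carry the
    # ms-its: handler or a path on the client's local disk.
    for name, values in headers.items():
        for value in values:
            if MSITS_RE.search(value):
                return f"{name}: ms-its: handler"
            if DRIVE_PATH_RE.search(value):
                return f"{name}: local drive path"
    # David's rule: a redirect whose Location is wrapped in "URL:"; plus the
    # generalization that a redirect must point at an http(s) URL or a path.
    if 300 <= status < 400:
        for location in headers.get("location", []):
            if URL_PREFIX_RE.match(location):
                return "location: URL: prefix"
            if not ALLOWED_LOCATION_RE.match(location):
                return "location: not an http(s) URL"
    return None


# Sample responses (reconstructed from the thread; CRLF line breaks restored).
EXPLOIT_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Via: 1.0 ISASERVER\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"Content-Length: 4\r\n"
    b"Date: Tue, 08 Jun 2004 08:00:49 GMT\r\n"
    b"Location: URL:ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Resin/2.1.11\r\n"
    b"\r\n"
    b"...."
)
RES_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: URL:res://shdoclc.dll/HTTP_501.htm\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Constructed control case: an ordinary redirect that must pass.
BENIGN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://www.google.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, resp in (("exploit", EXPLOIT_RESPONSE), ("res", RES_RESPONSE),
                        ("benign", BENIGN_RESPONSE)):
        print(label, "->", should_block(resp) or "allow")
```

This is a check over captured responses, not the syntax of an ISA 2004 HTTP filter rule; it is useful for validating proxy logs or packet captures against the same patterns before committing them to the firewall policy.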

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, June 08, 2004 5:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: GFI Download Security

http://www.ISAserver.org

Actually, you don't even have to be web response-specific.
Any Internet-based site delivering a header or URL-style element
containing:
 "C:\"
"ms-its":

.. deserves to be blocked.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "David Farinic" <davidf@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, June 08, 2004 07:27
Subject: [isalist] Re: GFI Download Security


http://www.ISAserver.org



To add a fresh example to my previous reply post:


There is a new 0-day exploit used by more adware/spyware... == malware.
If you have DownloadSecurity6, it blocks it.

ISA 2004 users without DownloadSecurity can use the HTTP header checking
feature to block this malicious code.

Check if a 302 reply is found with the strings "ms-its:" and
"Help\iexplore.chm" in the HTTP header.

Then block this connection.

This is the reply from the web server you have to block:

====

HTTP/1.1 302 Found
Via: 1.0 ISASERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 4
Date: Tue, 08 Jun 2004 08:00:49 GMT
Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm
Content-Type: text/html
Server: Resin/2.1.11

====


"Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm"
shouldn't pass through, otherwise this exploit works (Location
should not point to your disk).

If your clients run WinXP with SP2 they will not be affected if it
passes through ISA.


Regards David Farinic



________________________________________
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Thursday, 20 May 2004 5:38 p.m.
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: GFI Download Security

http://www.ISAserver.org

Thanks,

I seriously think this is something worth looking into. It is probably
our #1 or #2 issue right now. It can take up to a few hours to clean a
system from all the crap these (*&#$@(*& install. It is extremely
prevalent on home PCs along with all the spyware. I am also working with
the local school district to find a solution for their systems as well.
They are having a hell of a time keeping their machines clean.


Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, May 19, 2004 4:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: GFI Download Security


http://www.ISAserver.org

Hi Ray,

That's a good question. I haven't researched yet what methods are used
to install scumware on users' computers. I'm sure a variety of methods
are used. I plan to do this if/when I update the application layer
filtering kit to version ISA 2004. I'm sure it's as easy as blocking
extensions and content types, but the devil is always in the details.

Tom



This mail was checked for malicious code and viruses
by GFI MailSecurity. GFI MailSecurity provides email content
checking, exploit detection, threats analysis and anti-virus for
Exchange & SMTP servers. Viruses, Trojans, dangerous
attachments and offensive content are removed automatically.
Key features include: multiple virus engines; email content and
attachment checking; an exploit shield; an HTML threats engine;
a Trojan & Executable Scanner; and more.

In addition to GFI MailSecurity, GFI also produces the
GFI MailEssentials anti-spam software, the GFI FAXmaker
fax server & GFI LANguard network security product ranges.
For more information on our products, please visit
http://www.gfi.com. This disclaimer was sent by
GFI MailEssentials for Exchange/SMTP.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
