Hi Alex
Thanks for your comment on my testing. Well, the test was about the decoding capabilities of virus scanners in a gateway scanner scenario. Sadly, my document was not clear on this.
Would it have made a difference if I had put in some other real-life malware to test this? I guess not. The test was about decoding quality and not pattern quality.
You are right on the point that the on-access scanner would possibly detect the execution of the malware when the user clicks on the object in the Word document. But then why are we using gateway scanners anyway? It is a backup in case the desktop scanner fails for any reason. It's about defense in depth.
Then the other topic is: why are there scanners which can decode a Word format but not an XML format? In my opinion, a scanner should either decode a format completely or not at all.
You may also look at this test from another point of view. Several gateway AV scanner products are able to block certain types of files, like executables. But if such a product is not capable of detecting executables embedded in documents, then this can be used to bypass such protection.
Kind regards
Jan P. Monsch
Jan P. Monsch
08.28.06 - 6:39 pm
Jan,
Good point. And I do think the test is worth doing. But I think it might be more productive to use real malware embedded in the file.
Alex Eckelberry (Siteowner)
08.28.06 - 8:20 pm
Hi Alex,
I have used the same approach to check the content inspection policy in a few products: executable and multimedia file detection. The results show that XML bypasses content detection in 3 products, MHT in 1. So it's not just about a few AV vendors. All tested products are gateway protection suites. I have sent Jan my results (all vendors in my test have been notified and two have already confirmed the problem).
Regards,
Max.
Max Noudelman
08.30.06 - 4:49 pm
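The bypass Jan describes (an executable embedded in a document slipping past a gateway's file-type block) and the XML/MHT results Max reports can be reproduced in miniature. The script below is an added example written for this page; it is not the commenters' test harness and not any vendor's product code. It assumes a minimal Word 2003 XML layout (a base64-encoded `w:binData` element in the `wordml` namespace) and a minimal MHT (a `multipart/related` MIME file with a base64 part); the embedded "executable" is a constructed MZ/PE header stub, not a real binary, and "is executable" is reduced to the MZ magic. A naive filter that only looks at the top-level magic bytes passes both containers; a filter that actually decodes the container finds the payload.

```python
import base64
import email
import xml.etree.ElementTree as ET
from typing import List

# Constructed stand-in for an executable: DOS "MZ" magic plus a PE stub.
# This is not a real program and will not run; it only carries the magic bytes.
MZ_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 28

# Namespace used by Word 2003 XML documents (assumption: minimal layout below).
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"


def build_word_xml(payload: bytes) -> bytes:
    """Constructed Word 2003 XML document carrying `payload` as a base64 binData blob."""
    b64 = base64.b64encode(payload).decode()
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<?mso-application progid="Word.Document"?>\n'
        f'<w:wordDocument xmlns:w="{WORDML_NS}">\n'
        f'  <w:binData w:name="oledata.mso">{b64}</w:binData>\n'
        '  <w:body><w:p><w:r><w:t>Double-click the icon</w:t></w:r></w:p></w:body>\n'
        "</w:wordDocument>\n"
    ).encode()


def build_mht(payload: bytes) -> bytes:
    """Constructed MHT (MIME multipart/related) carrying `payload` as a base64 part."""
    b64 = base64.b64encode(payload).decode()
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_B"\r\n'
        "\r\n"
        "------=_B\r\n"
        "Content-Type: text/html\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "<html><body>Double-click the icon</body></html>\r\n"
        "------=_B\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Location: oledata.mso\r\n"
        "\r\n"
        f"{b64}\r\n"
        "------=_B--\r\n"
    ).encode()


def is_executable(blob: bytes) -> bool:
    """Simplified check: DOS/PE images start with the 'MZ' magic."""
    return blob.startswith(b"MZ")


def naive_blocks_executable(data: bytes) -> bool:
    """Gateway policy that only inspects the outermost object's magic bytes."""
    return is_executable(data)


def extract_embedded(data: bytes) -> List[bytes]:
    """Decode the container formats and return every embedded binary blob."""
    blobs: List[bytes] = []
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<w:wordDocument"):
        root = ET.fromstring(data)
        for el in root.iter(f"{{{WORDML_NS}}}binData"):
            blobs.append(base64.b64decode(el.text or ""))
    elif head.startswith(b"MIME-Version") or b"multipart/" in data[:512]:
        msg = email.message_from_bytes(data)
        for part in msg.walk():
            cte = (part.get("Content-Transfer-Encoding") or "").lower()
            if cte == "base64":
                blobs.append(part.get_payload(decode=True) or b"")
    return blobs


def decoding_blocks_executable(data: bytes) -> bool:
    """Gateway policy that decodes the container before applying the file-type rule."""
    if is_executable(data):
        return True
    return any(is_executable(b) for b in extract_embedded(data))


if __name__ == "__main__":
    for name, sample in (("Word XML", build_word_xml(MZ_STUB)),
                         ("MHT", build_mht(MZ_STUB))):
        print(f"{name}: naive={naive_blocks_executable(sample)} "
              f"decoding={decoding_blocks_executable(sample)}")
```

The point the example makes is the one in both comments: the decision has nothing to do with signature quality. A filter that stops at the outer magic bytes sees XML text or a MIME header and waves the file through, while one that decodes the container to the end sees the same MZ image it would have blocked as a bare attachment.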