[Esd-l] Fw: .com file which passed thru the sanityzer

John D. Hardin jhardin at impsec.org
Mon Nov 24 12:56:22 PST 2003

On Mon, 24 Nov 2003, Juan Maria Gil wrote:

> Hi,
> Today we have received some emails from a security test sent to us by SecurityMetrics,
> every one of the executables was sanitized but one.
> These are the significant parts of this message:
> Subject: [raq550] Nessus antivirus test 4: broken MIME attachment (ISO encoding)

It's probably the encoding of the filename. The sanitizer isn't up to
speed on some of the more esoteric formats.

> --=-=-= 
> Content-Disposition: attachment;
> filename="eicar.=?ISO-8859-1?Q?c?= =?ISO-8859-1?Q?o?=
>  =?ISO-8859-1?Q?m?="

Yup, that's it. The sanitizer does not currently understand that
complex an encoding.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
   23 days until The Return of the King
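
The filename in the quoted header is split into RFC 2047 encoded-words, so a check on the literal text never sees ".com". The sketch below is an added example, not part of the original message and not the sanitizer's own code: it decodes the filename the way a lenient mail client would before testing the extension. The function names and the `BLOCKED_EXT` list are assumptions made for illustration.

```python
import base64
import quopri
import re

# Constructed sample: the Content-Disposition value quoted in the message above.
SAMPLE = ('attachment;\r\n filename="eicar.=?ISO-8859-1?Q?c?= =?ISO-8859-1?Q?o?='
          '\r\n =?ISO-8859-1?Q?m?="')
BLOCKED_EXT = {"com", "exe", "pif", "scr", "bat", "vbs"}  # assumption: sample policy

ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([QqBb])\?([^?\s]*)\?=")
# RFC 2047: whitespace between two adjacent encoded-words is not displayed.
BETWEEN_WORDS = re.compile(r"(?<=\?=)\s+(?==\?)")
FILENAME = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.I)

def _decode_word(m):
    """Decode one =?charset?Q|B?payload?= token; keep it literal on failure."""
    charset, enc, payload = m.group(1).split("*")[0], m.group(2).upper(), m.group(3)
    try:
        if enc == "Q":
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        else:
            raw = base64.b64decode(payload)
        return raw.decode(charset, errors="replace")
    except (ValueError, LookupError):  # bad payload or unknown charset
        return m.group(0)

def raw_filename(disposition):
    """Return the filename parameter exactly as it appears on the wire."""
    m = FILENAME.search(disposition)
    return (m.group(1) or m.group(2) or "") if m else ""

def decode_filename(value):
    """Unfold the value, join adjacent encoded-words, then decode them."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)
    value = BETWEEN_WORDS.sub("", value)
    return ENCODED_WORD.sub(_decode_word, value)

def extension(name):
    """Lower-cased text after the last dot, ignoring trailing dots and spaces."""
    name = name.strip().rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_blocked(disposition):
    return extension(decode_filename(raw_filename(disposition))) in BLOCKED_EXT

if __name__ == "__main__":
    raw = raw_filename(SAMPLE)
    print("literal extension:", repr(extension(raw)))   # what a literal match sees
    print("decoded filename: ", decode_filename(raw))
    print("blocked:          ", is_blocked(SAMPLE))
```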

