NAI/McAfee have recently updated their FTP server to be case-sensitive and
this affects GS5.2 updates (via proxy servers).
GS5.2 is configures to request updates from
ftp.nai.com/pub/antivirus/datfiles/4.x. It automatically requests DELTA.INI
(uppercase) from that directory.
From our proxy logs, GS 5.2 make the following request (note the
TCP_MISS/404 errors):
192.168.1.250 TCP_MISS/404 1406 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
DIRECT/208.254.18.147 text/html
192.168.1.250 TCP_MISS/404 1406 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/DELTA.INI -
DIRECT/208.254.18.148 text/html
192.168.1.250 TCP_MISS/200 222 GET
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x - DIRECT/208.254.18.147
text/html
The third entry in the proxy log I presume is a directory listing request -
which does not produce a listing I presume because it should have a trailing
'/'. A manual request from a proxy server using telnet shows that only a
host header is returned.
To verify the existence of the file, their FTP server shows the following:
ftp> cd /pub/antivirus/datfiles/4.x
...
ftp> ls
...
150 Opening ASCI mode data connection for /pub/antivirus/datfiles/4.x/.
...
-rw-rw-rw- 1 0 0 1303 Jan 12 10:25 delta.ini
I am reviewing the issue with NAI support now, and am trying to get to the
bottom of it. Has anyone else noticed?
Regards
Richard Carde
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
