Mailing List Archive

Avecho Glasswall Anti virus technolog?
Just wanted to see if anyone knew anything about the company called
Avecho or their flagship product "Glasswall".

Any information from someone on the list that has had contact with them
would be great.

Here is a list of claims on their website:

Does not rely on...
Signature Dependency
Sandboxing or Throttling
Any form of recognition:
Not Virus detection or naming
Not any form of Heuristics
Not any form of Behavioural recognition


GlassWall has the following benefits...
requires no updates
provides immediate protection from new threats
can be put into firmware or silicon
does not alert hackers and virus writers to potential exploits by
publishing update information
can be embedded into the network layer
is platform and operating system independent
sits at the border of a zone, network or computer
is continually running and provides zero response time to any threat


Home page: http://www.avecho.net/index.cfm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: Avecho Glasswall Anti virus technolog?
Wow, I can do that, too.

If not 100% plain text -- quarantine. You could also only allow known
safe HTML markup tags (bold, underline, italic, etc.) with no external
links.

Disallow most if not all attachments.

Wow, safe. Not very useful today, but safe.

-Charles Hill

Re: Avecho Glasswall Anti virus technolog?
Okay, I *THOUGHT* I was kidding with the "block everything not plaintext",
but maybe not.

Their "trust bypass" allows admins to admit certain datatypes past their
filter. This implies to me they simply "deny all" and go from there.

Again, safe but not very useful to end-users.

-Charles Hill

Re: Avecho Glasswall Anti virus technolog?
Zach Forsyth wrote:
| Just wanted to see if anyone knew anything about the company
| called Avecho or their flagship product "Glasswall".
|
| GlassWall has the following benefits...
| requires no updates
| provides immediate protection from new threats
| can be put into firmware or silicon
| does not alert hackers and virus writers to potential exploits by
| publishing update information
| can be embedded into the network layer
| is platform and operating system independent
| sits at the border of a zone, network or computer
| is continually running and provides zero response time to any
| threat

Oh, sure, I've heard of this technology. Very cool. As well as all
of the above, this solution also:

- introduces no additional lag, even under heavy load
- requires no monitoring or maintenance
- drastically reduces TCO (in terms of electricity / connectivity)

You don't even need to purchase the solution from GlassWall, it's
very easy to do this yourself.

1) Find a secure, unoccupied room and locate your server in the
centre of it. Ensure all cabling is disconnected.

2) Fill the remainder of the room with fine sand.

3) Optionally, raise the temperature of the room to 1500 deg C.

Voila!

C
RE: Avecho Glasswall Anti virus technolog?
I think their commentary about Sobig indicates they have no idea what they're protecting against, and even more indicates they're exploiting the hype they ostensibly decry.

There were not many systems infected with Sobig.F, it's just that the few that were relentlessly transmitted infected emails. The problems that ensued were from mail systems that were overwhelmed by the volume of messages received. Don't think their technology could help here.....

G

-----Original Message-----
From: Zach Forsyth [mailto:Zach.Forsyth@kiandra.com]
Sent: Tue Dec 02 19:30:32 2003
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Avecho Glasswall Anti virus technolog?

Re: Avecho Glasswall Anti virus technolog?
"Zach Forsyth" <Zach.Forsyth@kiandra.com> wrote:

> Just wanted to see if anyone knew anything about the company called
> Avecho or their flagship product "Glasswall".

Nothing is known about the product, at least outside the company, as it
is all hush hush because they have "revolutionary new technology"
awaiting the granting of patents.

How revolutionary?

Well, it must be pretty damn revolutionary because it seems they have
found a way to break the currently accepted laws of physics. What
Avecho claims its revolutionary new technology can achieve is outright
impossible if certain heretofore unchallenged basic tenets of
mathematics are actually true. For example, the Halting Problem would
have to fall for Avecho's claims to be true. If you go to avecho.net
and follow the "virus center", "GlassWall central", "how it works" menu
items you come to a page with suspiciously little descriptive text and a
map-animated graphic. Flying the mouse over the GlassWall part of the
graphic displays this text:

GlassWall(TM)

avecho's GlassWall(TM) engine is the core of this revolutionary
anti-virus technology. It will accept data from any source and any
data that passes through the engine is certified 100% virus free.
GlassWall(TM) will respond instantly to any virus threat known or
unknown. It requires no definition files or administrator
intervention during its operation which makes GlassWall(TM) the
only 100% effective anti-virus technology capable of automatic,
instant response and zero propagation of any virus, known or yet
to be developed.

Note -- "GlassWall ... will accept data from any source and any data
that passes through the engine is certified 100% virus free". That is
clearly a claim that Avecho's staff have either solved, or otherwise
rebuked, the Halting Problem...

Oh, but wait a minute -- unlike all the "revolutionary" approaches that
have come before, also claiming to make existing antivirus technology
obsolete, there is no talk of false positive rates. Usually these
revolutionary approaches claim perfect detection (as does Avecho) and
perfect differentiation (i.e. "no false positives"). Perhaps Avecho
has not solved the Halting Problem at all and has simply decided that
any number of healthy babies being thrown out with the bath water is an
acceptable price?

And note the sophistry in Avecho's claims for GlassWall. Still on the
animated graphic, fly your mouse over "trust bypass":

trust bypass

Administrators can manage the coverage of the GlassWall(TM) engine
by defining data types that may avoid the anti-virus engine but
still pass through the system for users to access. Bypassing
GlassWall(TM) is done at your own risk. Account administrators must
understand that absolute protection cannot be assured if you choose
this option, although industry best practice screening is still
applied.

So, viruses can still be passed through a _system_ using Avecho's
"revolutionary" technology (many of which would be detected by what
Avecho suggests is "inferior" conventional virus scanners through their
emulation, heuristic and generic detection technologies) but to do this
they pass "around", rather than "through" Avecho's GlassWall technology
allowing Avecho to maintain the claim that GlassWall is clearly better.

And note that I am entirely ignoring the issue of whether Avecho's
virusCensor and/or GlassWall can perfectly detect any and every example
of malformed message and attachment encoding, embedding and so on that
some or other hokey, real-world MUA will "correctly" decode. At a
conference recently, when I pointed out to an Avecho company
representative that such malformations were the bane of content
filtering packages pretty much regardless of what they were trying to
filter out, he simply brushed the claim off saying that if that was my
concern I clearly had no idea how the product worked. How that
sales-oid's brush-off and the nice "how it works" diagram discussed above fit
together I'll leave as an exercise for those readers of this list who
have the necessary technical expertise in such matters (a level that
must, apparently, be greater than my own) to decide.

> Any information from someone on the list that has had contact with them
> would be great.

Bearing in mind they are _aching_ to sell this off (and apparently in a
huge rush to do so, perhaps even before the ink on the patents is dry)
here is a paraphrase of what I told the just-mentioned sales-oid...

"Avecho and its "revolutionary" technology most likely won't exist in a
few (2-3) years. Most likely Avecho's principals will have sold the
major IP (the patents) to some technology company that has no idea what
AV and the like is about and will then dissolve the company pocketing a
tidy sum each. The technically able folk at the company that made
Avecho's principals multi-millionaires will look at the gift horse
they've just been presented by the prat who was suckered into parting
with a chunk of that company's cash reserves, laugh and return to doing
whatever it was they do that ensures their employer keeps paying their
wages."

(Another moderately likely scenario I did not suggest to him is that
actually the world will see through Avecho's glorified 90-something%
effective blocking technology, they will fail to sell it (perhaps the
patent applications fail?) and they will go on to make a modestly
comfortable, but not outrageously luxurious, living running a
virus-filtering Email, web, etc ASP much like MessageLabs...)

I'll finally point out -- in case the sales-oid mentioned above still
hasn't figured it out and gets to see this -- that I am not defending
the rest of AV against the bogus Avecho GlassWall claims. I am, as
usual, pointing out the badly misleading, technologically inept and
other stupidities surrounding the clearly overly marketing-driven
claims being made for the products and services of his company. In
this, his company is no better than _or different from_ most other AV
producers at some time or other in their development. As the brattish
"new kids on the block" he and his cronies are simply repeating the
idiotic overhyping we've all seen far too many times already. If
Avecho had really wanted to be taken seriously (assuming there actually
might be something serious or interesting in what it is doing) it
certainly chose precisely the best way to appear that it was much more
interested in achieving exactly the opposite impression...


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

RE: Avecho Glasswall Anti virus technolog?
> Just wanted to see if anyone knew anything about the company called
> Avecho or their flagship product "Glasswall".

I evaluated their product earlier this year, with the view of incorporating
their engine into our services. However, I quickly took the view that it
was not an anti-virus engine (as advertised) but a rewriting content filtering
engine.

What follows are my deductions from the emails I sent through, and therefore
may not correctly reflect the actual behaviour of the system. Also, it may
well have changed since our tests - we reported all the bugs we found, and
I expect most have been fixed for a while now.

The system attempted to stop all executable content from getting through. Where
an attachment was just executable content, such as an EXE file, it was blocked.
Where the attachment was executable+data, such as an Office document with macros,
the attachment was rewritten to remove the executable content, but leave the data.
So Office documents had all macros stripped. Similarly, HTML emails containing
'nasty' tags had these stripped. Sometimes the executable could not be stripped,
in which case the email is stopped. For instance, this happened with HTML
emails containing scripts. The rewriting also happens in other cases. For instance
BMP files had spurious data at the end of the file removed. TXT documents had
whitespace at the end of line removed. There was also a bug which added a blank
line at the beginning of each text document, but I expect this is fixed now.
Unrecognised files are blocked. So if you send unusual data files, these will
be stopped. When I tested, they only recognised a few of the most common file
types. For instance, they could cope with ZIP, but not RAR. However, they tell me
they have added hundreds more types since we tested. Also it is fairly easy to add
more types, so if you do send unusual data types, these can be added quickly.
Encrypted files count as unrecognised, so sending an encrypted ZIP will
also be stopped. The email itself was also rewritten, presumably to stop
exploits which rely on misformed headers. Text files appeared to be statistically
analysed, some random files we sent through were stopped - eg for containing
a 0x7F character or not enough spaces. They tell me that the system is OK with
foreign languages and signed mail, but we did not test this.

Considering their claim to stop all viruses, their product has at least three
potential areas we identified where it could be exploited.

Firstly, they need to fully understand all file formats they support. Otherwise
an executable can be smuggled in without them realising.

Secondly, they need to be able to recognise malformed MIME.
Otherwise an executable can be smuggled in without them realising.

Thirdly, they need to be able to exactly identify all data files. Otherwise,
an attachment of one type can be smuggled in as an attachment of another type.

The first two areas can be closed by their diligence and hard work; if a hole
becomes known, they can update their code. The third area is (I believe) unsolvable.
Some data files are essentially free-format - eg text files, so to determine
whether a 'text' file is actually executable becomes equivalent to solving the
Halting problem (mentioned by Nick in his email) which is unsolvable.

Although these flaws debunk the 'never let a virus through' claim, my judgement
is that the product will still protect against the common horde of mass mailers,
since these are all in common file formats, using standard MIME, and are fairly
easy to identify as executable code. Where the user would be most vulnerable
is to a crafted attack aiming at getting some kind of trojan or other malware
into a specific organisation.

So, the product was not usable by us - it would have caused a massive false
positive problem, and doesn't really add anything to our offerings, but I think
there is a market for it for those companies/individuals who need that
particular type of content filtering.

Caveat emptor: Avecho are potentially a competitor of ours, so make your own
judgement on my comments.

Regards,

Alexs
-----------------------------------------
Alex Shipp
Senior Anti-Virus Technologist
MessageLabs

Company Registration No - 3834506
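
A minimal Python sketch of the default-deny, rewrite-or-block behaviour deduced in the post above. It is an added example, not Avecho's code or the poster's; the function names, the 5% space threshold and the sample inputs are assumptions made for illustration.

```python
import io
import struct
import zipfile

MIN_SPACE_RATIO = 0.05  # assumption: the post only says "not enough spaces"

def check_bmp(data):
    """Trust the size field in the BMP header; drop anything after it."""
    if len(data) < 14:
        return "block", b""
    (declared,) = struct.unpack_from("<I", data, 2)  # bfSize, little-endian
    if declared < 14 or declared > len(data):
        return "block", b""                 # header lies about size: malformed
    if declared < len(data):
        return "rewrite", data[:declared]   # spurious trailing data removed
    return "pass", data

def check_zip(data):
    """Block archives that cannot be inspected: corrupt or encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                return "block", b""         # flag bit 0 marks an encrypted entry
    except Exception:
        return "block", b""                 # any parse failure = unrecognised
    return "pass", data  # a real filter would also classify every member

def check_text(data):
    """Crude statistical test for text, then strip end-of-line whitespace."""
    if not data:
        return "pass", data
    if any(b == 0x7F or (b < 0x20 and b not in b"\t\r\n") for b in data):
        return "block", b""                 # control bytes: not text
    if data.count(b" ") / len(data) < MIN_SPACE_RATIO:
        return "block", b""
    cleaned = b"\n".join(line.rstrip(b" \t\r") for line in data.split(b"\n"))
    return ("rewrite" if cleaned != data else "pass"), cleaned

def filter_attachment(data):
    """Default deny: classify by content, never by file name or MIME type."""
    if data.startswith(b"BM"):
        return check_bmp(data)
    if data.startswith(b"PK\x03\x04"):
        return check_zip(data)
    return check_text(data)  # EXE, RAR etc. fail the text test and are blocked

if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    bmp = b"BM" + struct.pack("<I", 14) + b"\x00" * 8 + b"trailing junk"
    samples = {"bmp+junk": bmp, "text": b"hello world  \nbye now\n",
               "exe": b"MZ\x90\x00\x03\x00", "rar": b"Rar!\x1a\x07\x00"}
    for name, blob in samples.items():
        print(name, filter_attachment(blob)[0])
```

Because classification relies on content alone, a plain-text body that happens to start with `BM` is parsed as a bitmap and blocked, which is the kind of false positive the post describes.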

