NeWT Security Scanner

NeWT is a Windows version of Nessus; the free version will only scan your Class C.

If you want to scan outside of your Class C, buy a copy of NeWT or use Nessus (*nix).

Microsoft's scanner can provide a great deal of useful info but is most useful when you have admin rights to the machine.

John

John Mason Jr

PC Magazine had an article about this FREE security scanner. It will scan your entire home network and give you some interesting information about security holes and other weaknesses. Per the PCMag article it can also scan from outside the network but that didn't work for me when I entered my WAN IP. (PC Magazine printed version) The free version is for "local networks only" (Class C)

It is much more powerful than the free Microsoft security utility.

DanR

8000 files? I count 1227 files in: c:\program files\tenable\newt\plugins\scripts\ It took AVG Free virus scanner about 15 seconds to scan all of them. I did a plugin update first to be sure I didn't miss any. Where did you find 8000 plugins?
Jeff Liebermann

John, have you ever had NeWT on any of your computers? I am running a virus scan of my computer for the first time since loading the NeWT program. It is taking hours and hours to get through the \plugins\scripts folder. There are over 8,000 small files in that folder but the real problem is that it is taking Norton AV 2004 over a minute per file. That's about 5.5 days to get through that folder. I noticed when I downloaded the setup file that Norton AV was taking forever to scan the incoming file and I had to "skip" that scan. Just curious about this.
DanR

I've noticed some slowness in scanning the NeWT folder. I'll try some tests to try to determine the cause. When I can get some more data I'll forward it to Tenable.

John

John Mason Jr

I downloaded the NeWT program a couple of weeks ago from

formatting link
Had to fill out form, wait for email with access code to plugins, then get program. After installing the program it asked if I wanted to do an update (I think plug-in update) which I did. That is when the 8,000 files came streaming in. I did some testing today. The file plugin.tar.ge (size 3,242KB) in the plugins folder takes forever for my NAV to scan. Apparently this is a compressed zip-like file. (many files within one file) I gave up after a half hour or so. NAV quickly scanned 6,500 of the files then slowly got to 6,800 but I aborted. (I have NAV set to scan within compressed files) I copied this file to another computer with AVG Free and it scanned it in a second. But only saw it as one file. Now here is something even more strange. There is ONE file in the scripts folder that seems to literally take forever for NAV to scan. It is not large and as of now (still running on another computer) NAV has been scanning it for almost 4 hours. It has slowly scanned 188 files within that file. There is constant disk activity. I'm afraid to even mention the name here on this public group because it might be a denial of service type file. I have more details on this file and can post them here if you think that is OK or email you directly at the address at the bottom of your posts.

DanR

Oops. I got interrupted and forgot to register. After I registered, I got 8210 plugins. When I scanned the ..\plugin directory with AVG Free 7.0.323, it took only about 2 minutes on my PIII-933 with 256MB running W2KSP4. Methinks NAV is having a problem.

It's ..\plugin\plugin.tar.gz and AVG Free takes about 2 seconds to scan it. Probably because it's not scanning the files inside the Gzipped archive. It's set to "scan inside archives" but apparently is not scanning this one. Oh-oh.

So, I un-gzipped it to a 25.6MByte plugin.tar file and tried again. Same thing. Takes about 2 seconds and claims it only scanned one file. Apparently, Free AVG doesn't scan inside tar or tar.gz archives.

So, I created something that I knew it would scan. I took the 8210 files and conglomerated them into a 9.4MB ZIP file. AVG did scan the 8000 files inside the ZIP compressed archive in 1 min 30 seconds. Methinks your NAV is busted. Any chance you have "Norton's inoculation" feature turned on? That's where they run an MD5sum on every file to see if it has been modified. That takes literally forever inside compressed archives. I'm not going to say anything about a company that delivers a product that stores both the unarchived files, as well as the compressed archives. I guess disk space and bloat are not an issue.

Yep. Exactly as I described above. Not good either way. When I scan with Free AVG just the ..\plugin\scripts\ directory, it only takes about 2 minutes.

Sure. Feel free to email. This is interesting. However, don't expect an instant reply. I just spent part of the day on an 80ft tower and really feel the traditional aches and pains.

Jeff Liebermann

I beg to differ. I was able to extract 25.6MBytes of valid files from the tar.gz archive. There's nothing wrong with it.

Which two? I only see one listed. I have it in the ..\plugins\scripts\ folder. smtp_AV_42zip_DoS.nasl which is 121KBytes big. It's the largest file in the scripts folder. AVG scanned it as a single file in about 2 seconds.

What do you mean "normally"? How long does it take?

Jeff Liebermann

Looks like a bug in the handling of compressed files by Norton

John

John Mason Jr

John or Jeff... do you have these 2 files in your NeWT folders? Or was I just

I have smtp_AV_42zip_DoS.nasl but not plugin.tar.gz.

This is a test for an smtp server's vuln to the 42.zip DOS

quote

desc["english"] = "This script sends the 42.zip recursive archive to the mail server. If there is an antivirus filter, it may start eating huge amounts of CPU or memory.

Solution: Reconfigure your antivirus / upgrade it

end quote

In the long run it shows that our AV programs are vulnerable

John

John Mason Jr

I've done some more research and it looks like DoS.

DanR

Looks like a compression bomb to me. One quote from a site I found. "maliciously coded compressed files such as '42.zip', a "ZIP archive, 42K, composed of nested zips (nested 6 levels deep, each level 17 wide) - produces a file 4GB in size" The file I have in the "scripts" folder is named smtp_AV_42zip_DoS.nasl (121 KB). NAV tried for 4 hours to scan this file and I finally aborted. I also suspect this same file is embedded within a file named plugin.tar.gz (size 3,242KB). In an earlier post I had a typo in the file extension. Apparently these files can cause anti-virus programs to blow up. Say you email this file to a company that virus checks all incoming email. Could cause problems. I wasn't sure about talking about this here but this info is out there on the WWW. See here:

formatting link
or Jeff... do you have these 2 files in your NeWT folders? Or was I just lucky? When I tell NAV to exclude these 2 files the scan performs normally. Also see this:
formatting link

DanR

Yes it was. It shows up in the directory listing of plugin.tar.gz and in the scripts directory.

No. Looking at smtp_AV_42zip_DoS.NASL with a binary editor, it appears that 42.zip is contained within the NASL file.

"This script sends the 42.zip recursive archive to the mail server. If there is an antivirus filter, it may start eating huge amounts of CPU or memory. Solution: Reconfigure your antivirus / upgrade it."

NAV is apparently trying to scan the archive. AVG Free apparently does NOT scan inside the archive. I did some searching to see how AVG handles mail bombs. Apparently it "detects" them and does not scan inside. However, it also apparently doesn't indicate that it's a mail bomb. Wonderful choices...NAV hangs while AVG ignores.

Sorry, no clue.

Well, the obvious temporary fix is to exclude smtp_AV_42zip_DoS.nasl from being scanned by NAV. If you're a masochist, you might try mailing the file to yourself and see what happens. I just did that with the above nasl file and AVG Free just passed it like there was nothing wrong. I couldn't extract the 42.zip file from the nasl file. If I feel ambitious, I'll see if I can find the real 42.zip file and see what happens.

Jeff Liebermann
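
The two behaviours compared in this thread (one scanner recursing into the nested archive for hours, the other passing it without looking inside) leave out a third option: scan within fixed budgets and report anything that exceeds them. The Python sketch below is an added example, not part of the thread or of any product named in it; the limits, function names and sample archives are constructed assumptions.

```python
import io
import zipfile

# Illustrative budgets (assumptions, not taken from any antivirus product).
MAX_DEPTH = 3                  # archive levels the scanner will descend
MAX_TOTAL_BYTES = 50 * 2**20   # declared uncompressed bytes, all levels combined
MAX_RATIO = 100                # uncompressed:compressed ratio allowed per member


class ArchiveOverBudget(Exception):
    """The archive was not fully scanned and must be reported, not passed."""


def inspect_zip(data, depth=1, budget=None):
    """Walk a ZIP and any nested ZIPs; return the number of members seen."""
    if budget is None:
        budget = {"bytes": 0, "members": 0}
    if depth > MAX_DEPTH:
        raise ArchiveOverBudget(f"nested deeper than {MAX_DEPTH} levels")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            budget["members"] += 1
            budget["bytes"] += info.file_size
            if budget["bytes"] > MAX_TOTAL_BYTES:
                raise ArchiveOverBudget("declared size exceeds total budget")
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise ArchiveOverBudget(f"{info.filename}: ratio above {MAX_RATIO}:1")
            if info.filename.lower().endswith(".zip"):
                # Decompressed only after its declared size passed the checks above.
                inspect_zip(zf.read(info), depth + 1, budget)
    return budget["members"]


def make_zip(name, payload):
    """Constructed sample input: a one-member deflated ZIP held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def verdict(data):
    """Return a clean-scan or flagged result rather than hanging or skipping."""
    try:
        return f"clean-scan ({inspect_zip(data)} members)"
    except ArchiveOverBudget as exc:
        return f"flagged: {exc}"
```

A flagged verdict is the outcome neither scanner in the thread produced: the file is neither scanned indefinitely nor passed as clean.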


The 2 files I am referring to are: plugin.tar.gz AND smtp_AV_42zip_DoS.nasl. You said you extracted valid files from the tar.gz file. OK. But was "smtp_AV_42zip_DoS.nasl" one of those extracted files? When your AVG scanned the smtp_AV_42zip_DoS.nasl file in 2 seconds... was it looking within that compressed file? When my NAV was set to scan ONLY that file... after 4 hours it said it had scanned 256 files and it was still scanning. That's when I aborted. After aborting NAV said "135 files scanned".

256 vs 135???

With the 2 files "excluded" in the NAV setup... my latest scan took a little less than 22 minutes. It successfully scanned other compressed files quickly.

DanR

> John or Jeff... do you have these 2 files in your NeWT folders? Or was I just

So this is a test for the 42zip DoS vulnerability but it is not the actual zip bomb DoS itself?

The articles I've read on this date to 2001 so I guess it's old news.

DanR

I thought about mailing the file to myself. I'm not sure how SBC Yahoo (my ISP) would handle it at their end. (if at all) Also thought about sending to my company email address to see what happens as I know AV scans are done... but I could become very unpopular at work if something goes wrong. I believe the original 42zip file is available here:

formatting link
didn't download it because I'm not that brave.

DanR
