


Category:   Application (Security)  >   SurfinGuard Pro
Vendors:   Finjan Software
Finjan's SurfinGuard Pro May Fail To Block Certain Malicious Content
SecurityTracker Alert ID:  1000946
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 7 2002
Original Entry Date:  Feb 20 2001
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.5 (beta)
Description:   It is reported that Finjan's SurfinGuard Pro 5.5 (a beta release), an active content filtering product, may fail to filter certain scripts that are programmed to run when the viewing application is exited rather than when the content is viewed.

SurfinGuard Pro may permit an application to open content whose malicious script has been parsed but has not yet fired. When the application exits, the script fires, thereby circumventing the SurfinGuard Pro filtering protections.

A demonstration exploit is provided in the original message.

Impact:   Malicious content (e.g., a web page, an e-mail message) could fail to be blocked by the SurfinGuard Pro software.
Solution:   The vendor has released a new version (5.6) that is not vulnerable.
Vendor URL:
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  CONTENT.filtering (aka SurfinGuard Pro 5.5 )

Saturday, February 17th, 2001

Referring to last month's HTML.dropper posting
(see:, detailed examination of "buzz
words" like 'content filtering' 'real-time behaviour monitoring'
'first-strike protection' used to describe many security applications,
suggests otherwise.

For example purposes, we take the examination of one so-called content
filtering application: SurfinGuard Pro 5.5 from an interesting company

While at first glance, this particular security software package does
indeed defeat the HTML.dropper, on closer examination and with a 'bit' of
imagination we find that it is actually quite trivial to defeat.

Specifically, it would seem that in this particular security software
package's case, not only is it checking for legal MIME header
information, e.g. content-disposition:attachment;
content-type:application/malware; filename: iloveyou.vbs, it also prevents
real-time firing of scripts. But in order to defeat that all we need do is
set our scripts to fire on exit. That is, while the actual script has been
parsed but not fired, our malware application is still allowed to open by
this particular security software package. Thereafter onunload, it fires
thus defeating this so-called technology.

Working example below. Harmless "demo" code incorporated:

SurfinGuard Pro 5.5 settings set to "HIGH" and "PANIC MODE"

[right click and save to disk, open in mail client. Constructed for OE5.5]

compared to:

which is caught


1. Tested Software: SurfinGuard Pro 5.5 claims to be BETA and is free-ware.
2. Hopefully the registered versions and other products don't use the same
3. For good open-source filtering take a look at John D. Hardin's E-mail
Sanitizer and
Bjarni R. Einarsson's Anomy mail tools
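
The following is an added example, not part of the original message or of any vendor's or sanitizer project's code. It sketches the static approach a mail sanitizer can take to the gap described above: flag script elements and event-handler attributes, including exit-time ones such as onunload, when the message is parsed, instead of relying on blocking scripts as they fire. The function names and the sample message are hypothetical and constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Handlers that run when the document is closed, not when it is rendered.
DEFERRED = {"onunload", "onbeforeunload", "onpagehide"}

class ActiveContentFinder(HTMLParser):
    """Collects <script> elements and on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so onUnload matches.
        if tag == "script":
            self.findings.append(("script-element", tag, ""))
        for name, value in attrs:
            if name.startswith("on"):  # heuristic: any on* attribute
                kind = "deferred-handler" if name in DEFERRED else "event-handler"
                self.findings.append((kind, f"{tag}@{name}", value or ""))

def scan_message(raw: bytes):
    """Return (kind, location, value) findings for every text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

def verdict(raw: bytes) -> str:
    """Decide at delivery time from static content, not runtime behaviour."""
    return "quarantine" if scan_message(raw) else "pass"

# Constructed sample message; the handler body is an inert placeholder.
SAMPLE = (
    b"From: a@example.test\r\nSubject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    b'<html><body onUnload="placeholder()"><p>hello</p>'
    b"<script>function placeholder(){}</script></body></html>\r\n"
)

if __name__ == "__main__":
    for kind, where, value in scan_message(SAMPLE):
        print(f"{kind:17} {where:15} {value}")
    print(verdict(SAMPLE))
```

Because the decision is made on the parsed markup, it does not matter whether the handler would run on load or on exit.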

