[Dshield] vulnerability windows

Stephane Grobety security at admin.fulgan.com
Fri Feb 6 14:21:47 GMT 2004

> I was wondering what people's ideas were on how to minimise the windows.

Quarantine every attachment and don't deliver it to the user before enough time has elapsed (2-3 days seems enough so far).

> The other day I wondered why anti-virus vendors aren't getting into mail
> clients.

They might not get into mail client software writing, but they sure are getting into MY mail client... I'm being mail-bombed by their "you have sent a virus to our server, blah, blah" messages...

> Or Microsoft needs to be getting into antivirus a lot faster. It
> would seem logical to me that for the home user market, the time has come
> for anti-virus software to be integrated with mail clients and for some
> mechanism to exist to quarantine attachments for say 12 hours, to ensure
> updates are most likely available for any new virus.

My feeling is that you shouldn't trust the end users for that. Scan every attachment on the server and have the virus definitions auto-update every hour. Disallow every attachment of type PIF, EXE, COM, VBS, JS, BAT, CMD, SCR, CPL and the like. For more sensitive operations, implement the "quarantine everything" functionality (detaching the attachment from the message is usually pretty easy; routing the attachments that have passed the probation period is a bit more tricky).

> Also auto-update should be on by default and sufficiently hidden so the
> average n00b can't turn it off. ;-)

Well, let's see: there are far fewer mail servers on the planet than mail users. The people responsible for these servers are, on average, far more competent than the average user when it comes to computer technology, and they are probably more aware of the virus problem. Mail servers also have far better connectivity than the end user's machine: all this should tell us that the proper way to handle virii is on the server, not the client (though having a second layer of protection doesn't hurt).

What amazes me is that we're still seeing that many sites that are either completely unprotected or badly configured. Since it DOES make economic sense to the mail server operators and ISPs to have up-to-date virus scanning on everything that ever reaches a user inbox, why is that apparently so little implemented?

Good luck,
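The server-side policy described in this message (drop the listed attachment types, detach everything else and hold it for the probation period before routing it on) as an added Python example; it is not code from the post or from DShield. The three-day hold, the sample message and the addresses in it are constructed assumptions, and the block list is only the nine types the post names.

```python
import email
from email import policy
from email.message import EmailMessage
from datetime import datetime, timedelta, timezone

# Block list as given in the post; "and the like" is left to the operator.
BLOCKED_EXTENSIONS = {"pif", "exe", "com", "vbs", "js", "bat", "cmd", "scr", "cpl"}
HOLD_PERIOD = timedelta(days=3)  # probation period: the 2-3 days the post suggests

def is_blocked(filename: str) -> bool:
    """True if any dotted suffix is on the block list, so 'notes.txt.scr' counts as .scr."""
    return any(s in BLOCKED_EXTENSIONS for s in filename.lower().split(".")[1:])

def triage_message(raw: bytes, received_at: datetime) -> dict:
    """Deliver the text body now; drop blocked attachments; hold the rest until release_at."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    dropped, held = [], {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        if is_blocked(name):
            dropped.append(name)
        else:  # detach; re-scan with fresh signatures when the hold expires
            held[name] = {"data": part.get_payload(decode=True),
                          "release_at": received_at + HOLD_PERIOD}
    delivered = EmailMessage()  # headers plus text body only, sent straight away
    for hdr in ("From", "To", "Subject"):
        if msg[hdr]:
            delivered[hdr] = msg[hdr]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if held:
        text += "\n[%d attachment(s) held until %s]\n" % (len(held), (received_at + HOLD_PERIOD).isoformat())
    delivered.set_content(text)
    return {"delivered": delivered, "dropped": dropped, "held": held}

def release_due(held: dict, now: datetime) -> list:
    """Names of held attachments whose probation has elapsed."""
    return [n for n, h in held.items() if now >= h["release_at"]]

# Constructed sample: one double-extension .scr and one PDF (not a real capture).
SAMPLE = (b"From: alice@example.org\r\nTo: bob@example.org\r\nSubject: files\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
          b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
          b"--b1\r\nContent-Disposition: attachment; filename=\"notes.txt.scr\"\r\n"
          b"Content-Type: application/octet-stream\r\n\r\nMZ...\r\n"
          b"--b1\r\nContent-Disposition: attachment; filename=\"report.pdf\"\r\n"
          b"Content-Type: application/pdf\r\n\r\n%PDF-1.4\r\n--b1--\r\n")
RECEIVED_AT = datetime(2004, 2, 6, 14, 21, tzinfo=timezone.utc)
```

The held attachments must go through the scanner again with the definitions current at release time; that second scan, not the delay itself, is what closes the window.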
