[unisog] antivirus that works despite ssl

power less absolutelynopower at gmail.com
Wed Jul 4 16:40:51 GMT 2007


In honor of this idealistic holiday I ask an idealistic question :-)

Is there any antivirus that can scan email for viruses given the fact that
the email is transferred by ssl? There are 3 cases I guess:

  https: webmail connection
  imap
  pop3

This might be client specific. Let's say Thunderbird, Firefox, IE, Outlook
were the clients involved.

Secondly, is there any antivirus program that can scan for viruses in the
case of the web being surfed via https? (Firefox and IE would be the
clients.)

Actually I haven't seen an antivirus program catching a virus when surfing
via http (no s). Yeah I know it would be especially hard to write a program
to deal with the encryption but does anyone doubt that a whole lot of
keyloggers are not capable of doing this? So if they can do it why can't an
antivirus product?

The recent spate of the "storm worm" emails has given me great opportunity
to test antivirus products and the results are grim. Using a couple of very,
very well-known products, they did not detect the worm at the level of a
person viewing the emails using imap nor https, even in the case of a
rendition of the worm received way back on 6/29. One of the programs
specifically claimed it could scan imap email but it did not say anything
about any worm in actual testing. I can only assume that the reason it
didn't alarm was the encryption. Well, who reads email *without* encryption?
(Yeah, probably a lot of people, but they shouldn't.) There's something
really, really wrong with the current scenario, to state the obvious. It's
not that I'm convinced this particular email worm is so terrible; it's the
principle here that users are such sitting ducks for anything delivered via
web protocols, surfing the web and/or reading email. We pay a lot of money
for "protection" that does nothing. Am I wrong? If someone knows of a
product that absolutely can rise to the occasion of even being able to
detect a well-known web-based worm in the case of ssl or tls, please shout
out.