[unisog] antivirus that works despite ssl

Harry Hoffman hhoffman at ip-solutions.net
Wed Jul 4 17:33:25 GMT 2007


I can think of a couple of ways... scan upon delivery to the intended 
mailbox as opposed to SMTP transit.

Accept via SMTP (TLS/SSL), re-inject through SMTP (amavisd) via a loopback 
and scan there. This is what usually happens with postfix/amavisd/AV 
setups.

While not A/V, privoxy does a good job of mangling JavaScript to make 
getting owned more difficult.

I believe that most of the major A/V providers will scan the temporary 
files created when downloading or browsing.

HTH,
Harry



 On Wed, 4 Jul 2007, power less wrote:

> In honor of this idealistic holiday I ask an idealistic question :-)
> 
> Is there any antivirus that can scan email for viruses given the fact that
> the email is transferred by SSL? There are 3 cases I guess:
> 
>   https: webmail connection
>   imap
>   pop3
> 
> This might be client specific. Let's say Thunderbird, Firefox, IE, and
> Outlook were the clients involved.
> 
> Secondly, is there any antivirus program that can scan for viruses in the
> case of the web being surfed via https: (Firefox and IE would be the
> clients)?
> 
> Actually I haven't seen an antivirus program catching a virus when surfing
> via http (no s). Yeah, I know it would be especially hard to write a
> program to deal with the encryption, but does anyone doubt that a whole lot
> of keyloggers are not capable of doing this? So if they can do it, why
> can't an antivirus product?
> 
> The recent spate of the "storm worm" emails has given me a great
> opportunity to test antivirus products, and the results are grim. Using a
> couple of very, very well known products, they did not detect the worm at
> the level of a person viewing the emails using imap or https, even in the
> case of a rendition of the worm received way back on 6/29. One of the
> programs specifically claimed it could scan imap email, but it did not say
> anything about any worm in actual testing. I can only assume that the
> reason it didn't alarm was the encryption. Well, who reads email *without*
> encryption? (Yeah, probably a lot of people, but they shouldn't.) There's
> something really, really wrong with the current scenario, to state the
> obvious. It's not that I'm convinced this particular email worm is so
> terrible; it's the principle here that users are such sitting ducks for
> anything delivered via web protocols, surfing the web and/or reading
> email. We pay a lot of money for "protection" that does nothing. Am I
> wrong? If someone knows of a product that absolutely can rise to the
> occasion of even being able to detect a well known web-based worm in the
> case of SSL or TLS, please shout out.
> 
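
The loopback re-injection Harry describes, written out as an added
Postfix/amavisd-new configuration example. This is not from the original
post; the port numbers (10024 for the amavisd listener, 10025 for the
re-injection smtpd), the 127.0.0.1 binding and the certificate paths are the
conventional values from the amavisd-new Postfix documentation and are
assumed here. The point it illustrates is that TLS terminates on the public
:25 smtpd, so the scanner on the loopback always sees plaintext, no matter
how the end user later fetches the mail over IMAP, POP3 or webmail.

```text
# /etc/postfix/main.cf (additions)
# Accept mail from the Internet on :25 with opportunistic TLS. TLS is
# terminated here, so everything past this point is plaintext to Postfix.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem    # assumed path
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key  # assumed path

# Hand every accepted message to amavisd on the loopback before it is
# queued for delivery. 10024 is the amavisd-new default port (assumed).
content_filter = smtp-amavis:[127.0.0.1]:10024

# /etc/postfix/master.cf (additions)
# Outbound leg: Postfix -> amavisd, at most two concurrent scanner sessions.
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

# Re-injection leg: amavisd -> Postfix on 127.0.0.1:10025. content_filter is
# cleared so the message is not scanned a second time (no loop), and the
# listener only accepts connections from mynetworks, i.e. the loopback, so
# nothing on the network can inject mail past the scanner.
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o smtpd_tls_security_level=none

# /etc/amavisd.conf (the matching side; Perl syntax)
$inet_socket_port = 10024;                    # listen for Postfix
$inet_socket_bind = '127.0.0.1';              # loopback only
@inet_acl = qw( 127.0.0.1 [::1] );            # who may connect to 10024
$forward_method = 'smtp:[127.0.0.1]:10025';   # re-inject clean mail
$notify_method  = $forward_method;
$final_virus_destiny = D_DISCARD;             # or D_BOUNCE / D_REJECT
```

Two checks worth running after a reload: `postconf -n content_filter` should
print the 10024 setting, and `ss -ltn` (or `netstat -ltn`) should show both
10024 and 10025 bound to 127.0.0.1 only; a 10025 listener reachable from
outside is a filter bypass. To confirm the scanner actually fires, send a
message with the EICAR test file attached to :25 (for example with `swaks
--to user@example.com --server 127.0.0.1 --attach eicar.com`, the recipient
being an assumed local mailbox) and look for the amavis "INFECTED" line in
the mail log. Note that this only answers the mail half of the question;
scanning before delivery makes the client's TLS irrelevant, but it does
nothing for content fetched by a browser over HTTPS.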

