[unisog] antivirus that works despite ssl

Stasiniewicz, Adam stasinia at msoe.edu
Wed Jul 4 17:38:00 GMT 2007


Actually there are many anti-virus products that get around the SSL/TLS
problem.

At the MTA side, practically every major AV vendor has plugins for Exchange
and Sendmail.  Most also support MTAs like Postfix, Domino, and others.
Virtually all these plugins interact with the MTA after the message has been
de-SSLed and before being re-SSLed for outbound relay or download to client.


At the client side, many email clients (like Outlook) allow for external AV
to integrate with them.  Like with the MTAs, this allows for messages to be
scanned after decryption but before the user can open them.  This also
allows for messages delivered by proprietary protocols (like MAPI) to be
scanned.  I have personally had success using both Symantec Corporate
Edition and Kaspersky to scan SSL and MAPI delivered messages.


As for HTTPS filtering, there are several products out there that can scan
within HTTPS sessions.  I know both ISA and Bluecoat offer this
functionality.


Hope that helps,

Adam Stasiniewicz
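The MTA-side arrangement described above (a scanner that sees the message after the MTA has terminated TLS and before it is re-encrypted for relay or download) can be illustrated with a small post-queue content filter. This is an added example, not code from the thread, from any AV vendor or from any MTA project. The demo message, the SHA-256 blocklist and the extension list are constructed for the example; the exit-status convention (0 to re-inject, 69 to reject) follows Postfix's simple content_filter interface, and the detection uses the published EICAR test string so that it can be exercised without any real malware.

```python
"""Minimal post-queue e-mail content filter that scans an already-decrypted message.

Added example for the unisog thread; not code from any AV vendor or MTA.
In a Postfix-style deployment the MTA pipes the plaintext message to a filter
like this after terminating TLS and re-encrypts it only if the filter accepts.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# EICAR anti-virus test string: harmless by design, published for scanner tests.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed blocklist of SHA-256 digests (an operator would feed real ones in).
BLOCKED_SHA256 = {hashlib.sha256(EICAR).hexdigest()}

# Attachment types that mail gateways commonly quarantine regardless of content
# (constructed list for the demo).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")

# Exit statuses from the Postfix simple content_filter convention (sysexits.h).
EX_OK = 0            # clean: the MTA re-injects the message for delivery
EX_UNAVAILABLE = 69  # reject: the MTA bounces the message


def scan_message(raw: bytes) -> list:
    """Walk every MIME part of one RFC 5322 message; return findings (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no payload of their own
        filename = part.get_filename() or ""
        label = filename or part.get_content_type()
        # decode=True undoes base64 / quoted-printable, so checks see the real bytes
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {filename}")
        if hashlib.sha256(payload).hexdigest() in BLOCKED_SHA256:
            findings.append(f"blocklisted hash: {label}")
        if EICAR in payload:
            findings.append(f"EICAR signature in {label}")
    return findings


def verdict(raw: bytes) -> int:
    """Map findings to the exit status the MTA acts on."""
    return EX_UNAVAILABLE if scan_message(raw) else EX_OK


def build_message(attachment: bytes, filename: str) -> bytes:
    """Construct a sample message with one attachment (demo data, not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed demo message"
    msg.set_content("See attachment.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # In production the MTA would pipe the message on stdin; here run two demos.
    for sample in (build_message(EICAR, "invoice.exe"),
                   build_message(b"quarterly notes", "notes.txt")):
        print(verdict(sample), scan_message(sample))
```

The point of the design is where the filter sits, not the detection logic: because the MTA has already removed TLS, the filter reads plaintext MIME and can decode each part, which is exactly what a network-level scanner watching the encrypted SMTP, IMAP or POP3 session cannot do. Hash and extension checks are stand-ins for whatever engine an operator actually plugs in.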

From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of power less
Sent: Wednesday, July 04, 2007 11:41 AM
To: unisog at lists.dshield.org
Subject: [unisog] antivirus that works despite ssl
In honor of this idealistic holiday I ask an idealistic question :-)

Is there any antivirus that can scan email for viruses given the fact that
the email is transferred by ssl? There are 3 cases I guess:
https: webmail connection
imap
pop3
This might be client specific. Let's say thunderbird, firefox, ie, outlook
were the clients involved.

Secondly is there any antivirus program that can scan for viri in the case
of the web being surfed via https:? (firefox and IE would be the clients).

Actually I haven't seen an antivirus program catching a virus when surfing
via http (no s). Yeah I know it would be especially hard to write a program
to deal with the encryption but does anyone doubt that a whole lot of
keyloggers are not capable of doing this? So if they can do it why can't an
antivirus product?

The recent spate of the "storm worm" emails has given me great opportunity
to test antivirus products and the results are grim. Using a couple of very,
very well known products, they did not detect the worm at the level of a
person viewing the emails using imap nor https, even in the case of a
rendition of the worm received way back on 6/29. One of the programs
specifically claimed it could scan imap email but it did not say anything
about any worm in actual testing. I can only assume that the reason it
didn't alarm was the encryption. Well who reads email *without* encryption?
(yeah probably a lot of people but they shouldn't.) There's something really,
really wrong with the current scenario, to state the obvious. It's not that
I'm convinced this particular email worm is so terrible; it's the principle
here that users are such sitting ducks for anything delivered via web
protocols, surfing the web and/or reading email. We pay a lot of money for
"protection" that does nothing. Am I wrong? If someone knows of a product
that absolutely can rise to the occasion of even being able to detect a well
known web-based worm in the case of ssl or tls please shout out.
