[unisog] antivirus that works despite ssl

power less absolutelynopower at gmail.com
Wed Jul 4 21:09:52 GMT 2007


Well ok, here I have Outlook 2003 configured for IMAP, and it is most happy
to view any number of those Storm messages without a squeak out of an
extremely well known antivirus product. So where is that feature? Well, it's
not there I guess (see the extract from the help below), because the product
doesn't do any of the protocols that we are limited to at this institution:
their own SSL web mail interface, IMAP, and POP. This institution doesn't do
MAPI, Exchange, nor Notes. (The antivirus purchasing committee and the email
configuration committee were definitely not on the same page, unfortunately
:-( )

Thanks for the pointer to using Outlook and MAPI. Unfortunately the email
powers probably won't do MAPI, and secondly there is a preference for
Thunderbird in general. We are SOL on that front I guess. Unless someone
knows a free antivirus program that is not as limited?

Maybe I should just forget about the intractable email problem and worry
about the bigger problem: web surfing. I see there are quite a few programs
that claim to protect surfers. Here are just 3 of them that do Firefox:
http://www.siteadvisor.com/download/ff_learnmore.html
http://securebrowsing.finjan.com/
http://www.explabs.com/products/lslite.asp

Anyone have any particular recommendations?

******* yes we don't do your email protocol :-) ******

  *About Auto-Protect and email scanning*

This updated section is from Chapter 3, Protecting your computer from
viruses and security risks.

To supplement Auto-Protect, X detects at installation whether you use a
supported groupware email client and adds Auto-Protect for email.

Protection is provided for the following email clients:

   - Lotus Notes 4.5x, 4.6, 5.0, and 6.x
   - Microsoft Outlook 98/2000/2002/2003 (MAPI and Internet)
   - Microsoft Exchange client 5.0 and 5.5

Note: E-mail Auto-Protect works on your supported email client only. It does
not protect email servers.

X also includes Auto-Protect scanning for additional Internet email programs
by monitoring all traffic that uses the POP3 or SMTP communications
protocols. You can configure X to scan incoming messages for threats and
security risks, as well as outgoing messages for known heuristics by using
Bloodhound Virus Detection. Scanning outgoing email helps to prevent the
spread of threats such as worms that can use email clients to replicate and
distribute themselves across a network.

Note: Internet email scanning is not supported for 64-bit computers.

For Lotus Notes and Microsoft Exchange email scanning, X scans only the
attachments that are associated with email. For Internet email scanning of
the messages that use the POP3 or SMTP protocols, X scans both the body of
the message and any attachments that are included.

If you use Microsoft Exchange or Microsoft Outlook(r) over MAPI and you have
Auto-Protect enabled for email, when you open a message with an attachment,
the attachment is immediately downloaded to your computer and scanned. Over
a slow connection, downloading messages with large attachments affects mail
performance. You may want to disable this feature if you regularly receive
large attachments.

There are times, such as during the installation of new software, that you
must temporarily disable Auto-Protect.

Note: If a virus is detected as you open email, your email may take several
seconds to open while X completes its scan.

Email scanning does not support the following email clients:

   - IMAP clients
   - AOL(r) clients
   - Web-based email such as Hotmail(r) and Yahoo!(r) Mail




On 7/4/07, Stasiniewicz, Adam <stasinia at msoe.edu> wrote:
>
> Actually there are many anti-virus products that get around the SSL/TLS
> problem.
>
> At the MTA side, practically every major AV vendor has plugins for
> Exchange and Sendmail. Most also support MTAs like Postfix, Domino, and
> others. Virtually all these plugins interact with the MTA after the message
> has been de-SSLed and before being re-SSLed for outbound relay or download
> to the client.
>
> At the client side, many email clients (like Outlook) allow for external
> AV to integrate with them. Like with the MTAs, this allows for messages to
> be scanned after decryption but before the user can open them. This also
> allows for messages delivered by proprietary protocols (like MAPI) to be
> scanned. I have personally had success using both Symantec Corporate
> Edition and Kaspersky to scan SSL and MAPI delivered messages.
>
> As for HTTPS filtering, there are several products out there that can scan
> within HTTPS sessions. I know both ISA and Bluecoat offer this
> functionality.
>
> Hope that helps,
>
> Adam Stasiniewicz
>
> *From:* unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org]
> *On Behalf Of *power less
> *Sent:* Wednesday, July 04, 2007 11:41 AM
> *To:* unisog at lists.dshield.org
> *Subject:* [unisog] antivirus that works despite ssl
>
> In honor of this idealistic holiday I ask an idealistic question :-)
>
> Is there any antivirus that can scan email for viruses given the fact that
> the email is transferred by SSL? There are 3 cases I guess:
> https: webmail connection
> imap
> pop3
> This might be client specific. Let's say Thunderbird, Firefox, IE, Outlook
> were the clients involved.
>
> Secondly, is there any antivirus program that can scan for viri in the case
> of the web being surfed via https:? (Firefox and IE would be the clients.)
>
> Actually I haven't seen an antivirus program catching a virus when surfing
> via http (no s). Yeah, I know it would be especially hard to write a program
> to deal with the encryption, but does anyone doubt that a whole lot of
> keyloggers are not capable of doing this? So if they can do it, why can't an
> antivirus product?
>
> The recent spate of the "storm worm" emails has given me great opportunity
> to test antivirus products, and the results are grim. Using a couple of very
> very well known products, they did not detect the worm at the level of a
> person viewing the emails using IMAP nor HTTPS, even in the case of a
> rendition of the worm received way back on 6/29. One of the programs
> specifically claimed it could scan IMAP email, but it did not say anything
> about any worm in actual testing. I can only assume that the reason it
> didn't alarm was the encryption. Well, who reads email *without* encryption?
> (Yeah, probably a lot of people, but they shouldn't.) There's something
> really, really wrong with the current scenario, to state the obvious. It's
> not that I'm convinced this particular email worm is so terrible; it's the
> principle here that users are such sitting ducks for anything delivered via
> web protocols, surfing the web and/or reading email. We pay a lot of money
> for "protection" that does nothing. Am I wrong? If someone knows of a
> product that absolutely can rise to the occasion of even being able to
> detect a well known web-based worm in the case of SSL or TLS, please shout
> out.
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
>
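To make concrete where in the mail path the scanning Adam describes can actually happen, here is an added example (not part of this thread and not any vendor's product code): a minimal content-filter-style scanner in Python that inspects a message at the point an MTA plugin sees it, after TLS termination and before onward delivery, decoding each MIME part so the signature is matched against the real attachment bytes. The signature table, the sample message and the function names (scan_message, content_filter_verdict, pattern_visible_on_wire, build_sample) are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed test signature (hypothetical). In a real deployment the vendor's
# signature database replaces this dict; the hook point is what matters here.
SIGNATURES = {b"STORM-TEST-PAYLOAD": "Test.Worm.Storm"}


def scan_message(raw: bytes) -> list:
    """Scan one already-decrypted RFC 5322 message, i.e. what an MTA plugin or
    content filter sees between TLS termination and onward delivery.
    Returns (part_name, signature_name) findings for body text and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # decode=True undoes base64 / quoted-printable, so the signature is
        # matched against the actual attachment bytes, not the transfer encoding.
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or part.get_content_type()
        for pattern, sig_name in SIGNATURES.items():
            if pattern in data:
                findings.append((name, sig_name))
    return findings


def content_filter_verdict(raw: bytes) -> str:
    """Verdict a content filter hands back to the MTA for the decrypted message."""
    return "REJECT" if scan_message(raw) else "DELIVER"


def pattern_visible_on_wire(raw: bytes) -> bool:
    """Naive check on the raw message bytes, as a network-level scanner would do.
    Over TLS the stream is ciphertext, so even this is impossible; without TLS
    the base64 transfer encoding already hides the pattern from such a check."""
    return any(p in raw for p in SIGNATURES)


def build_sample(malicious: bool) -> bytes:
    """Constructed sample message with one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Greeting card"
    msg.set_content("You have received a greeting card.")
    body = b"STORM-TEST-PAYLOAD" if malicious else b"harmless attachment"
    msg.add_attachment(body, maintype="application",
                       subtype="octet-stream", filename="greeting.bin")
    return bytes(msg)
```

Running scan_message on build_sample(True) reports the attachment, while pattern_visible_on_wire on the same raw bytes finds nothing, which is the gap the thread is about: a scanner that only watches the network stream has no decrypted, decoded message to look at.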