[unisog] antivirus that works despite ssl

power less absolutelynopower at gmail.com
Thu Jul 5 14:59:09 GMT 2007


Yeah, I know the typical antivirus program doesn't scan it until the virus
creates a file on the hard drive. But that's what I want to avoid. I want
something done before that. By the time the virus is that far it usually has
enough momentum to disable the antivirus program.
(Who thinks a virus can't do a lot of badness just running in memory? A
person could write a program that did absolutely everything in memory and
never wrote a file on the disk.)
Yes, I want a program that can scan the email messages (or 'carriers' as
you're calling them).
Realize that if the customers are effectively saying "it's ok to not do
anything about email viruses until they download a virus file to the target
computer HD," that means the antivirus doesn't have to do anything at all
about a non-click-requiring-to-install virus. And there have been some. If
the virus can launch directly from HTML and/or something auto-run by the
email program, we are in deep trouble.

We have a mail server scanner. There are 2 concerns I have about it. 1. If
this system IDs the message as a virus it puts it in the junk mail folder.
So I have quite a collection of those Storm ecards now in the junk mail
folder. However the junk mail folder is still accessible to the users, where
they can get into these messages. I would at least like viruses to go in the
"virus" folder if not get removed altogether. 2. As soon as there is a slight
change to the virus-carrying message the mail server antivirus program
doesn't recognize it for a while, so the virus can be delivered to the inbox
instead of the junk mail folder. Once it gets in the inbox it's set, because
scanning only occurs when the mail arrives. Even if a signature subsequently
was developed it has no effect on messages that already arrived. That leaves
the only line of defense to be one of these extremely sluggish file-based
antivirus programs.


On 7/4/07, Cal Frye <cjf at calfrye.com> wrote:
>
> power less wrote:
> > Well ok here I have outlook 2003 configured for imap. And it is most
> > happy to view any number of
> > those storm messages without a squeak out of an extremely well known
> > antivirus product.
>
> so are you actually downloading the infected file attachment, or merely
> viewing the email carrier? Until you get that file downloaded to your
> client computer, your local antivirus package won't scan it.
>
> Most packages have an "on-access" scan option, be sure that option
> includes the temp directory your mail client will use to download the
> file attachment. At that point, it should be scanned and identified.
>
> As has been already indicated, once it's downloaded by your client, it's
> been decrypted and your AV should be able to identify it.
>
> Better is to do the virus scanning on the mail server, but that appears
> to be a different discussion altogether.
>
> --
> Regards,
> -- Cal Frye, Network Administrator, Oberlin College
>
>    www.calfrye.com,   www.pitalabs.com
>
> "In dwelling, live close to the ground. In thinking, keep to the simple.
> In conflict, be fair and generous. In governing, don't try to control.
> In work, do what you enjoy. In family life, be completely present." --
> Lao Tzu.
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
>
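The two complaints above (hits parked in a user-visible junk folder, and no rescan of mail that was already delivered before a signature existed) describe a concrete control: periodically rescan every stored message against the current signature set and move hits into a quarantine folder the user cannot reach. The following is an added example written for this page, not code from the thread or from any product mentioned in it. It uses a SHA-256 hash list as a stand-in for real antivirus signatures and an in-memory dict of folders as a stand-in for an IMAP store; the "ecard.exe" payloads are constructed bytes, not real malware.

```python
"""Rescan already-delivered mail against an updated signature set and
quarantine hits into a Virus folder (added example, not from the thread)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage


def make_signatures(samples):
    """Hypothetical signature set: SHA-256 of attachment bytes -> detection name.
    Real scanners use far richer signatures; a hash list is enough to show the flow."""
    return {hashlib.sha256(data).hexdigest(): name for name, data in samples.items()}


def iter_attachments(msg):
    """Yield (filename, payload_bytes) for every attachment, walking nested parts."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            yield filename or "(unnamed)", part.get_payload(decode=True) or b""


def scan_message(raw, signatures):
    """Return a list of (filename, detection) hits for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for filename, data in iter_attachments(msg):
        digest = hashlib.sha256(data).hexdigest()
        if digest in signatures:
            hits.append((filename, signatures[digest]))
    return hits


def rescan_mailbox(folders, signatures, quarantine="Virus"):
    """Rescan every stored message in every folder except the quarantine folder
    and move hits into quarantine. 'folders' maps folder name -> {uid: raw bytes},
    simulating a mail store. Returns {uid: hits} for the messages that were moved."""
    folders.setdefault(quarantine, {})
    moved = {}
    for name, box in folders.items():
        if name == quarantine:
            continue
        for uid in list(box):  # copy keys: we pop while iterating
            hits = scan_message(box[uid], signatures)
            if hits:
                folders[quarantine][uid] = box.pop(uid)
                moved[uid] = hits
    return moved


def build_message(subject, body, attachment=None):
    """Construct a sample message (test data, not a captured Storm ecard)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        filename, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed "variants": the second is the slightly changed carrier the
# post describes, which arrival-time scanning with day-1 signatures misses.
VARIANT_A = b"constructed sample: ecard.exe variant A"
VARIANT_B = b"constructed sample: ecard.exe variant B (slightly changed)"


def demo():
    folders = {
        "INBOX": {
            1: build_message("Hello", "plain text, no attachment"),
            2: build_message("You've received an ecard", "open the card",
                             ("ecard.exe", VARIANT_B)),
        },
        "Junk": {
            3: build_message("You've received an ecard", "open the card",
                             ("ecard.exe", VARIANT_A)),
        },
    }
    # Day 1: only variant A is known. Message 3 leaves the user-visible Junk
    # folder for Virus; message 2 (variant B) stays in INBOX undetected.
    sigs = make_signatures({"Ecard.A": VARIANT_A})
    first = rescan_mailbox(folders, sigs)
    # Day 2: a signature for variant B ships. Rescanning the store catches the
    # message that was delivered before the signature existed.
    sigs = make_signatures({"Ecard.A": VARIANT_A, "Ecard.B": VARIANT_B})
    second = rescan_mailbox(folders, sigs)
    return first, second, folders


if __name__ == "__main__":
    first, second, folders = demo()
    print("day 1 moved:", first)
    print("day 2 moved:", second)
    print("Virus folder now holds uids:", sorted(folders["Virus"]))
```

Against a real IMAP server the same loop would walk each folder with imaplib FETCH, hand the raw message to the scanner, and COPY the hit to the quarantine folder before flagging the original \Deleted; the point of the example is the second pass, which is what a scan-on-arrival-only setup never does.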

