[unisog] antivirus that works despite ssl

Stephen John Smoogen smooge at unm.edu
Thu Jul 5 17:06:54 GMT 2007


power less wrote:
> Yeah I know the typical antivirus program doesn't scan it until the virus
> creates a file on the hard drive. But that's what I want to avoid. I
> want something done before that. By the time
> the virus is that far it usually has enough momentum to disable the
> antivirus program.
> (Who thinks a virus can't do a lot of badness just running in memory? A
> person could write a program that did absolutely everything in memory
> and never wrote a file on the disk.)


Ok from what I can tell... you are saying that you want a program that
goes over to the server and figures out that the bits are bad BEFORE
they get onto the wire for your system. That by definition is server
side scanning so you need to install onto a scanner.

I am probably years out of date and primarily a Linux person, but the
way I understood that AVs hooked into the stack was that the client would
initiate a pull, suck the file over and hand it over to the antivirus
program. The antivirus program would then write stuff into a 'protected'
area and scan and check to see if it was ok. It would then hand back
onto the stack if the file was ok. The break-downs occur if there is a
buffer overflow in the transport mechanism or in the email program
before it hands over to the AV.

Another solution I have seen in the past that might work was if you
stuck a man-in-the-middle into the system that you controlled and you
got the email programs to accept versus stop/complain that there is a
MITM. The Man in the Middle acts as an IMAP/POP/HTTPS proxy and
decrypts the items and runs an AV on them. If the file is bad, the
client is given a false file that says something else (bad-boy no
biscuit) and if the file is good it goes through.

Heck I think this is how some spyware works... it just runs as a local
proxy and configures all the email/web programs to use it so it can see
all traffic even if encrypted. It adds a bad certificate to make the
traffic look legit to the products.


-- 
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-7343  Email: smooge at unm.edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
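What the scanning step of such a proxy looks like, as an added example that is not from the list post or from any product: a Python filter that takes an already-decrypted message, scans each attachment against a signature table (the EICAR test string plus a constructed placeholder pattern), and swaps a matching attachment for a text notice, the "false file" the post describes. The TLS interception itself is assumed to have happened upstream; the message, addresses and attachments are constructed for the example.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Signature table; EICAR is the standard harmless AV test string, the second
# entry is a constructed placeholder for this example, not a real marker.
SIGNATURES = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Constructed-Demo-Sig": b"CONSTRUCTED_MALWARE_MARKER_0001",
}

def match_signature(data: bytes):
    """Return the name of the first signature present in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def filter_message(raw: bytes):
    """Scan each attachment of a decrypted RFC 5322 message; a match is swapped
    for a text notice (the 'no biscuit' file the client gets instead).
    Returns (filtered_bytes, [(filename, signature, sha256_hex), ...])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        hit = match_signature(payload)
        if hit is None:
            continue
        fname = part.get_filename() or "unnamed"
        findings.append((fname, hit, hashlib.sha256(payload).hexdigest()))
        # set_content() drops the old payload and Content-* headers, then
        # installs the notice as a text/plain attachment in the same slot.
        part.set_content(f"Attachment '{fname}' removed by scanning proxy: matched {hit}\n",
                         filename=f"{fname}.removed.txt", disposition="attachment")
    return msg.as_bytes(), findings

def build_sample() -> bytes:
    """Constructed sample message: one clean attachment and one EICAR file."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.test", "bob@example.test", "report"
    m.set_content("See attached.")
    m.add_attachment("plain report text\n", filename="report.txt")
    m.add_attachment(SIGNATURES["EICAR-Test-File"], maintype="application",
                     subtype="octet-stream", filename="eicar.com")
    return m.as_bytes()
```

Running filter_message over the filtered output a second time yields no findings, which is the check a proxy should make before forwarding the rewritten message.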