[unisog] antivirus that works despite ssl

Joseph Brennan brennan at columbia.edu
Thu Jul 5 17:48:36 GMT 2007

>  1. if this system ids the message as a virus it puts it in the junk mail
> folder. So I have quite a collection
> of those storm ecards now in the junk mail folder. However the junk mail
> folder is still accessible to the users where they can get into these
> messages.

> 2. as soon as there is a slight change to the virus-carrying message the
> mail server antivirus program doesn't recognize it for a while so the
> virus can be delivered to the inbox instead of the junk mail folder

But do any of these actually contain a virus?

The only ones reported to us are plain text or html text with a uri
to a web page that contains the virus.  The email itself is just text.

Maybe your anti-virus software, besides scanning attachments for viruses,
also identifies text parts known to point to virus web pages, or uris
known to contain viruses?  That's pretty good, but it is very specific
and has the updating problems you mention, just like other anti-virus
approaches.  Some more generalized patterns might work.  Many of these
have a uri consisting of an IP address, slash, question mark, long string
of small letters and numerals.  Not much mail otherwise has that, so it
might be worthwhile to quarantine or reject that.  This approach is more
likely to get future variants, for a while anyway.

(If you have any that DO contain a virus I'd like to know more.  Let me
know offline.)

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
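The "IP address, slash, question mark, long run of small letters and numerals" pattern described in the message above, turned into a mail-body check. This is an added example written for this page, not code from the list, from Columbia's mail system or from any anti-virus product. The minimum token length (12), the `scan_message`/`find_lure_uris` names and every sample message below are assumptions constructed for the illustration; the addresses come from the RFC 5737 documentation ranges.

```python
"""Heuristic detector for e-card lures whose only payload is a URI of the form
http://<dotted-quad IPv4>/?<long lowercase alphanumeric token>.
Added example for this page; not the list's or any vendor's code."""
import re
from email import message_from_string
from email.policy import default as default_policy

# Assumption: a query token shorter than this is not "long". Tune to your mail stream;
# too small a value will start catching ordinary IP-addressed links with short queries.
MIN_TOKEN_LEN = 12

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
STORM_URI_RE = re.compile(
    r"(?<![\w.])"                     # don't start inside a longer token or dotted name
    r"(?:https?://)?"                 # scheme is optional in the lure text
    rf"(?:{_OCTET}\.){{3}}{_OCTET}"   # dotted-quad IPv4 address, no hostname
    r"/\?"                            # a bare "/?" immediately after the address
    rf"[a-z0-9]{{{MIN_TOKEN_LEN},}}"  # long run of lowercase letters and digits
    r"(?![A-Za-z0-9])"                # the token must end here
)


def find_lure_uris(text: str) -> list[str]:
    """Return every URI in `text` matching the IP/?token pattern (no capture groups,
    so findall yields the whole match)."""
    return STORM_URI_RE.findall(text)


def text_parts(raw_message: str) -> list[str]:
    """Decode every text/* part of an RFC 5322 message (plain and HTML alike);
    the lures are text-only, so attachments are irrelevant to this check."""
    msg = message_from_string(raw_message, policy=default_policy)
    return [part.get_content() for part in msg.walk()
            if part.get_content_maintype() == "text"]


def scan_message(raw_message: str) -> dict:
    """Verdict for one message: 'quarantine' if any text part carries a lure URI."""
    hits = []
    for text in text_parts(raw_message):
        hits.extend(find_lure_uris(text))
    return {"verdict": "quarantine" if hits else "deliver", "uris": hits}


# Constructed sample messages (not real captures). Addresses are RFC 5737 test ranges.
LURE_PLAIN = """\
From: ecard@example.net
To: user@example.edu
Subject: You have received an ecard
Content-Type: text/plain; charset="us-ascii"

Hi. Your friend has sent you an ecard. To view it, click the link below:
http://192.0.2.45/?a7c0f3e91b2d4a8e
"""

LURE_HTML = """\
From: postcards@example.net
To: user@example.edu
Subject: Your family member sent you a postcard
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your family member sent you a postcard.</p>
<a href="http://198.51.100.7/?f4d8e2b16a9c0e3d">View your postcard</a></body></html>
"""

# Legitimate IP-addressed link: path and a normal query string, not a bare "/?token".
LEGIT_WIKI = """\
From: admin@example.edu
To: staff@example.edu
Subject: Wiki moved
Content-Type: text/plain; charset="us-ascii"

Our internal wiki is now at http://10.20.30.40/wiki/index.php?title=Main_Page
"""

# IP address with "/?" but a short token: below the length threshold, so delivered.
SHORT_TOKEN = """\
From: dev@example.edu
To: user@example.edu
Subject: test link
Content-Type: text/plain; charset="us-ascii"

Try http://192.0.2.9/?abc123 and tell me if it loads.
"""

if __name__ == "__main__":
    for name, raw in [("plain lure", LURE_PLAIN), ("html lure", LURE_HTML),
                      ("wiki", LEGIT_WIKI), ("short token", SHORT_TOKEN)]:
        print(f"{name:12s} -> {scan_message(raw)}")
```

Because the pattern keys on the shape of the link rather than on a specific address or token, it keeps matching when the sender rotates hosts or tokens, which is exactly where signature-style text matching falls behind. It stops working the moment the campaign switches to hostnames or to a path before the token, and a legitimate IP-addressed link with a long lowercase query string would trip it, so quarantining (where an admin can review) is the safer of the two actions the message suggests.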

