[Snort-users] SMTP Virus Gateway

matt mkettler at ...4108...
Fri Jun 14 11:30:04 EDT 2002


I'm using a double-queued sendmail setup called MailScanner, it seems to 
work quite nicely so far and lets me pick one of several command-line AV 
products to use with it (Sophos, F-Prot, Kaspersky, and others).

It's also a direct add-on to an existing mailserver and doesn't require 
adding an appliance as an intermediate mailserver, but does require some 
good old-fashioned unix system admin know-how.


<OT counter rant>

Your comments on file extensions might be of noble intent, but quite 
frankly they do not solve the problem. Extension blocking is quite 
effective short-term, but in the long-term makes the problem *WORSE*.

Most email viruses rely on social engineering to get people to execute an 
attachment. Most do this by trying to confuse the user into believing that 
someone they know has sent them some form of document or what have you.

Assumption: Users have a genuine need to exchange files via email, 
including files that you consider desirable to block.

Given that assumption users will eventually come upon some form of commonly 
accepted means for exchanging these files in the face of extension 
filtering. Since Windows XP now supports zip archives directly in explorer 
as if they were folders, they will likely adopt a convention of zipping 
such files prior to email.

I know I email out many legitimate executable files, I'm a software writer, 
go figure. An email is a very effective means of getting my users a quick 
test-patch. I also generally pack them in a zip file, because of common 
extension blocking schemes.

Since viruses rely on social engineering, they will adapt to match whatever 
standards of exchange that people are commonly using. I suspect it won't be 
long before we start seeing viruses that .zip themselves to bypass such 
"proactive" solutions, and to fit in more with the current norm for file 
exchange.

Thus all you've done is create an inconvenience for your users that virus 
writers will merely adapt to. You've also successfully created more work 
for your signature-based email antivirus scanner, since it will now have to 
be configured to scan inside compressed archives to catch such viruses.

That said, I do have blocking for .pif, and most of the "double-extension" 
set virii use (*.txt.exe etc).

</OT counter-rant>


At 12:22 PM 6/14/2002 -0400, McCammon, Keith wrote:
>I've always used McAfee WebShield SMTP with great success.  Then again, I 
>also do a blanket drop of all .exe, .vbs, .bat, etc.
>
><OT Rant>
>Virii are ever-changing, and are spreading faster and faster.  And as many 
>improvements as we've seen in AV, we're still seeing large-scale global 
>infections.  Given these conditions, I can think of *very* few excuses for 
>an administrator to continue allowing the aforementioned attachments (and 
>others, not listed for the sake of brevity).  At some point folks need to 
>learn that the software won't always save your a**, and that we need to 
>start being intrusive/proactive.
></OT Rant>
>
>In short, we could spend weeks talking about which AV gateways let which 
>virii pass through the filters, but it's largely irrelevant.  The problem 
>*can* be fixed.  Getting back on topic: McAfee (properly configured) works 
>great for me, and always has!
>
>Cheers!
>
>Keith
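As an added illustration (not code from this post or from MailScanner) of the two points in the counter-rant, blocking .pif and double-extension names such as *.txt.exe, and the extra work of looking inside zip archives so that zipping a file does not bypass the filter, here is a small Python attachment checker. The extension sets, the nesting limit and the sample archive are assumptions constructed for the example.

```python
import io
import zipfile

# Assumed policy for this example: extensions to refuse outright, decoy
# extensions seen in double-extension names (*.txt.exe), and archive types
# whose members are inspected recursively. Not MailScanner's own lists.
BLOCKED_EXTENSIONS = {"exe", "pif", "vbs", "bat", "scr", "com"}
DECOY_EXTENSIONS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html"}
ARCHIVE_EXTENSIONS = {"zip"}
MAX_DEPTH = 3  # refuse archives nested deeper than this instead of recursing forever


def classify_name(filename):
    """Return a reason string if the bare filename should be blocked, else None."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            return f"double extension .{parts[-2]}.{ext}"
        return f"blocked extension .{ext}"
    return None


def scan_attachment(filename, data, depth=0):
    """Check one attachment and, for zip archives, every member inside it.
    Returns a list of (path, reason) findings; an empty list means clean."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append((filename, reason))
    if filename.lower().rsplit(".", 1)[-1] in ARCHIVE_EXTENSIONS:
        if depth >= MAX_DEPTH:
            return findings + [(filename, "archive nested too deeply")]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    for path, why in scan_attachment(info.filename, zf.read(info), depth + 1):
                        findings.append((f"{filename}/{path}", why))
        except zipfile.BadZipFile:
            findings.append((filename, "corrupt or non-zip archive"))
    return findings


def build_zip(members):
    """Constructed sample input: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Running `scan_attachment("update.zip", build_zip({"patch.zip": build_zip({"readme.txt.exe": b"MZ"})}))` reports the executable two archives deep, which a name-only filter on the outer attachment would pass.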
