[Snort-users] SMTP Virus Gateway
mkettler at ...4108...
Fri Jun 14 11:30:04 EDT 2002
I'm using a double-queued sendmail setup called MailScanner, it seems to
work quite nicely so far and lets me pick one of several command-line AV
products to use with it (sophos, f-prot, kaspersky, and others).
It's also a direct add-on to an existing mailserver and doesn't require
adding an appliance as an intermediate mailserver, but does require some
good old-fashioned unix system admin know-how.
<OT counter rant>
Your comments on file extensions might be of noble intent, but quite
frankly they do not solve the problem. Extension blocking is quite
effective short-term, but in the long-term makes the problem *WORSE*.
Most email viruses rely on social engineering to get people to execute an
attachment. Most do this by trying to confuse the user into believing that
someone they know has sent them some form of document or what have you.
Assumption: Users have a genuine need to exchange files via email,
including files that you consider desirable to block.
Given that assumption users will eventually come upon some form of commonly
accepted means for exchanging these files in the face of extension
filtering. Since Windows XP now supports zip archives directly in explorer
as if they were folders, they will likely adopt a convention of zipping
such files prior to email.
I know I email out many legitimate executable files, I'm a software writer,
go figure. An email is a very effective means of getting my users a quick
test-patch. I also generally pack them in a zip file, because of common
extension blocking schemes.
Since viruses rely on social engineering, they will adapt to match whatever
standards of exchange that people are commonly using. I suspect it won't be
long before we start seeing viruses that .zip themselves to bypass such
"proactive" solutions, and to fit in more with the current norm for file
Thus all you've done is create an inconvenience for your users that virus
writers will merely adapt to. You've also successfully created more work
for your signature-based email antivirus scanner, since it will now have to
be configured to scan inside compressed archives to catch such viruses.
That said, I do have blocking for .pif, and most of the "double-extension"
set virii use (*.txt.exe etc.).
At 12:22 PM 6/14/2002 -0400, McCammon, Keith wrote:
>I've always used McAfee WebShield SMTP with great success. Then again, I
>also do a blanket drop of all .exe, .vbs, .bat, etc.
>Virii are ever-changing, and are spreading faster and faster. And as many
>improvements as we've seen in AV, we're still seeing large-scale global
>infections. Given these conditions, I can think of *very* few excuses for
>an administrator to continue allowing the aforementioned attachments (and
>others, not listed for the sake of brevity). At some point folks need to
>learn that the software won't always save your a**, and that we need to
>start being intrusive/proactive.
>In short, we could spend weeks talking about which AV gateways let which
>virii pass through the filters, but it's largely irrelevant. The problem
>*can* be fixed. Getting back on topic: McAfee (properly configured) works
>great for me, and always has!
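The poster's point that an attachment policy must look inside zip archives, and his double-extension (*.txt.exe) filter, as an added example that is not code from the original post or from MailScanner: a small Python policy check run over a constructed test message. The blocked-extension list, the document-extension list and the filenames are assumptions for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: .pif from the post plus the executable types the quoted reply drops.
BLOCKED_EXTS = (".exe", ".pif", ".vbs", ".bat", ".scr", ".com")
# Double-extension pattern the post describes: a document-looking extension
# followed by a second one (readme.txt.exe). Deliberately does not match .tar.gz.
DOUBLE_EXT = re.compile(r"\.(txt|doc|xls|pdf|jpg|gif)\.[a-z0-9]{1,4}$", re.I)

def risky_name(name: str) -> bool:
    """True if a filename hits the blocked list or the double-extension pattern."""
    lower = name.lower()
    return lower.endswith(BLOCKED_EXTS) or bool(DOUBLE_EXT.search(lower))

def scan_message(raw: bytes) -> list:
    """Return (attachment_name, zip_member_or_None) for every risky filename.
    Zip attachments are opened so a zipped .exe is not hidden from the policy;
    the archive is recognised by its PK signature, not by its declared extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if risky_name(name):
            findings.append((name, None))
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if risky_name(member):
                            findings.append((name, member))
            except zipfile.BadZipFile:
                findings.append((name, "<unreadable archive>"))
    return findings

def build_sample() -> bytes:
    """Constructed test mail: a double-extension attachment and a zip wrapping an .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "test patch"
    msg.set_content("see attached")
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="octet-stream", filename="readme.txt.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("patch.exe", b"not a real program")
        zf.writestr("notes.txt", b"hello")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="patch.zip")
    return msg.as_bytes()
```

Running scan_message(build_sample()) flags readme.txt.exe directly and patch.exe inside patch.zip, while notes.txt and the zip itself pass.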