[Snort-users] Re: Snort-users #1972 OT Email/AV Ranting

Joe Pampel joe at ...3851...
Mon Jun 17 05:31:09 EDT 2002


I do extension blocking as well as virus scanning. I think it's the only logical thing to do.
Why? Because AV software is *always* going to be 1 step behind the virus writers. It's a
reactive technology by definition. What this means to me, is I have to take a peek at every email that 
gets quarantined. I don't strip attachments - I stop the mail if it looks, sounds 
or smells potentially nasty. And we haven't had a virus in here in longer than I can remember.
This is a profoundly good thing as I have precisely 0 interest in spending an evening running
around cleaning and/or re-imaging workstations. I may not have much of a life, but I still like
it better than playing hazmat team! ;-) 
As for software import/export, no one gets zip files except for me, and anyone who needs to
send a file through knows to change the extension (say to something like .txt) Doesn't slow me 
down at all. <adv>I use Mailsweeper for SMTP which has worked wonders here. I would recommend
it to anyone who wants to get some control over their email system. Good Spam filtering, mail
policies (who gets what and how) as well as virus scanning (via 3rd party s'ware). Great support
too. </adv>

>>Your comments on file extensions might be of noble intent, but quite 
frankly they do not solve the problem. Extension blocking is quite 
effective short-term, but in the long-term makes the problem *WORSE*.<<

Still not sure how blocking extensions makes anything worse. Rant at me offlist if you like.  My opinion is only born of experience, but I could always be wrong. I think perhaps these policies are uniquely tailored to their environments; my policy works well here, yours works well there.. I can appreciate that certainly. 

>> Most email viruses rely on social engineering to get people to execute an 
attachment. Most do this by trying to confuse the user into believing that
someone they know has sent them some form of document or what have you.

If I worked somewhere with software savvy people I could count on them to check things out. 
I can't. Your underlying assumption seems to be that users are computer literate. Maybe somewhere
they are - not here though. :-(  I once had an argument years ago with a secretary who infected our whole LAN & WAN. She insisted that while she had double-clicked on the attachment, she had not "opened it".. Amazing, but true.  I just had to walk away. Reminds me of that old admin joke, 

"we've located the problem"

"great! where is it?" 

"between the chair and the keyboard.."

>>Assumption: Users have a genuine need to exchange files via email, 
including files that you consider desirable to block.

My assumption is that users have no reason to exchange executable files at all. Sure, we exchange pdfs, .doc, .pps, etc etc.. There is no legit business purpose (here at least) I am aware of for executables. So I block them all, and have for years. .com, .exe, .vbs, .sh, etc etc etc. Works really well. It is an effective and proactive measure, at least for now. New viruses come out almost daily, but what they all have in common is their ability to execute. It is the logical place to ID them. Most days my AV software catches them too (I scan everything both ways), but there are times it is not ready for the new threat and the extension filtering saves my bacon once again. Hitting a walnut with a sledgehammer is not always a bad thing IMHO. The walnut gets the message.. ;-) 

>>I know I email out many legitimate executable files, I'm a software writer, go
figure. An email is a very effective means of getting my users a quick
test-patch. I also generally pack them in a zip file, because of common 
extension blocking schemes.

When I get patches from our developers, we use some innocuous dummy extension.. and I
just change it back once I get it. Or I free it from quarantine manually. No biggie. In 
any event, it is an attachment I am expecting, from someone that I know. Anything else
gets torched. I realize the idea of manual intervention will make many cringe, but I'll take my heuristic algorithms over those of any piece of AV software to determine if something is naughty or nice.. :-)  If looking at 20-30 pieces of the most questionable mail each day makes the difference, that's 10 min well spent IMHO.

>>Thus all you've done is created an inconvenience for your users that virus 
writers will merely adapt to. 

Who's to say they won't do this anyway? (or haven't already?) Surely the writers are well aware of email proxy abilities. That strikes me as a bit like saying people who run Snort are causing crackers to write new exploits that won't get sniffed.. or more so that using firewalls is an inconvenience for crackers that just tees them off and makes them write newer meaner stuff.. strong passwords tend to piss them off too while we're making a list. Probably all true to an extent, but is it a reason to take down the FW and turn off Snort?

>>You've also successfully created more work for your signature-based email antivirus scanner, 

Dunno about your environment, but here Chips are cheap. Downtime is $$$$. I
can set up a nice new server for far less than even a single cleanup would cost. 

Make machines do more work is my motto. ;-) 

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
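The gateway policy argued for in the message above (quarantine anything carrying an executable extension, look inside zip files for the same, and treat renamed files as something the admin should eyeball), written out as an added example. This is not code from the original post, nor from MAILsweeper, MIMEsweeper or Snort. It goes one step beyond the post: a file whose first two bytes are the "MZ" header of a Windows executable is flagged even under a harmless extension, because renaming .exe to .txt is exactly the trick the author uses to get his own patches through. The extension list, the size and nesting caps, and the sample message are all constructed for the example.

```python
"""Attachment policy check of the kind argued for in the message above.

Added example, not code from the original post or from any product named in it.
Quarantines a message when any attachment, or any member of a .zip attachment,
carries an executable extension; also flags an 'MZ' (PE) header under a
harmless extension. Extension list, caps and sample message are constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed list: the extensions named in the post plus others of the same kind.
BLOCKED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "sh",
}
ARCHIVE_EXTENSIONS = {"zip"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # refuse to inflate anything bigger (assumed cap)
MAX_ARCHIVE_DEPTH = 3                 # zip in zip in zip, then stop (assumed cap)


def extension_of(filename):
    """Lower-cased final extension, or '' when there is none ('report.doc.exe' -> 'exe')."""
    if not filename or "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def looks_like_pe(data):
    """DOS/PE executables start with 'MZ' whatever the file is called."""
    return data[:2] == b"MZ"


def check_blob(name, data, findings, where="", depth=0):
    """Apply the policy to one attachment or archive member; append (path, reason)."""
    path = f"{where}/{name}" if where else name
    ext = extension_of(name)
    if ext in BLOCKED_EXTENSIONS:
        findings.append((path, "blocked extension ." + ext))
    elif looks_like_pe(data):
        findings.append((path, "MZ header under extension ." + (ext or "(none)")))
    if ext not in ARCHIVE_EXTENSIONS:
        return
    if depth >= MAX_ARCHIVE_DEPTH:
        findings.append((path, "archive nested too deeply"))
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((f"{path}/{info.filename}", "member too large to inspect"))
                    continue
                check_blob(info.filename, zf.read(info), findings, path, depth + 1)
    except zipfile.BadZipFile:
        findings.append((path, "unreadable zip archive"))


def scan_message(raw):
    """Return [(attachment path, reason), ...]; an empty list means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        check_blob(name, data, findings)
    return findings


def verdict(raw):
    """'quarantine' when anything matched, else 'deliver'."""
    return "quarantine" if scan_message(raw) else "deliver"


def build_sample_message():
    """Constructed message: a PDF, an .exe, a renamed .exe and a zip holding a .vbs."""
    msg = EmailMessage()
    msg["From"] = "dev@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = "test patch"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 not a real pdf", maintype="application",
                       subtype="pdf", filename="quarterly.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake PE", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"MZ\x90\x00 fake PE", maintype="text",
                       subtype="plain", filename="patch.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("invoice.vbs", "WScript.Echo 1")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_message(build_sample_message()):
        print(f"{path}: {reason}")
```

Running it quarantines the sample message on three counts: setup.exe by extension, patch.txt by its MZ header, and docs.zip because of the .vbs inside. The PDF passes. Only the last extension counts, so report.doc.exe is an .exe; and a zip that will not parse, or that nests deeper than the cap, is reported rather than silently passed, since an attachment the gateway cannot inspect is exactly what the author says he wants to look at by hand.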