[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Virus Checking - COMPLETELY UNENCUMBERED!



On Wed, May 15, 2002 at 11:34:28AM +1000, Brian May wrote:
> > Frankly, it would be good if someone would add to the useful procmail
> > recipes a filter to remove any executable attachments from an email
> > outright or mark them as spam or delete them or something.  NOBODY should
> > be emailing an executable.  A zip maybe, an image okay.  An executable,
> > particularly a win32 executable is almost guaranteed to be a virus.
> 
> This is a FAQ for amavis, on why amavis doesn't support this.
> 
> While I don't agree with their reasoning, they say it gives a false
> sense of security because it is too easy to hide a virus inside a virus
> with the wrong MIME type or wrong extension (eg *.doc), and have it
> still execute on a broken Windows machine.

I agree with them.  The check should be on file signature, not file
extension name.  The difference is that one relies on certain bugs in
Microsoft software to not exist - as klez has shown is to not be the case
for many users.  The other scans all attachments for executable content,
regardless of the filename.  While not always desirable to reject such
messages, it is at least worthwhile to tag them as suspect and probably
either spam or a virus (or both..)

If amavis does not provide this functionality, then I shall seek it
elsewhere.  Perhaps that exim filter will do as I need; certainly I can
rewrite the filter in question for use with postfix in perl or python if
it does.


> Personally, I think any file that ends in extensions like *.exe, *.bat,
> *.com, *.scr (and maybe even *.doc; but some people do send/receive
> these files) are very suspicious, and even if you know the sender, the
> chance exists that the files could have been tampered with (unless the
> message is digitally signed with a known signature).

Microsoft Windows has _THIRTY-SEVEN_ different executable extensions which
are known to be run automatically by the OS, regardless of bugs in the
various software.  Relying on the name of the file is as pointless in
Win32 as it is in various flavors of UNIX.  Scan by file signature, not
name.

-- 
Joseph Carter <knghtbrd@bluecherry.net>          If this sig were funny...
 
* Culus thinks we should go to trade shows and see how many people we
  can kill by throwing debian cds at them

Attachment: pgpkMAA1225Hc.pgp
Description: PGP signature


Reply to: