[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Virus Checking on Firewall

On Thu, Sep 27, 2001 at 10:58:26AM -0400, Richard A Nelson wrote:
> On Wed, 26 Sep 2001, Chad Morgan wrote:
> > I was wondering what the best way (if any) of stopping email viruses
> > through a firewall.
> Put your virus scanner there...
> > I'm trying to see if
> > a) there is a way to scan all files that pass through the firewall

I respectfully disagree with this.
The questioner sepecifically said that people were fetching mail 
from outside services.   Presumably this means POP, IMAP, and
probably webmail, and if webmail, probably HTTPS webmail.

This would require, at least, a proxy for these services,
at least on ports 143, 220, 110, 80 (and probably 8080?).
The problem is that the virus scanner cannot work on the raw
stream; too much depends on context.  For example, a stream
that embeds a zipped file has to be decoded, the zip file 
extracted and the contents examined one by one.

I don't know how to handle hhtps, imaps, and pop3s.

I know of no available pop3 proxy that will allow the necessary
interception, for example.

Also, I don't really think that a virus scanner belongs on a firewall.
These tend to be very heavy and closed source.  I would worry 
Denial of Service Attacks and even straight attacks on the virus

In my opinion, the only thing to do is to make it more difficult
for the end users to shoot themselves in the foot.  (Amazing how
many times they can shoot themselves in the foot and expect us
to come along and patch them up again.)  This means that the 
mail client absolutely, positively must not automatically handle
content in any way.  No preview, no launching browsers, no javascript,
no VBS, nothing but text.  And it absolutely must not hide extensions,
ever.  I.e. kill LookOut!, kill LookOut Real Fast!, kill Rotus Motes, 
and you might have a chance.

Jim Penny

Reply to: