[Avcheck] Re: Couple of avcheck questions

Michael Tokarev mjt@tls.msk.ru
Tue, 22 Jan 2002 20:09:05 +0300


[Cc'd to avcheck list]

Jarno Huuskonen wrote:
> 
> On Sun, Jan 20, Michael Tokarev wrote:
> > I asked him.  He says that TrendMicro/NAI uvscan has --mime option to
> > indicate that input file(s) are in MIME format.  He uses McAfee VirusScan
> > for UNIX v4.12, Released November 30, 2000.  From the readme.txt aka release
> > notes:
> 
> Interesting, the uvscan command line options don't show the --mime
> option but the program recognises it (and strings uvscan shows it).
> Unfortunately uvscan doesn't work with all the weird archives so I'll
> probably stick with my weird amavisd+uvscan+avcheck combo ;)
> 
> I started thinking about how to prevent local users from sending their
> mail straight to localhost:1025.
> Would it be possible to reinject the scanned mail back to postfix via
> unix domain socket (is it possible to make postfix smtpd to listen on
> unix domain socket ?)
> 
> On a machine where users have shell access this could be used as a
> simple access control, so local users can't directly submit mail to
> localhost:1025 and bypass the content_filter).
> 
> Simple scenario:
> smtpd (-o content_filter=) listens on /var/something/smtpd-socket and
> /var/something would be owned by root:avcheck mode 0710.
> So only group avcheck could submit mail via this socket.
> Any thoughts ?

Well, some... ;)

First of all, I'm seriously considering dropping archive scanning in
mails for our servers.  This has good and bad sides, obviously.  With
our customers, we probably can't stop scanning .zip, .rar and .arj
(and self-extracting .exe of those archivers), because of our customer's
mail usage.

In order to prevent 99.9% of "usual" viruses like nimda, sircam and
the like, it is sufficient to scan only "plain mime".  That is,
viruses in "wild form", when it is the virus itself that is the sender
of a mail.  To prevent some more complicated cases, where a user sent an
infected file from his disk in archived form, it is sufficient to check
only common archive formats -- zip and rar should be sufficient (arj was
very popular in Russia several years ago).  Most "normal", average
users will not use more "exotic" archivers anyway.  If you deal
with an "advanced" user, who can use tar (almost impossible on a winbloze
machine) and so on, it's rather useless to do virus scanning at
all: first, an "advanced" user can prevent infection without a mail
virus scanner, and second, it's problematic to scan all possible
formats.

Note also that even an "average" rar user will make solid multipart
archives -- no part except the first can be unpacked anyway (very
common situation here).

That is to say, scanning "plain mime" only is sufficient for most
usages, and scanning common archive formats should be sufficient
for even more usages.  So I personally see no real need to provide
more "intellectual" scanning.

A side note.  A virus can archive itself before sending.  I know
no such viruses for now, but obviously this is not impossible.
But there should be a way to extract it from that archive on the
target machine.  This can be accomplished in one of two ways:
using a common archive format (zip; rar isn't very common) in the
hope that the target machine will have a decompressor installed
(e.g. winzip), or creating a self-extracting archive using some
exotic format.  In the first case, the virus will be easily detectable
by an average antivirus (like uvscan) that can understand
this common archive format.  In the second case, the *antivirus*
software should have the corresponding ability to detect this
particular virus, either by providing a decompressor or by having
signatures that will detect the compressed form of the virus.
BTW, how does amavis deal with self-extracting archives?  I guess
it does not handle this form...

Second part, about access to reinjecting socket.

Personally I see no real reason for such restrictions.  At
least because there is no need to bypass virus protection
in such a way -- why would your user want to send unscanned
mail?  Because this user is a "hacker"?  But in this case
it is better to take administrative actions instead, like
disabling his account.  Also, if someone actually tried to
use a non-standard mail injection path, then he is not an
average user, and the same rules apply (there is no need
to check his mail *for him*, for example, and he shouldn't
be this dumb as to send infected mails except for some
purpose).

But anyway.  Postfix has no (re)injection mechanism except
smtpd, qmqpd and the sendmail command.  Both smtpd and qmqpd
can only work with tcp sockets but not with a unix-domain
socket.  Well, it is possible to modify postfix (and avcheck)
to do what is needed.  BTW, I use content_inspector here;
in this case no reinjection is necessary at all (all paths
to our postfixes are content_inspected, I have content_inspector
defined in main.cf only).

Note also that no antivirus software will give you 100%
protection, by definition (including new yet unknown viruses,
split solid rar archives, encrypted messages or archives and
so on).

Regards,
 Michael.
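The group-restricted reinjection socket that the quoted scenario proposes (a listener in a root:avcheck, mode 0710 directory, so that only members of the avcheck group can submit mail) can be demonstrated outside Postfix, which, as the reply notes, cannot bind smtpd to a unix-domain socket. The following is an added example and not code from avcheck, amavisd or Postfix: a small in-process Unix-domain listener that puts its socket in a 0710 directory and, as a second check, reads the connecting process's credentials with Linux SO_PEERCRED and refuses peers outside an allowed set of group ids. The socket path, the banner strings and the in-process client are constructed for the demonstration; the approach assumes Linux.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed example: a Unix-domain listener that only admits connections
# from processes in an allowed group. Linux-only (SO_PEERCRED). The 0710
# directory mode mirrors the root:avcheck idea from the thread; the peer
# credential check is a second, independent gate.

SOCK_DIR_MODE = 0o710  # owner: rwx; group: traverse only; others: nothing


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer process as reported by the kernel.

    struct ucred on Linux is three 32-bit ints: pid, uid, gid.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def accept_one(srv, allowed_gids, decisions):
    """Accept a single connection and admit or refuse it by the peer's gid."""
    conn, _ = srv.accept()
    with conn:
        _pid, _uid, gid = peer_credentials(conn)
        if gid in allowed_gids:
            conn.sendall(b"220 reinjection socket ready\r\n")
            decisions.append(("accepted", gid))
        else:
            conn.sendall(b"554 submission not permitted for your group\r\n")
            decisions.append(("rejected", gid))


def submit_round_trip(allowed_gids):
    """Bind a listener in a 0710 directory, connect to it from this process,
    and return (decision, banner) for that one connection."""
    with tempfile.TemporaryDirectory() as sock_dir:
        os.chmod(sock_dir, SOCK_DIR_MODE)  # constructed stand-in for /var/something
        sock_path = os.path.join(sock_dir, "smtpd-socket")

        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        srv.listen(1)

        decisions = []
        worker = threading.Thread(target=accept_one,
                                  args=(srv, allowed_gids, decisions))
        worker.start()

        # The "submitting" client is this same process, so its gid is ours.
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(sock_path)
        banner = cli.recv(128).decode().strip()
        cli.close()

        worker.join()
        srv.close()
        return decisions[0][0], banner


if __name__ == "__main__":
    my_gid = os.getegid()
    print(submit_round_trip({my_gid}))          # our own group is allowed
    print(submit_round_trip({my_gid + 100000}))  # some other group only
```

Run as a normal user; no root is needed because the directory is created by the same user that connects. In a real deployment the directory mode alone already stops users outside the group from reaching the socket path, and the SO_PEERCRED check guards against a misconfigured directory or a socket that was moved.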