[Avcheck] avcache announcement

Michael Tokarev mjt@tls.msk.ru
Thu, 14 Mar 2002 19:04:45 +0300


Ralf Hildebrandt wrote:
> 
> Am 14.03.2002 um 18:43:13 +0300 schrieb Michael Tokarev folgendes:
[]
> Somebody might be injecting viruses this way:
> 
> * Send a legitimate, virus free mail with a correct Message-Id:
> * Then send virus infected mails with the same Message-Id:
> 
> --> that would suck

My question remains:  WHY is this needed?  Why would someone want to
infect you this way?  If this bad guy *wants* to infect my computer,
there are far better ways to do so -- e.g. sending a password-protected
"Windows Security Update" ("this update was protected by the password
"secret" in order to ensure its integrity" -- the typical luser will
believe this), or directing the browser to an infected website, etc etc etc.
It's impractical to determine how mail antivirus software works in
this case.

Unless someone writes a virus that SPECIALLY tries to work around the
protection scheme used in one particular place.  Well, this is interesting.
This is a reason to NOT treat any "X-AV-State: clean" or similar header
in the email specially, since once this practice becomes common, viruses will use
it as well.  But the point is *common*, i.e. common enough that someone
will actually want to use such a "defect" in a virus protection system.

In fact, I don't know if this (using the message-id) will work or not.  I
see no *good* reason for a virus to use such a "defect".  But who knows... :)
Maybe someone will write a virus specially for one organization...

BTW, with avcache, the virus scanning process may be slowed down as well as
sped up.  Speedup will happen in rare cases; usually this will be a slowdown
(additional unnecessary md5sums, that is).

I thought also about detecting plaintext messages (w/o a /^begin \d\d\d \S+/
part) in avcheck.  But I see no good reason for this either -- unfortunately,
most emails nowadays are generated by Outlook, which uses text/html by default... :(

Regards,
 Michael.
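The cache-poisoning scenario Ralf raises (a clean message followed by an infected one reusing its Message-Id) and the remedy the thread hints at (hashing the content) can be shown side by side. The following is an added illustration, not code from avcheck or avcache; the two cache classes, the stand-in scanner and the sample messages are all constructed for this example. The scanner only looks for the uuencode marker quoted above, standing in for a real virus scanner.

```python
import hashlib
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not from the original thread). The second one
# reuses the first one's Message-Id but carries a different body.
CLEAN_MSG = """Message-Id: <abc123@example.invalid>
From: sender@example.invalid
Subject: hello

Just a friendly note.
"""

REUSED_ID_MSG = """Message-Id: <abc123@example.invalid>
From: sender@example.invalid
Subject: hello

begin 644 payload.exe
M...
end
"""

UUENCODE_BEGIN = re.compile(r"^begin \d\d\d \S+")


def scan(msg: Message) -> str:
    """Stand-in for the real scanner: a message carrying a uuencoded
    part (the /^begin \\d\\d\\d \\S+/ marker from the post) is reported
    as 'infected', anything else as 'clean'."""
    for line in msg.get_payload().splitlines():
        if UUENCODE_BEGIN.match(line):
            return "infected"
    return "clean"


class MessageIdCache:
    """Verdict cache keyed only on the Message-Id header (the design
    being discussed). Returns (verdict, served_from_cache)."""

    def __init__(self) -> None:
        self.verdicts: dict[str, str] = {}

    def check(self, raw: str) -> tuple[str, bool]:
        msg = message_from_string(raw)
        key = msg["Message-Id"]
        if key in self.verdicts:
            # Stale verdict: the body is never looked at again.
            return self.verdicts[key], True
        verdict = scan(msg)
        self.verdicts[key] = verdict
        return verdict, False


class DigestCache:
    """Verdict cache keyed on a digest of the whole raw message, so any
    change in content forces a rescan regardless of the Message-Id.
    (SHA-256 here; the post mentions md5sums, the principle is the same.)"""

    def __init__(self) -> None:
        self.verdicts: dict[str, str] = {}

    def check(self, raw: str) -> tuple[str, bool]:
        key = hashlib.sha256(raw.encode("utf-8")).hexdigest()
        if key in self.verdicts:
            return self.verdicts[key], True
        verdict = scan(message_from_string(raw))
        self.verdicts[key] = verdict
        return verdict, False


if __name__ == "__main__":
    by_id, by_digest = MessageIdCache(), DigestCache()
    for cache in (by_id, by_digest):
        print(type(cache).__name__, cache.check(CLEAN_MSG), cache.check(REUSED_ID_MSG))
```

With the Message-Id cache the second message is answered "clean" straight from the cache; with the digest cache it is rescanned and flagged. The digest cache still saves work when the identical message is delivered several times (the case avcache is meant to speed up), which is the only case in which a cache is safe to hit.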