[Avcheck] avcache announcement

Felix von Leitner leitner@fefe.de
Thu, 14 Mar 2002 18:37:03 +0100


Thus spake Michael Tokarev (mjt@tls.msk.ru):
> > Somebody might be injecting viruses this way:
> > * Send a legitimate, virus free mail with a correct Message-Id:
> > * Then send virus infected mails with the same Message-Id:
> > --> that would suck
> My question remains:  WHY is this needed?  Why would someone want to
> infect you this way?  If this bad guy *wants* to infect my computer,
> there are far better ways to do so -- e.g. sending password-protected
> "Windows Security Update" ("this update was protected by a password
> "secret" in order to ensure it's integrity" -- typical luser will
> belive this), or directing browser to infected website, etc etc etc.
> It's impractical to determine how mail antivirus software works in
> this case.

With this line of argument, we don't need anti-viruses at all.
There are always ways to circumvent them.
In fact, that is exactly my opinion about virus scanners.

At any rate, a performance enhancement like http://www.fefe.de/avcache/
may _never_ decrease security, no matter how slight the decrease.  That
is basic engineering, there can be no discussion about this.

> Unless someone will write a virus that SPECIALLY tries to work around
> protection scheme used in one particular place.  Well, this is interesting.
> This is a reason to NOT treat any "X-AV-State: clean" or the like header
> in the email, since once this practice becomes common, viruses will use
> it as well.  But the point is *common*, i.e. common enough that someone
> will actually want to use such "defect" in virus protection system.

This speculation is useless.  We can speculate all day about who might
want to exploit what.  The point is: good software will not open new
attack vectors.  We have enough of them already.

> In fact, I don't know if this (using message-id) will work or not.

It will open a new attack vector.

> BTW, with avcache, the virus-scanning process may be slowed down as well as
> sped up.  Speedup will be in rare cases; usually this will be a slowdown
> (additional unnecessary md5sums, that is).

Depends on the workload.  I can only speak for my personal mail volume:
it's by far dominated by mailing lists.  This is the kind of thing that
avcache will speed up dramatically: ten people subscribe to the same
mailing list.  Or, even better, sending an email to all@bigcompany.com
(and running on the poor MX for bigcompany.com).

> I thought also about detecting plaintext messages (w/o /^begin \d\d\d \S+/
> part) in avcheck.  But I see no good reason for this too -- unfortunately,
> most emails nowadays are generated by outlook that uses text/html by default... :(

A guy told me yesterday that Outlook will even accept malware in the
HEADER of an email (i.e. Subject: duh begin 655 virus.exe<CR>...).
Is that true?  If so, avcache needs to be smarter than it currently is.

Felix
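The two cache-key choices argued over in this thread, as an added example that is not avcache's code and not written by either participant. It models a scan-result cache in front of a mail scanner and compares keying on the Message-Id header (the attack Michael describes: clean mail first, then malware under the same Message-Id) with keying on a hash of exactly the content the scanner inspects. Assumptions made here: the "scanner" is a toy that treats the uuencode /^begin \d\d\d \S+/ line from the post as its only signature and also looks at the Subject header (the set of scanned headers is an assumption, chosen so per-hop Received: lines do not break mailing-list deduplication); sha256 is used where the post says md5sum, since md5 collisions are practical today and a collision would let two different messages share one cache entry; all sample messages are constructed.

```python
"""Toy model of an AV-result cache in front of a mail scanner (added example)."""
import hashlib
import re

# The uuencode "begin" line mentioned in the thread, used as the whole
# "virus signature" so the example runs without a real scanner.
UU_BEGIN = re.compile(r"begin \d\d\d \S+")

# Headers whose text the toy scanner inspects (assumption).  Per-hop headers
# such as Received: differ for every copy of a mailing-list post, so they are
# left out of both the scan and the cache key.
SCANNED_HEADERS = ("subject",)


def split_message(raw: str):
    """Minimal RFC 822 split: headers dict (lower-cased names) and body.

    No header folding; the first blank line ends the headers.
    """
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers, body


def scannable(raw: str) -> str:
    """Exactly the text the scanner looks at: selected headers plus body."""
    headers, body = split_message(raw)
    parts = [f"{h}: {headers.get(h, '')}" for h in SCANNED_HEADERS]
    return "\n".join(parts) + "\n\n" + body


def scan(raw: str) -> str:
    """Toy scanner: 'infected' if a uuencode begin line appears anywhere it looks."""
    return "infected" if UU_BEGIN.search(scannable(raw)) else "clean"


def key_by_message_id(raw: str) -> str:
    """The key the thread warns against: attacker-controlled and reusable."""
    return split_message(raw)[0].get("message-id", "")


def key_by_content(raw: str) -> str:
    """Hash over precisely the scanned content, so anything the scanner could
    notice also changes the key (sha256 instead of the post's md5sum)."""
    return hashlib.sha256(scannable(raw).encode()).hexdigest()


class ScanCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.verdicts = {}
        self.scans = 0  # number of real scans performed

    def check(self, raw: str) -> str:
        key = self.key_fn(raw)
        if key not in self.verdicts:
            self.scans += 1
            self.verdicts[key] = scan(raw)
        return self.verdicts[key]


# Constructed sample messages, not real mail.
CLEAN = "Message-Id: <1@example.org>\nSubject: hello\n\nJust text.\n"
INFECTED_SAME_ID = ("Message-Id: <1@example.org>\nSubject: hello\n\n"
                    "begin 644 virus.exe\nM...\nend\n")
HEADER_PAYLOAD = ("Message-Id: <2@example.org>\n"
                  "Subject: duh begin 655 virus.exe\n\nJust text.\n")
LIST_COPIES = [f"Received: from relay.example.org for user{i}\n"
               "Message-Id: <3@example.org>\nSubject: [list] post\n\nSame body.\n"
               for i in range(3)]


def message_id_poisoning():
    """Clean mail first, then malware under the same Message-Id."""
    by_id, by_hash = ScanCache(key_by_message_id), ScanCache(key_by_content)
    for cache in (by_id, by_hash):
        cache.check(CLEAN)
    return by_id.check(INFECTED_SAME_ID), by_hash.check(INFECTED_SAME_ID)


def mailing_list_dedup():
    """Three list copies differ only in Received:, so one scan should suffice."""
    by_hash = ScanCache(key_by_content)
    verdicts = [by_hash.check(m) for m in LIST_COPIES]
    return verdicts, by_hash.scans


def header_payload_seen():
    """A begin line smuggled into Subject: is scanned and part of the key."""
    by_hash = ScanCache(key_by_content)
    by_hash.check(CLEAN)
    return by_hash.check(HEADER_PAYLOAD)


if __name__ == "__main__":
    print(message_id_poisoning())  # ('clean', 'infected')
    print(mailing_list_dedup())    # (['clean', 'clean', 'clean'], 1)
    print(header_payload_seen())   # 'infected'
```

The invariant the content-keyed cache enforces is that the key is a hash of the exact bytes the verdict was computed from; a cache keyed on anything the sender controls and can repeat, such as Message-Id, hands the sender a way to replay an old "clean" verdict onto new content. Whether Outlook really executes uuencoded data from a header, as Felix asks, is left open here; the example only shows that a header the scanner inspects must also be covered by the key.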