[Avcheck] avcache announcement

Michael Tokarev mjt@tls.msk.ru
Thu, 14 Mar 2002 21:11:32 +0300


Felix von Leitner wrote:
> 
> Thus spake Michael Tokarev (mjt@tls.msk.ru):
> > > Somebody might be injecting viruses this way:
> > > * Send a legitimate, virus free mail with a correct Message-Id:
> > > * Then send virus infected mails with the same Message-Id:
> > > --> that would suck
> > My question remains:  WHY is this needed?  Why would someone want to
> > infect you this way?  If this bad guy *wants* to infect my computer,
> > there are far better ways to do so -- e.g. sending a password-protected
> > "Windows Security Update" ("this update was protected by the password
> > "secret" in order to ensure its integrity" -- a typical luser will
> > believe this), or directing the browser to an infected website, etc etc etc.
> > It's impractical to determine how mail antivirus software works in
> > this case.
> 
> With this line of argument, we don't need anti viruses at all.
> There are always ways to circumvent them.

Not true at all -- we need to stop the spreading of wild viruses.  Virus scanners
aren't a sort of IPS, aka Intrusion Prevention System.

> In fact, that is exactly my opinion about virus scanners.

And me too... ;)  For *me* there is no need for any virus scanner...  I
will never use a mail client that is as virus-friendly as Outlook.  If
bugs are found in the client I use, I'll update it or will be careful
(well, always careful...:)

> At any rate, a performance enhancement like http://www.fefe.de/avcache/
> may _never_ decrease security, no matter how slight the decrease.  That
> is basic engineering, there can be no discussion about this.
> 
> > Unless someone will write a virus that SPECIALLY tries to work around
> > protection scheme used in one particular place.  Well, this is interesting.
> > This is a reason to NOT treat any "X-AV-State: clean" or the like header
> > in the email, since once this practice becomes common, viruses will use
> > it as well.  But the point is *common*, i.e. common enough that someone
> > will actually want to use such "defect" in virus protection system.
> 
> This speculation is useless.  We can speculate all day about who might
> want to exploit what.  The point is: good software will not open new
> attack vectors.  We have enough of them already.

You almost convinced me, but not completely.  BTW, there are other ways to
"exploit" a virus-scanning solution.  And in fact, I don't know which is "better".

First of all, a virus scanner (in its current incarnation) should know about
any new virus before it can be detected.  Hard work for antivirus
vendors, but this work can't be done immediately: at least one
infection has to happen first, and someone has to notice that the
infection happened.

Also, what to do if the "mail part" of the virus scanner can't get an answer
from the virus scanner for whatever reason?  Avcheck fails with an EX_TEMPFAIL
error.  Other options exist -- e.g. ignore this condition and continue
just as if the message were reported to be clean.  All existing solutions
have such an option ("IGNORE_ERRORS" or the like).  There may be many different
conditions why a virus scanner can't return an answer.  And some are rather
"interesting": e.g. the 42.zip mailbomb -- an "unprepared" virus scanner may just
go into an almost-endless loop consuming all machine resources etc.  For such a
situation, it may be better to either continue as if the message is clean, or
return the message as infected, but certainly NOT defer it.  From another
point of view, for such timeouts it may be better to NOT check timeouts
at all.  Once my mail server rejected a significant amount of mail due to
high load, when a virus-scanning process was unable to complete in a
reasonable amount of time.  That surely was a misconfiguration, but it
serves as an example (and this is why I added the -t timeout option to avcheck --
in order to be able to detect a timeout and defer mail before postfix is
triggered by its own timeout).

> > In fact, I don't know if this (using message-id) will work or not.
> 
> It will open a new attack vector.

As I noted above, an antivirus alone can't be an IPS.  No antivirus solution
is 100%.  And such a new attack vector, which may be used by 0.001% of
viruses if at all, is very minor compared to other defects of the whole
solution.

[]
> > I also thought about detecting plaintext messages (w/o a /^begin \d\d\d \S+/
> > part) in avcheck.  But I see no good reason for this either -- unfortunately,
> > most emails nowadays are generated by Outlook, which uses text/html by default... :(
> 
> A guy told me yesterday that Outlook will even accept malware in the
> HEADER of an email (i.e. Subject: duh begin 655 virus.exe<CR>...).
> Is that true?  If so, avcache needs to be smarter than it currently is.

I'd say that if so, Outlook must not be used in the first place AT ALL, something
like

  /X-Mailer: Microsoft/  REJECT Do not use Microsoft products due to security reasons

And this IS a reasonable restriction for any security-sensitive organization,
including government etc.

> Felix

Regards,
 Michael.
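To make the Message-Id cache attack quoted in this message concrete, here is an
added example that is not part of the thread and is not avcache or avcheck code.
It assumes, as the quoted attack scenario does, that the cache is keyed on the
Message-Id header, and models the rest with constructed stand-ins: a toy scanner
that flags a uuencoded .exe attachment (the /^begin \d\d\d \S+/ pattern Michael
mentions) and that simulates a scanner stuck on a 42.zip-style bomb, two
constructed sample mails sharing one Message-Id, and an IGNORE_ERRORS-style
switch for the no-verdict case. The clean probe is sent first, then the
infected mail with the same Message-Id; the same two mails are then run through
a cache keyed on a digest of the full message.

```python
"""Toy model of a scan-result cache sitting in front of a mail virus scanner.

Constructed for the avcache thread above; this is NOT avcache or avcheck code.
It shows (a) why a cache keyed on the Message-Id header lets a second message
inherit the first message's "clean" verdict, (b) that keying on a digest of
the whole message closes that hole, and (c) the two policies discussed for a
scanner that returns no answer: defer (as avcheck does, EX_TEMPFAIL) or
IGNORE_ERRORS.
"""
import email
import hashlib
import re
from typing import Callable, Dict, Optional

CLEAN, INFECTED, DEFER = "clean", "infected", "defer"

# Constructed toy "signature": a uuencoded .exe attachment of the kind the
# thread mentions.  A real deployment calls an external scanner instead.
_SIGNATURE = re.compile(rb"^begin \d{3} \S+\.exe$", re.M)


class ScannerUnavailable(Exception):
    """The scanner produced no verdict (timeout, crash, stuck on a 42.zip ...)."""


def toy_scanner(raw: bytes) -> str:
    """Stand-in for the real scanner: flags the toy signature, and simulates a
    scanner that never returns when fed a (constructed) 42.zip-style bomb."""
    if b"42.zip" in raw:
        raise ScannerUnavailable("scanner timed out")
    return INFECTED if _SIGNATURE.search(raw) else CLEAN


class CachingFilter:
    """Mail-side filter: consult the cache, else scan and remember the verdict."""

    def __init__(self, key_func: Callable[[bytes], Optional[str]],
                 scanner: Callable[[bytes], str] = toy_scanner,
                 ignore_errors: bool = False) -> None:
        self.key_func = key_func
        self.scanner = scanner
        self.ignore_errors = ignore_errors  # the IGNORE_ERRORS-style knob
        self.cache: Dict[str, str] = {}
        self.scans = 0  # how many times the (expensive) scanner actually ran

    def check(self, raw: bytes) -> str:
        key = self.key_func(raw)
        if key is not None and key in self.cache:
            return self.cache[key]          # cache hit: scanner is NOT consulted
        self.scans += 1
        try:
            verdict = self.scanner(raw)
        except ScannerUnavailable:
            # No verdict.  IGNORE_ERRORS passes the mail as clean (nothing is
            # cached); the default mirrors avcheck and defers the mail.
            return CLEAN if self.ignore_errors else DEFER
        if key is not None:
            self.cache[key] = verdict
        return verdict


def message_id_key(raw: bytes) -> Optional[str]:
    """Weak key: the sender-controlled Message-Id header (None -> never cached)."""
    return email.message_from_bytes(raw).get("Message-Id")


def content_key(raw: bytes) -> str:
    """Strong key: digest of the complete message, headers and body included."""
    return hashlib.sha256(raw).hexdigest()


# Constructed sample messages.  Both real mails carry the SAME Message-Id.
_HEADERS = (b"From: alice@example.com\nTo: bob@example.com\n"
            b"Message-Id: <probe-1@example.com>\nSubject: hi\n\n")
CLEAN_MAIL = _HEADERS + b"hello\n"
INFECTED_MAIL = _HEADERS + b"begin 644 virus.exe\nM4D%.1$]-(\n`\nend\n"
BOMB_MAIL = _HEADERS + b"see attached 42.zip\n"


def demo() -> Dict[str, object]:
    """Run the attack from the thread against both cache keys, plus the
    two no-verdict policies.  Returns the verdicts and scanner call counts."""
    by_id, by_hash = CachingFilter(message_id_key), CachingFilter(content_key)
    return {
        "by_id": (by_id.check(CLEAN_MAIL), by_id.check(INFECTED_MAIL)),
        "by_id_scans": by_id.scans,
        "by_hash": (by_hash.check(CLEAN_MAIL), by_hash.check(INFECTED_MAIL)),
        "by_hash_scans": by_hash.scans,
        "bomb_default": CachingFilter(content_key).check(BOMB_MAIL),
        "bomb_ignore_errors": CachingFilter(content_key,
                                            ignore_errors=True).check(BOMB_MAIL),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

With the Message-Id key the infected mail is returned as "clean" after a single
scan, exactly the scenario quoted above; with the content digest it misses the
cache and is scanned and flagged. One caveat that follows from Michael's own
point about scanners needing to know a virus first: a digest-keyed "clean"
verdict is only as good as the signature database that produced it, so cached
entries should be dropped (or stamped with the signature version) whenever the
scanner's signatures are updated.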