[Mimedefang] Virus statistics (was: One that the default filter missed...)

Michael D. Sofka sofkam at rpi.edu
Fri May 24 10:35:57 EDT 2002


At 04:09 PM 5/23/2002 -0500, Mark Roedel wrote:
>I allow attachments of type audio/x-wav *IF* the file actually has an
>extension of .wav.  (Which might not work on every conceivable
>permutation, but would have caught this one anyway.)  I do the same
>thing for image/jpeg and several other types.

I have been keeping logs since the end of February and out of the
260 or so audio/x-wav files coming through the system each day,
maybe 0 or 1 is *not* a virus.  And, check my sig, this is
at a 4 year technical school with 5k undergrads.

YMMV, but, at least here, audiophiles use peer-to-peer to exchange
music, not email.  Blocking audio/x-wav email attachments
is a very effective strategy.

Some other data:  95% or more of executables (pif,scr,bat,exe,com) are
viruses.  6-7% of all attachments are viruses during the week.  On weekends,
about 20-30% of attachments contain viruses.   We're using Sophos to
scan all mail for viruses, and comparing the results to heuristic checks.
Heuristics alone are missing 20-80% of viruses.

Based on the data I've collected, I would recommend: reject all .exe, .com,
.pif, .bat, .scr and .lnk extensions, and all application/mixed, audio/x-midi
and audio/x-wav types.  That will take care of 98% of viruses with very
few false positives.  If people need to share executables, tell them about
ftp, http, smb, p2p, etc.

If you can't reject executables outright, you have to run a
virus scanner.  If your time is important to you, buy a commercial
scanner.  Then, scan every fragment of file that MIMEDefang can
unpack regardless of its name or extension.

Even then, I would not recommend opening executable attachments
and would scan anything else with an up to date desktop scanner
(preferably, a different scanner from that on the server).

I'm paranoid about this (hey, it runs in the family).  But, I do still see
viruses slip through....

Mike

--
Michael Sofka                          sofkam at rpi.edu
CCT Sr. Systems Programmer  email, webmail, listproc, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.    http://www.rpi.edu/~sofkam/
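The rejection policy recommended in the post (extensions .exe/.com/.pif/.bat/.scr/.lnk and the application/mixed, audio/x-midi and audio/x-wav types), written out as an added example of a MIMEDefang `filter` hook. This is illustrative code, not the filter Mike or the MIMEDefang project ships; it assumes the standard mimedefang-filter API (`filter`, `message_rejected`, `action_bounce`, `action_accept`, `md_syslog`) and that `$fname` is the part's declared filename.

```perl
use strict;
use warnings;

# Extensions the post reports as 95%+ viruses in its logs.
my @BAD_EXTS  = qw(.exe .com .pif .bat .scr .lnk);
# MIME types the post recommends rejecting outright.
my @BAD_TYPES = qw(application/mixed audio/x-midi audio/x-wav);

# Return a rejection reason for one MIME part, or undef if it passes.
#   $fname: declared filename of the part (may be empty)
#   $type:  Content-Type of the part
sub part_rejection_reason {
    my ($fname, $type) = @_;
    my $name = lc($fname // '');
    my $ctype = lc($type  // '');
    # Trailing dots/spaces are stripped so "invoice.exe." is still caught.
    $name =~ s/[.\s]+$//;
    for my $ext (@BAD_EXTS) {
        return "executable attachment ($ext)" if $name =~ /\Q$ext\E$/;
    }
    for my $bad (@BAD_TYPES) {
        return "blocked MIME type ($bad)" if $ctype eq $bad;
    }
    return undef;
}

# MIMEDefang calls filter() once for every part it unpacks, so nested
# archives and multipart bodies get the same check as top-level parts.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return if message_rejected();    # an earlier part already bounced it
    my $reason = part_rejection_reason($fname, $type);
    if (defined $reason) {
        md_syslog('info', "rejecting message: $reason");
        return action_bounce("Attachment rejected: $reason");
    }
    # Accepted parts still go to the virus scanner; this policy is the
    # cheap first pass, not a replacement for scanning every fragment.
    return action_accept();
}
```

The extension match is on the real filename, so a part labelled audio/x-wav but named `song.exe` is rejected for its extension before the type check runs.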




More information about the MIMEDefang mailing list