[Mimedefang] Virus statistics (was: One that the default filter missed...)
Michael D. Sofka
sofkam at rpi.edu
Fri May 24 10:35:57 EDT 2002
At 04:09 PM 5/23/2002 -0500, Mark Roedel wrote:
>I allow attachments of type audio/x-wav *IF* the file actually has an
>extension of .wav. (Which might not work on every conceivable
>permutation, but would have caught this one anyway.) I do the same
>thing for image/jpeg and several other types.
I have been keeping logs since the end of February and out of the
260 or so audio/x-wav files coming through the system each day,
maybe 0 or 1 is *not* a virus. And, check my sig, this is
at a 4 year technical school with 5k undergrads.
YMMV, but, at least here, audiophiles use peer-to-peer to exchange
music, not email. Blocking audio/x-wav email attachments
is a very effective strategy.
Some other data: 95% or more of executables (pif,scr,bat,exe,com) are
viruses. 6-7% of all attachments are viruses during the week. On weekends,
about 20-30% of attachments contain viruses. We're using Sophos to
scan all mail for viruses, and comparing the results to heuristic checks.
Heuristics alone are missing 20-80% of viruses.
Based on the data I've collected, I would recommend: reject all .exe, .com,
.pif, .bat, .scr and .lnk extensions, and all application/mixed, audio/x-midi
and audio/x-wav types. That will take care of 98% of viruses with very
few false positives. If people need to share executables, tell them about
ftp, http, smb, p2p, etc.
If you can't reject executables outright, you have to run a
virus scanner. If your time is important to you, buy a commercial
scanner. Then, scan every fragment of file that MIMEDefang can
unpack regardless of its name or extension.
Even then, I would not recommend opening executable attachments
and would scan anything else with an up to date desktop scanner
(preferably, a different scanner from that on the server).
I'm paranoid about this (hey, it runs in the family). But, I do still see
viruses slip through....
Mike
--
Michael Sofka sofkam at rpi.edu
CCT Sr. Systems Programmer email, webmail, listproc, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/
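The two policies discussed in this thread (Mark Roedel's "allow audio/x-wav only if the filename really ends in .wav" and Mike's stricter "reject the listed extensions and MIME types outright, then scan every decoded fragment regardless of name") can be expressed as a small attachment classifier. The following is an added illustration in Python, not code from the post and not a MIMEDefang filter (MIMEDefang filters are written in Perl and this does not use its API). The sample message is constructed inline; the `MZ` header check is an assumed stand-in for the "scan every fragment" step, not a substitute for a real virus scanner.

```python
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Policy from the post: reject these extensions and MIME types outright.
BLOCKED_EXTENSIONS = {".exe", ".com", ".pif", ".bat", ".scr", ".lnk"}
BLOCKED_TYPES = {"application/mixed", "audio/x-midi", "audio/x-wav"}

# Quoted variant: allow a type only when the filename extension agrees with it
# (image/jpeg is the other type named in the quote; the extension list is assumed).
TYPE_REQUIRES_EXTENSION = {
    "audio/x-wav": {".wav"},
    "image/jpeg": {".jpg", ".jpeg"},
}

MZ_REASON = "content starts with an MZ (DOS/PE executable) header"


def attachment_extension(part):
    """Lower-cased extension of the part's declared filename ('' if none)."""
    name = part.get_filename() or ""
    return posixpath.splitext(name.lower())[1]


def looks_like_pe(data):
    """Assumed minimal content check: DOS/PE executables begin with 'MZ'.
    This runs on the decoded bytes, so a renamed .exe is caught whatever it is called."""
    return data[:2] == b"MZ"


def check_part(part, strict=True):
    """Return the list of reasons to reject one decoded MIME part (empty if clean).
    strict=True  -> the post's policy (block listed extensions and types outright).
    strict=False -> the quoted policy (type allowed only if the extension matches)."""
    reasons = []
    ctype = part.get_content_type()
    ext = attachment_extension(part)
    data = part.get_payload(decode=True) or b""

    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if strict and ctype in BLOCKED_TYPES:
        reasons.append(f"blocked type {ctype}")
    if (not strict and ctype in TYPE_REQUIRES_EXTENSION
            and ext not in TYPE_REQUIRES_EXTENSION[ctype]):
        reasons.append(f"{ctype} part named {part.get_filename()!r} lacks a matching extension")
    # Content check runs on every fragment regardless of name, type or extension.
    if looks_like_pe(data):
        reasons.append(MZ_REASON)
    return reasons


def scan_message(raw, strict=True):
    """Walk every non-multipart fragment of a raw RFC 822 message and map the
    filename (or content type, for unnamed parts) to its rejection reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = check_part(part, strict)
        if reasons:
            verdict[part.get_filename() or part.get_content_type()] = reasons
    return verdict


def build_sample():
    """Constructed test message: a renamed executable posing as a .wav, a real-looking
    JPEG, a .scr screensaver, and an audio/x-wav part whose filename says .mp3."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00\x03\x00" + b"\x00" * 16,
                       maintype="audio", subtype="x-wav", filename="song.wav")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"jpegdata",
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 8,
                       maintype="application", subtype="octet-stream", filename="update.scr")
    msg.add_attachment(b"ID3\x03\x00" + b"\x00" * 8,
                       maintype="audio", subtype="x-wav", filename="clip.mp3")
    return msg.as_bytes()


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "extension-match", scan_message(build_sample(), strict=mode))
```

Under the strict policy the two audio/x-wav parts are rejected by type alone; under the extension-match policy `song.wav` passes the name test and is only caught because the decoded bytes were inspected, which is the point of scanning every fragment regardless of what it is called.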