[Mimedefang] RFC: better virus scanner status reporting?

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Wed Aug 13 18:41:01 EDT 2003


On 2003-08-12 at 09:21:57+0200 Steffen Kaiser <skmimedefang at smail.inf.fh-bonn-rhein-sieg.de> wrote:

> Actually I do not understand this topic for the reasons already
> mentioned in various posts about the pros and cons of scanning
> archives at all.
> 
> There are plenty of reasons why to scan an archive can fail.  Most
> of all: You do not know if that is an archive at all.  Are you
> really drop all attachments of unknown type (I mean unknown _file_
> type, not MIME type)?

This is true: if I'm looking at an unknown file type, I have no way to
know whether it might be an archive, and if so, what it contains.

But practically speaking, if a virus is going to distribute itself
inside an archive, it's going to pick a well-known archive format (for
which most people have encoding/decoding software installed on their
desktops).  An esoteric archive format that no one knows about and
practically no software can decode is useless from the point of view
of spreading the virus infection.

> IMHO if you tell your customers/users that you scan archives or
> perform a deep scan of the documents, you take away responsibility
> from them to be aware themselves, you increase the "feeling" of
> security a lot without improving the security itself.

Unfortunately, it's been our experience that implementing *any*
antivirus measures gives users a false sense of security.

For example, when W32/Sobig-E hit, about a dozen or so people within
our organization managed to infect themselves before new virus
definitions were available for our desktop antivirus software.  They
opened the mail, extracted the ZIP file, launched WinZip, extracted
the virus to disk, and then executed it.

While we didn't comprehensively question the infected users as to why
they downloaded, extracted, and then executed the virus, at least a
few people sheepishly admitted to something like "I figured that if it
were a virus, that our virus scanner would catch it."

I see no evidence that scanning archives for viruses will make users
any more complacent than they (unfortunately) already are.

> <<There may still be a virus in it>> even if the virus scanner says,
> there is none!  No need for such category, because the virus topic
> by itself implies that.

While you can't be 100% certain that an attachment doesn't contain a
virus just because it checks clean, you can be more certain if the
virus scanner successfully checks all files than if the virus scanner
can't examine some of the files.

As I said in a previous message, admins who are intimately familiar
with their virus scanner will probably ignore $category and $action,
and instead base their decisions on $code and $VirusScannerMessages.
But for admins who are just looking at $action (and perhaps
$category), is just returning 'ok' for $action really the best thing
to do?

> E.G. consider how long it takes to get a new virus into the DB of
> the scanner.

Not a long time, really--it's usually a matter of hours.

James
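The distinction James draws above (a scanner that examined every part and found nothing, versus one that could not examine some of them) is what the filter has to act on. The following filter_begin hook is an added example, not code from the thread or from MIMEDefang itself; it assumes the documented three-element return of message_contains_virus() and the standard action_* helpers, and the X-Virus-Scanned header name is a constructed placeholder.

```perl
# Added example (not from the list thread): branch on $code/$category,
# not on $action alone, so "could not scan" is never reported as "clean".
sub filter_begin {
    my ($entity) = @_;

    # Assumed per the mimedefang-filter documentation:
    #   $code     0 = clean, 1 = virus, 999 = scanner failed
    #   $category e.g. 'ok', 'virus', 'cannot-execute', 'swerr'
    #   $action   e.g. 'ok', 'quarantine', 'tempfail'
    my ($code, $category, $action) = message_contains_virus();

    if ($code == 1) {
        # Positive detection: quarantine and drop, as the scanner advises.
        md_syslog('warning', "Virus found: $VirusName");
        action_quarantine_entire_message("Virus: $VirusName");
        action_discard();
        return;
    }

    if ($code == 0 && $category eq 'ok') {
        # Every part was examined and reported clean.
        action_add_header('X-Virus-Scanned', 'clean; all parts examined');
        return;
    }

    # Anything else: the scanner did not, or could not, verify the whole
    # message. Log the scanner's own output so the admin can see why.
    md_syslog('warning',
        "Scan incomplete: category=$category action=$action: "
        . "$VirusScannerMessages");

    if ($category eq 'cannot-execute' || $category eq 'swerr') {
        # The scanner itself failed; let the sending MTA retry later.
        action_tempfail("Virus scanner unavailable; please retry later");
        return;
    }

    # Scanner ran but some part was not examined (e.g. an archive it
    # could not unpack): mark the message as unverified rather than clean.
    action_add_header('X-Virus-Scanned',
        "unverified ($category); some parts were not examined");
}
```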
