[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Thu Jun 30 11:51:28 EDT 2005


WBrown at e1b.org wrote:

> 
> Huh?  program.exe is the same file, whether it is stored on a local drive,
> or extracted from an email.  And if the same definition says it is a
> virus, I don't see why it would matter where it was.
> 
> And anyone that runs a mail server not protected by AV is just hanging out
> a big old "KICK ME!" sign. It doesn't matter whether it is an MX or a relay
> for internal users.  The only mail servers that can get away without
> running AV are those that only accept connections from servers that *ARE*
> running AV and do not accept any connections from end-user devices.

Yes, program.exe is program.exe.  However, program.exe *may* be legitimate
if it is already on someone's PC local disk, so the desktop AV scanner has a
much higher probability of falsely identifying it as a virus (if, for
example, program.exe wasn't properly "digitally signed" by MS, or had some
sort of other *suspicious* characteristic).  Quite to the contrary, the
email world is fortunately more cut and dried. In an email message, program.exe
would definitely be rejected (we don't accept Windoze executables as our
policy), and silently discarded if the AV scanner classified it as a virus.
Most desktop AV scanners must go beyond just the virus signature in
detecting viruses.  Not only that, the AV scanner has a HUGE array of file
types that it must scan (DLLs, exes, bats, zips, etc. etc. etc.).

This basically goes back to what David Skoll was saying about false
positives on mail gateway AV virus scanners -- if the gateway AV scanner
says it's a virus, chances are near 0% that the message was falsely
classified.

I honestly wish it were true that *most*, if not all, MX hosts ran AV
scanners on properly configured mail servers.  We deal with (on a frequent
basis) several hundred small to medium businesses that run their own mail
servers (MS Exchange, Groupwise, etc.), and MOST of them do NOT run *any* AV
software whatsoever, NOR do they have firewalls. I'm also inclined to say
that our clients are not in a small exclusive group, but rather, they
reflect the status quo of what most small to medium businesses do with their
mail (MX) servers.  We have told our clients time and time again that the
lack of an AV scanner on their mail server gives them a big "KICK ME!" sign
with a bullseye on it, but the answer we always receive is "we don't want to
spend the $, and especially time on implementing/installing/deploying an AV
scanner", and they won't even consider open-source solutions because they
lack the technical wherewithal to configure and maintain it, and don't want
to pay for someone else to set it up for them, so that puts us in a
difficult situation.

- Chris


------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
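The gateway policy described in the post (reject messages carrying Windows executables outright, silently discard anything the AV scanner classifies as a virus, accept the rest) as an added Python illustration; this is not code from the post or from MIMEDefang. The blocked-extension list, the extra check for the MZ header of PE executables (so a renamed .exe is still caught, which goes slightly beyond the extension-only policy in the text), the stub scanner and the sample messages are all constructed assumptions.

```python
"""Attachment-policy check modelled on the post: reject Windows executables,
discard on an AV 'virus' verdict, accept otherwise. Added example, not
MIMEDefang's filter code; the scanner verdict is supplied by the caller."""

from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
import os

# Assumed blocklist of executable extensions; a deployment keeps its own list.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
PE_MAGIC = b"MZ"  # DOS/PE executables start with these two bytes


def executable_attachments(raw: bytes):
    """Return the names of parts that look like Windows executables, judged by
    filename extension or by the MZ header of the decoded payload (an
    extension check alone is trivially bypassed by renaming the file)."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS or payload.startswith(PE_MAGIC):
            hits.append(name or "<unnamed>")
    return hits


def decide(raw: bytes, av_verdict):
    """Apply the policy in order: 'reject' (SMTP-time refusal) if any
    executable is attached, 'discard' if the scanner callable returns a
    detection name, otherwise 'accept'."""
    if executable_attachments(raw):
        return "reject"
    if av_verdict(raw) is not None:
        return "discard"
    return "accept"


def stub_scanner(raw: bytes):
    """Constructed stand-in for a real AV verdict: flags a marker string."""
    return "Constructed.Test" if b"CONSTRUCTED-MALWARE-MARKER" in raw else None


def build_message(filename, data, subtype="octet-stream", body="see attachment"):
    """Construct a sample multipart message with one attachment (test data)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "postmaster@example.test"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    m.add_attachment(data, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()


# Constructed sample messages (no real malware involved).
SAMPLE_EXE = build_message("program.exe", PE_MAGIC + b"\x00" * 64)
SAMPLE_RENAMED = build_message("report.pdf", PE_MAGIC + b"\x90\x00" * 32, "pdf")
SAMPLE_CLEAN = build_message("notes.pdf", b"%PDF-1.4 constructed", "pdf")
SAMPLE_INFECTED = build_message("notes.pdf", b"%PDF-1.4 constructed", "pdf",
                                body="CONSTRUCTED-MALWARE-MARKER")

if __name__ == "__main__":
    for label, raw in [("exe", SAMPLE_EXE), ("renamed", SAMPLE_RENAMED),
                       ("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)]:
        print(label, decide(raw, stub_scanner), executable_attachments(raw))
```

Ordering matters: the executable check runs before the scanner so that a rejected message is bounced at SMTP time, while a scanner hit is dropped without a bounce, matching the reject-versus-discard distinction in the post.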