> > Dennis Peterson wrote: > > If you set up a file exchange server to allow uploads of these types > > of files, all you've done is provide a back door for dangerous files which > > could, if infected, impact systems outside yours. This could be considered > > irresponsible behavior. > > I didn't mean there would be a totally insecure, general-access file > server. I meant each individual could, if they wanted, use their own > personal web space to make a file available to someone else. With a > password to protect the relevant folder. > > > Renaming files won't work as file names have no significance in virus and > > dangerous file detection. You could run them through a reverser where the > > first byte becomes the last byte, and then undo that at the recipient end, > > or pass them through crypt to create a wholly obfuscated file. The encrypted > > files' name could be the password for reversing the encryption. Ok, so now > > you have a way to exchange dangerous files. Why bother with AV then? > > It sounds to me like you recommend never, ever allowing people to send > or receive files on your banned list. Not through email, not with > encrypted or password protected files, not by renaming files, and not by > using (private) HTTP/FTP space. Am I understanding you correctly?
This is exactly right. That is why it is a banned list. What is banned in SMTP is not necessarily banned with ftp/http. > > If that is indeed the case, what do you suggest if a customer still > wants to send an executable? Don't use the Internet at all? Burn a CD > and mail it? If you have user space locked down adequately and are sure you won't be sued for facilitating the transfer of hazardous files (unless you know they are not, best to assume they are), allow the users to build a dropbox. Require scp or sftp, for upload, and then password protect the data file in case the link to it gets loose in the wild. Require .htaccess or other authentication. Sweep the file area to remove files after an agreed upon time frame. > In my example case, we have a customer who is a programmer. He wants to > (needs to) send the results of his work to one of his clients. > > Don't get me wrong, I loathe spam and viruses. I try to run everything > here with extremely tight security. But I also have to provide useful > services to our clients. But not at the risk of others, would you not agree? > Security is always a compromise against usability. I hate it when > people compromise security way too much for usability -- Microsoft is an > excellent example of that -- but you can't have truly perfect security > without causing serious problems with usability. (ie, the only > perfectly secure computer is one you encase in cement and sink in the > ocean.) You just have to be smarter than the problem. dp _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
