Hi there, On Nov 24, 2009, ANANT S ATHAVALE wrote:
> I was just testing an encrypted file using clamscan. Though it was
> password protected, it could scan and tell that it is not infected
> with Virus.

When ClamAV performs a scan and no virus is found, you know only that a piece of software told you that no virus was found. You do NOT know that there is no virus in there. You only know that if there is, a piece of software told you that ClamAV didn't find one. The reasons for not finding a virus range from there not being one there to find; to there being one that was not detected; to there being a fault in the software that tells you there isn't one when there are in fact three or four; to there being several that were ignored because of your configuration; to there being a couple of dozen that were not detected because your freshclam daemon couldn't establish an Internet connection this morning to update a database. And probably a couple of other reasons I haven't thought of yet. It's up to you how you use the information, but you must understand the difference between "no virus here" and "no virus found here" and you must in any case decide on how much confidence you place in the statement when it is made. That is your decision, and not one which can be made in a vacuum.

> Then in that case, is it OK to allow encrypted files?

That isn't up to me to decide. It's up to you. You need a policy. You can use ClamAV (and a lot of other tools) to help you implement a policy, but the policy is what you decide, not what anyone else says it should be.

> I forgot to add that, we still receive mails having PDF files as
> attachments and they are password protected (like Bank statements etc).

I note you say that they are password protected.

> Are such files really encrypted or they are just password protected?

You said they were password protected. Without actually seeing them, I don't know how anyone here can be expected to know whether they are encrypted, password protected, or made of Swiss cheese.
As an aside, if my bank sent me PDF files containing financial information such as bank statements by electronic mail then I would find a different bank. Unfortunately people with no IT background sometimes misuse computers in very creative ways, and that can result in the unwitting disclosure of valuable information. I have seen PDF files which were allegedly protected or encrypted and yet I have had no trouble reading them on any Linux box running 'xpdf'. Sometimes I've had suppliers think they were protecting sensitive business information with encryption, when in fact they were sending it Base64 encoded by email over the public Internet. People generally have no idea that information encoded that way may as well be sent in plain text.

> If they are encrypted, how do we block such attachments also?

You still need to decide your policy. If your policy will be to block "encrypted files" then you have to decide how to specify what you mean by "encrypted files" and when you receive a file, whether or not _you_ say that it is encrypted. There are many ways to obscure the content of a file, for example people hide things in image files which are not the images which are seen when the files are viewed with typical image viewers. There are many ways to encrypt information, from the simple substitution ciphers which can be cracked in a few milliseconds on a ZX81 to the state of the art techniques which using current technology can't be cracked within the expected lifetime of our planet. One view would be to say that no file which is not easily readable by your mail system administrators may be passed through your mail system.

Be aware that if you get a suspicious mail message, you really can't trust anything in it except the headers that your own server put in. You especially can't trust things within the message that purport to tell you things about other parts of the message. It is very common for malicious mail to contain false statements.
These falsehoods are not limited to things like a box of money found in an abandoned shed; they can be cleverly constructed to appear to be the work of a famous software package. If done well, it is practically indistinguishable from the 'real' thing.

If you wish to strip attachments and permit the covering message to pass through the filters, MIMEDefang for example can do that. It can do it whatever the attachments are, and whether they are obfuscated, encrypted or not. If you prefer, you could also reject such mail. That would be my choice most often. ClamAV cannot strip attachments, nor manipulate the mail in any way except for the odd header, but it can for example tell the MTA to quarantine mail so that you can look at it later if you have the time. Don't make work for yourself like that if you don't have to...

On Nov 25 2009, ANANT S ATHAVALE wrote:

> The mail received with PDF file says, the file is encrypted and key to
> open it is first two characters of your name and first two digits of
> your date of birth.

Maybe there's another mail coming soon which asks for the second two characters of your name, the second two digits of your date of birth, the last nine digits of your social security number and your mother's maiden name. You could be treading on very thin ice if you knowingly permit your systems to be used in this way, but I don't know anything about the legal framework in which you are working.

> Should we block such mails also as they may also contain virus?

I would. Not knowing your terms of reference makes it difficult to say what you should do. In your situation, the issue of whether or not the mail does in fact contain a virus seems to me to be secondary to making the policy clear. Document it before you do anything else.

-- 
73, Ged.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
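The thread above keeps returning to two points: you must first write down what "encrypted file" means to you, and you cannot trust a message's own claims (Content-Type, filename) about its attachments. The following is an added illustration, not code from the thread, from ClamAV or from MIMEDefang, of how a mail filter could apply such a locally defined policy by inspecting attachment bytes directly. It assumes that a PDF whose trailer carries an `/Encrypt` entry and a ZIP entry with bit 0 of its general-purpose flag set count as "encrypted"; the `EXAMPLE_POLICY` table, the verdict names and the sample message are all constructed for the example. Anything the filter cannot itself read is classed "opaque", in the spirit of the "not easily readable by your administrators" rule.

```python
"""Classify mail attachments against a local 'encrypted content' policy by
inspecting the bytes, never the declared Content-Type or filename.
Added example; the detection rules and policy table are assumptions."""
import io
import re
import zipfile
from email.message import EmailMessage

# Verdict names are placeholders; the real policy is the site's decision.
REJECT, QUARANTINE, PASS = "reject", "quarantine", "pass"

# Constructed example policy: encrypted content is rejected outright,
# readable PDFs/ZIPs pass, anything unreadable is held for a human.
EXAMPLE_POLICY = {
    "pdf": PASS,
    "zip": PASS,
    "pdf-encrypted": REJECT,
    "zip-encrypted": REJECT,
    "opaque": QUARANTINE,
}


def pdf_is_encrypted(data: bytes) -> bool:
    """A PDF whose trailer references an /Encrypt dictionary uses a security
    handler, i.e. it is password protected or otherwise encrypted."""
    return data.startswith(b"%PDF") and re.search(rb"/Encrypt\b", data) is not None


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Bit 0 of a ZIP entry's general-purpose flag marks that entry encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify(data: bytes) -> str:
    """Decide by magic bytes what the attachment really is."""
    if data.startswith(b"%PDF"):
        return "pdf-encrypted" if pdf_is_encrypted(data) else "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip-encrypted" if zip_has_encrypted_entry(data) else "zip"
    return "opaque"  # the filter cannot read it, so it cannot vouch for it


def decide(msg: EmailMessage, policy: dict) -> list:
    """Map every attachment to (filename, kind, verdict) under the policy."""
    verdicts = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        kind = classify(payload)
        verdicts.append((part.get_filename(), kind, policy.get(kind, QUARANTINE)))
    return verdicts


def make_sample_message() -> EmailMessage:
    """Constructed test message with three attachments; all content is made up."""
    msg = EmailMessage()
    msg["From"] = "statements@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your statement"
    msg.set_content("Your statement is attached.")
    # 1. Minimal PDF skeleton whose trailer references an /Encrypt dictionary.
    enc_pdf = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"
    msg.add_attachment(enc_pdf, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    # 2. ZIP written by zipfile, then the flag bytes in the local header
    #    (offset 6) and central directory (offset 8) are patched to set
    #    bit 0, because zipfile cannot write encrypted entries itself.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "hello")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x03\x04") + 6] |= 0x01
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip",
                       filename="report.zip")
    # 3. Declared as PDF, but the bytes are not a PDF: the headers lie.
    msg.add_attachment(b"\x00\x01\x02 not really a pdf", maintype="application",
                       subtype="pdf", filename="fake.pdf")
    return msg


if __name__ == "__main__":
    for name, kind, verdict in decide(make_sample_message(), EXAMPLE_POLICY):
        print(f"{name:15} {kind:15} -> {verdict}")
```

Run stand-alone it prints the three verdicts (reject, reject, quarantine). The deliberate design point is that `classify` never consults `Content-Type` or the filename: the third attachment claims to be a PDF and is treated as opaque because its bytes say otherwise, which is exactly the "don't trust what the message says about itself" rule from the reply. A real filter would be wired into the MTA or a milter such as MIMEDefang and would still need a separate answer to the question the reply leaves open: how much confidence you place in a "no virus found" verdict when the database may be stale.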