Hi there,

On Thu, 31 May 2012, Jason Haar wrote:
> On 30/05/12 23:17, G.W. Haywood wrote:
>
>>> Wouldn't more spamtraps that feed virus samples directly to AV
>>> analysts help?
>>
>> Are you new to this? :)  Just think about the numbers involved.
>
> I think you've been a bit harsh there.

Perhaps you're right.  Apologies, it had been a bad day (and this is
another one).  But it really seems to me like this is (a) making rods
for your own backs and (b) addressing a non-problem.  Executables in
mail are the least of my problems.  The vast majority of malicious
executables that I see reach their target get in through other means,
mostly by browsing.  In my experience, far more links to malicious
executables appear in mail than do the actual executables themselves.
Something like a factor of a hundred.  It's much easier to trick a
computer user into clicking on a malicious link than it is to get a
malicious executable past something like ClamAV.  The most recent
example I can think of was a user downloading 'WinZip' from CNET,
which riddled the machine with adware, rendering it unusable.

Take a look at this for example:

http://insecure.org/news/download-com-fiasco.html

But look at it another way then: there's an inexhaustible supply of
malware, and a relatively limited set of useful executable stuff.  If
you try the 'accept everything that is not bad' approach, you *will*
be exhausted and you *will* miss something which *will* cause trouble.
If you're wedded to the idea of permitting executables in mail (which
I personally think is insane if you have any Windows boxes inside your
firewalled network) then does it not make sense to simply get in touch
with the presumably relatively small number of people who are likely
to be sending these executables as and when they want to send them,
and arrange something simple (such as a particular 'Subject:' line)
which will flag to your mail filters that this message is NOT to go
into the bit-bucket with all the other executables, but into some
quarantine place where a human can give it a once over?

It will be a lot less work.

You might be asking yourself "Then why does he use ClamAV?", which is
a perfectly fair question.  I use it for all these sigs:

ged@mail4:~$ l /etc/mail/clamav/*db | cut -b49-
/etc/mail/clamav/securiteinfobat.hdb
/etc/mail/clamav/spam.ldb
/etc/mail/clamav/winnow.complex.patterns.ldb
/etc/mail/clamav/securiteinfopdf.hdb
/etc/mail/clamav/securiteinfoelf.hdb
/etc/mail/clamav/securiteinfosh.hdb
/etc/mail/clamav/securiteinfooffice.hdb
/etc/mail/clamav/honeynet.hdb
/etc/mail/clamav/winnow_phish_complete.ndb
/etc/mail/clamav/spamimg.hdb
/etc/mail/clamav/lott.ndb
/etc/mail/clamav/phish.ndb
/etc/mail/clamav/securiteinfo.hdb
/etc/mail/clamav/securiteinfohtml.hdb
/etc/mail/clamav/scam.ndb
/etc/mail/clamav/junk.ndb
/etc/mail/clamav/rogue.hdb
/etc/mail/clamav/securiteinfodos.hdb
/etc/mail/clamav/scamnailer.ndb
/etc/mail/clamav/winnow_spam_complete.ndb
/etc/mail/clamav/winnow_malware_links.ndb
/etc/mail/clamav/winnow_malware.hdb
/etc/mail/clamav/INetMsg-SpamDomains-2m.ndb
/etc/mail/clamav/spear.ndb
/etc/mail/clamav/jurlbl.ndb
/etc/mail/clamav/jurlbla.ndb
/etc/mail/clamav/mbl.ndb

Some of them 'kick serious butt' as I think someone on here put it a
while ago.  But if anything looks even vaguely like an executable it
doesn't get scanned by ClamAV here.  It gets a 5.7.1 and an iptables
entry all of its own.  I can't remember the last time a virus actually
got as far as being scanned by one of my ClamAV daemons.

Finally there's an alternative, that is to ditch all the Windows boxes.
My experience of doing that is, let's say, patchy.  But I'm working on
it, one step at a time.  The first step was easy, there are no Windows
boxes in my own business network.  The second step hasn't been so easy
and I've been on the journey for over ten years.  It's taken that long
to replace two out of about thirty Windows machines in one customer's
business, but the two Directors using those machines now haven't had a
virus on their machines since they started using Linux.  Previously it
was approaching one a week.

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
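The reject-or-quarantine policy Ged describes (anything that looks like an executable gets a 5.7.1, unless the sender has pre-arranged a Subject: flag, in which case it goes to a quarantine for a human to look at) as an added example, not code from the thread or from ClamAV. The flag text, the extension list and the sample messages are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed flag text agreed with the few people who legitimately send
# executables; anything else carrying an executable is refused outright.
QUARANTINE_FLAG = "[EXE-OK]"
# Assumed extension list; the content check below catches renamed files.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".msi"}


def looks_executable(part) -> bool:
    """True if an attachment looks like a Windows executable, by name or by content."""
    name = (part.get_filename() or "").lower()
    if any(name.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"  # DOS/PE header magic, regardless of filename


def decide(raw: bytes) -> str:
    """Return 'accept', 'quarantine' or 'reject' for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_exec = any(looks_executable(p) for p in msg.iter_attachments())
    if not has_exec:
        return "accept"  # hand the message on to ClamAV and the rest of the filters
    if QUARANTINE_FLAG in str(msg.get("Subject", "")):
        return "quarantine"  # known sender, human gives it a once-over
    return "reject"  # SMTP: 550 5.7.1 Executable attachments not accepted


def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Constructed test message with one attachment (not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "postmaster@example.invalid"
    m["Subject"] = subject
    m.set_content("see attached")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(decide(build_sample("invoice", "report.pdf", b"%PDF-1.4 sample")))
    print(decide(build_sample("tool", "setup.exe", b"MZ\x90\x00")))
    print(decide(build_sample("[EXE-OK] tool", "setup.exe", b"MZ\x90\x00")))
    print(decide(build_sample("notes", "notes.txt", b"MZ\x90\x00")))
```

In a real deployment the 'reject' branch would be returned to the MTA as the 5.7.1 response (and, as in the thread, could drive a firewall rule), while 'quarantine' drops the message into a mailbox or directory that a person reviews.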
