> 
> 2) The actual virus code may be hidden inside a wide number of
> packaging schemes; different mime encodings, compression formats,
> encryption formats, etc.  It is impossible for a virus scanner to be
> able to read them all.  Thus some known viruses can slip by because
> they're inside an unknown packaging scheme.
> 
> Therefore, signature based scanners CANNOT be a 100% reliable method
> for preventing viruses.
> 

Depends on what you want to put in place. Simple rule: no attachments get to a 
MUA, they are removed and put into a secure file area. If they can be scanned
and found to have no potential to carry code then they are sanity checked and
may be picked up by their owner. If they can or do carry code then they must be 
inspected by hand and then a signature checking virus scanner. 

Sanity checks would include reasonable headers and characters that are
printable.

The down side of this is you get many false hits. The good side is that while
the signature based systems are waiting for updates you have a pile of
.vbs or .exe files waiting to be looked at. 

Solutions include both commercial and roll your own. 

 
No solution is 100% but prescribing a solution that is only signature based
is not enough. Having to shut down email to a 3,000 user organization 
due to the latest "love bug" attack will not win you friends.

Of course getting it right got me (and the rest of the team) a nice
polo shirt from Symantec.
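
An added example, not part of the original message: a minimal Python sketch of the quarantine rule described in the reply above, where every attachment is detached, code-capable files are held for inspection, and the rest are released only after the printable-characters check. The extension list, the "MZ" header test, the handling of nested containers, and all function names are assumptions made for illustration.

```python
import os
import string
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumptions for this sketch: the extension list (the post names .vbs and .exe)
# and the "MZ" executable-header test are illustrative, not from the post.
CODE_EXTS = {".vbs", ".exe"}
PRINTABLE = set(string.printable.encode())

def sanity_check(payload: bytes) -> bool:
    """The post's printable-characters check: every byte is printable ASCII."""
    return all(b in PRINTABLE for b in payload)

def quarantine(raw: bytes):
    """Return (body text for the MUA, records for the secure file area)."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.is_multipart():
        parts = list(msg.iter_attachments())
    else:
        parts = [msg] if msg.is_attachment() else []
    held = []
    for part in parts:
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        # Nested containers (e.g. an attached message) are never auto-released.
        carries_code = (part.is_multipart() or ext in CODE_EXTS
                        or data[:2] == b"MZ")
        # Code-capable files, and anything failing the sanity check, wait for
        # hand inspection plus a signature scan; the rest may be picked up.
        ok = not carries_code and sanity_check(data)
        held.append({"name": name, "disposition": "release" if ok else "inspect"})
    body = msg.get_body(preferencelist=("plain",))
    return (body.get_content() if body is not None else ""), held

def sample_message() -> bytes:
    """Constructed test message: one harmless note, two code-capable files."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached\n")
    m.add_attachment("meeting notes\n", filename="notes.txt")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="report.txt")
    m.add_attachment("MsgBox 1\n", filename="hello.vbs")
    return m.as_bytes()
```

The printable-only check also holds back ordinary binary attachments such as images, which is the false-hit cost the reply mentions.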
