List: clamav-devel
Subject: Re: [Clamav-devel] mail scanning of Quoted-Printable
From: Bennett Todd <bet () rahul ! net>
Date: 2004-12-03 17:59:40
Message-ID: 20041203175940.GA13338 () rahul ! net
Fair enough, I'll happily admit I didn't express myself clearly;
I've thought about this a lot, and failed to give all the
background.
I'll try again, if you don't mind (if you do, please feel free to
ignore me, I won't mind a bit:-).
The context I'm talking about is very specific: a large company, too
large to expect all employees to be technologically savvy and to use
well-designed MUAs. In this context, you want virus-scanning in the
firewall plant, stripping viruses out before they reach the clients,
one way or another. Clamav would be an example of a tool to deploy
that way, that's why I don't think this discussion is off-topic for
clamav-devel even though I'm not necessarily proposing that clamav
should be forced to grow into this role.
So you've got uncountable bazillions of random strangers out on the
internet, some of which are just worm-infested PCs and not even
human at all, and they're all firing stuff at your mail plant. Some
of it is important. No completely automated scanning process will
ever perfectly sort things into Good and Bad with 100% agreement
with the opinions of the recipients, so you have to take some care.
If you let all MIME through without canonicalizing, then you're
taking a really, really long gamble that the interpretation your A/V
scanner (clamav, e.g.) applies to non-standard-conforming encodings
will match that of any MUA that's in use in your shop. I would not
want to be there.
The alternative, that works well in practice (I know, I work at such
a place, helped with the development of the canonicalizer, sadly,
it's not open source) looks like this:
- Legit, strictly RFC compliant MIME goes through the frontend
rewrite untouched.
- Strictly invalid MIME is rewritten using whatever seems like the
most reasonable interpretation into valid MIME, and until you've
gotten a good batch of experience confirming your rewrite didn't
break anything, your MIME canonicalizer saves a copy in a holding
pen, for manual recovery when a user screams.
- The resulting correct MIME is run by the A/V scanner, which
quarantines things it [thinks it] recognizes, letting the
container msgs through with explanatory text plugged in place of
the naughty bits. Again, you can recover manually from
false-positives, plus it builds a corpus of malware for stats, for
testing new A/V scanners, etc.
- After the A/V scanner, you apply mime attachment type policies.
Executables (which means a _giant_ range of attachment types
for Windows, for some reason, most of which are things nobody
ever heard of) get stripped and held in quarantine. You keep a
fast-action trigger available so you can _very_ quickly quarantine
all office docs, for the next time an office doc macro worm gets
spreading. If you've really got a grip, and have the manpower, the
ideal fantasy is to actually enumerate the content types that are
_permitted_, rather than _forbidden_; however, this doesn't work
so well for the also-necessary required filename extension
processing, so you're in the business of trying to maintain a
mime.types database and depend on it as part of your security
policy implementation, urgle, that's no fun.
- Outbound email is somewhat similarly handled, with the difference
that after scrutiny, if any canonicalization, virus-stripping, or
forbidden attachment stripping happened at all, the butchered,
mangled remains are returned to the sender rather than
embarrassingly let out to the original recipient.
Hope this clarifies where I'm coming from.
-Bennett
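The attachment-type policy stage from the list above, written out as an added example (this is not code from the post or from the canonicalizer Bennett describes). It runs after the A/V scanner on already-valid MIME: a denylist of executable types and filename extensions, the "fast-action trigger" for office documents, and an optional allowlist mode; the policy tables, the sample message and all function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed policy tables (illustrative values, not from the post).
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/x-executable"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
OFFICE_EXTS = {".doc", ".xls", ".ppt", ".docm", ".xlsm"}   # flipped on by the "fast-action trigger"
PERMITTED_TYPES = {"text/plain", "application/pdf", "image/png", "image/jpeg"}  # allowlist mode
NOTICE = "[Attachment {name} ({ctype}) removed by policy]"   # explanatory text left in place

def is_forbidden(part, allowlist=False, office_lockdown=False) -> bool:
    """Policy decision for one leaf part; the extension check runs in both modes."""
    ctype = part.get_content_type()
    name = (part.get_filename() or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXEC_EXTS or ctype in EXEC_TYPES:
        return True
    if office_lockdown and ext in OFFICE_EXTS:
        return True
    return allowlist and bool(name) and ctype not in PERMITTED_TYPES

def apply_policy(raw: bytes, allowlist=False, office_lockdown=False):
    """Returns (rewritten message bytes, list of (name, type, payload) held for quarantine)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    held = []
    for part in msg.walk():
        if part.is_multipart() or not is_forbidden(part, allowlist, office_lockdown):
            continue
        name, ctype = part.get_filename() or "(unnamed)", part.get_content_type()
        held.append((name, ctype, part.get_payload(decode=True)))  # keep for manual recovery
        part.clear_content()  # drops the payload and every Content-* header of this part
        part.set_content(NOTICE.format(name=name, ctype=ctype))
    return msg.as_bytes(), held

def attachment_names(raw: bytes) -> list:
    """Filenames still present in a message, for checking what the rewrite left intact."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample() -> bytes:
    """Constructed inbound message: text body, a PDF, a Word document and an .scr 'screensaver'."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", "Q3 numbers"
    m.set_content("Numbers attached.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="q3.pdf")
    m.add_attachment(b"constructed doc", maintype="application", subtype="msword", filename="notes.doc")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="funny.scr")
    return m.as_bytes()
```

With the defaults only funny.scr is held; `office_lockdown=True` additionally pulls notes.doc, and `allowlist=True` holds anything with a filename whose declared type is not in PERMITTED_TYPES.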
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel