Open Source and information security mailing list archives
From: james.mailing at gmail.com (James Eaton-Lee)
Subject: Multiple AV Vendors ignoring tar.gz archives

On Sun, 2005-02-06 at 17:51 +1300, Nick FitzGerald wrote:
> Did you miss the part of my message where I wrote:
> 
>    Well, OK -- in a gateway scanner it is likely to be a terrible flaw.
>    Any vaguely competent gateway scanner should have basic knowledge of
>    all archive formats and should have an option to quarantine all
>    messages with archives in the formats it cannot unpack and inspect.
>    Sadly, most gateway scanners are not designed this way.  It is the
>    job of a gateway scanner to not let anything "dangerous" in and if
>    you cannot tell what something is, prudence says you keep it out, or
>    at least set it aside for more expert inspection.  
> 
> Didn't that make you think I may have had an idea or two about the 
> border/inside distinction?

Not really - the crux of my argument is that you aren't applying what I
believe to be the correct weighting between border and client-based
scanning - you initially said in your initial message:

"Worse however, is the implication that missing unpacking abilities for 
some modestly common archive type is a terrible flaw in a scanner."

You then add 'Well, OK -- in a gateway scanner it is..' as an
afterthought - skipping down to the bottom of your message (and ignoring
the two jibes you make at my inability to understand and/or bother to
read your message, both of which were misspelt):

> BUT you have still missed the flaming obvious -- a desktop scanner does 
> not have to detect malware inside an archive.  As such, the malware is 
> neutered. 

Actually, I specifically addressed this - perhaps you're guilty of not
reading my message:

"Bearing all of these factors in mind, and also factoring the growing
reliance of SMEs on third-party and centralised antivirus scanning
for their mail (from external service providers via MX routing, and via
e-mail servers which aren't Exchange which incorporate antivirus
scanning simply by calling the antivirus software on the server
itself),"

For many SMEs, the distinction is irrelevant, as a significant number of
e-mail servers do *NOT* incorporate antivirus software designed with
gateway scanning in mind - they run desktop scanning tools on e-mail;
thus, for many companies, the distinction between 'gateway' and
'desktop' antivirus software is both, since one scanning engine and set
of definitions play the same role. 

To make it painfully obvious:

i) obviously, the ability to scan exotic archive types isn't a huge
issue in desktop scanners where there is a separate gateway scanner at
work. I didn't make myself quite clear enough on this point.

ii) point i is somewhat irrelevant for a) SMEs who don't employ separate
gateway scanners and/or use - essentially - a CLI interface to the
scanning engine for both purposes.

iii) client machines (in all enterprises) are, *to an extent* an unknown
quantity and *should not be relied upon* for virus scanning and
intrusion prevention; I don't think you disagreed with me here.

You also miss an important point, by assuming that antivirus software is
solely in place in order to prevent workstations from being infected -
at no point did I even implicitly state that this hole was likely to
cause the infection of thousands of hosts on a network. Antivirus
technology is something which even non-technical office staff are very
much aware of, and they base many aspects of their work on assumptions
such as the fact that if an antivirus scanner has not detected 'a virus'
in a file they have sent/downloaded/copied, that it is safe - although
they may not be at risk from a virus in an archive file that their
antivirus software does not detect, other people may. 

Harking back to SMEs, who seem to be at the focus of most of the points
that I've made, it's quite possible that the inability to scan an
archive file could be extremely damaging to a business's reputation when
forwarded to a partner or customer - since you're obviously sure of your
positions on these issues, I shouldn't have to remind you that antivirus
software isn't about being theoretically perfect, it's about preventing
business loss.

Antivirus software is deployed based on many sets of assumptions.
Failure to live up to these assumptions is generally what causes the
most damage to businesses as protection they thought they had in place
fails - this issue is something which falls into this category;
antivirus software is, in the majority of SMEs, implemented by staff
without extensive experience in antivirus software, and they are highly
unlikely to be aware of issues such as this one (especially since in
most antivirus software, the option is given to 'scan archive files',
not 'scan archive files apart from the ones we don't understand') - not
a serious issue, but definitely a significant one, and one which should
be fixed upstream by antivirus vendors.

regards,

 - James.
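The gateway policy that the quoted paragraph argues for (set aside any archive in a format the scanner cannot unpack, rather than silently passing it) and the "scan archive files" option discussed at the end of the message, as an added example that is not part of this thread or of any vendor's product. The signature table, the set of "supported" formats and the sample attachments are constructed assumptions for illustration.

```python
"""
Added example (not from the original post): a toy mail-gateway triage step
that identifies archive attachments by magic bytes and quarantines those in
formats the scanning engine cannot unpack, instead of reporting them clean.
"""
from __future__ import annotations

import gzip
import io
import tarfile
import zipfile
import zlib
from typing import Optional

# Leading magic bytes of a few common archive containers.
# Assumption: only these are recognised; a real gateway needs a fuller table.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"BZh": "bzip2",
}

# Formats this hypothetical engine can actually open and inspect.
# The whole point of the thread: "scan archive files" must not mean
# "scan the archive types we happen to understand and wave the rest through".
SUPPORTED = {"zip"}


def identify_archive(data: bytes) -> Optional[str]:
    """Name the container format, or None if the data is not an archive."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    # tar has no leading magic; POSIX/GNU headers carry "ustar" at offset 257.
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return None


def gateway_decision(data: bytes) -> str:
    """Return 'plain' (not an archive, scanned as an ordinary file),
    'scan' (archive the engine can unpack) or 'quarantine' (archive the
    engine cannot unpack, so its contents are unknown)."""
    fmt = identify_archive(data)
    if fmt is None:
        return "plain"
    if fmt == "gzip":
        # gzip only wraps one member; peek at the decompressed head to see
        # what is really inside (a .tar.gz is the case the thread is about).
        try:
            inner = gzip.GzipFile(fileobj=io.BytesIO(data)).read(512)
        except (OSError, EOFError, zlib.error):
            return "quarantine"  # truncated or corrupt: cannot be inspected
        if identify_archive(inner) == "tar":
            fmt = "tar.gz"
    return "scan" if fmt in SUPPORTED else "quarantine"


# --- constructed sample attachments (no real content, built in memory) -----

def make_tar_gz(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def triage(attachments: dict[str, bytes]) -> dict[str, str]:
    """Apply the policy to every attachment of a message."""
    return {name: gateway_decision(data) for name, data in attachments.items()}


if __name__ == "__main__":
    message = {
        "readme.txt": b"plain text body, constructed sample",
        "report.zip": make_zip("report.txt", b"constructed sample"),
        "backup.tar.gz": make_tar_gz("notes.txt", b"constructed sample"),
        "broken.tar.gz": make_tar_gz("notes.txt", b"constructed sample")[:20],
    }
    for name, verdict in triage(message).items():
        print(f"{name:16s} -> {verdict}")
```

The decision function never answers "clean" for an archive it could not open; the tar.gz, the truncated gzip and the rar/7z cases all land in the same quarantine bucket, which is the behaviour the quoted paragraph says a competent gateway scanner should offer as an option.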

