
Re: AntiVirus for sendmail



Still reading all replies to this thread, and I will reply in one E-mail to
thank each of you for the time you've spent on this. I've also read through
the archive and searched (of course - I'm not a bastard). I just wanted some
first-hand opinions, too.

I agree that Outlook has some really bad security problems. Problems with
executing code, which should have been fixed years ago. I say "should have",
because Microsoft appears to have addressed the same issues several times,
and Outlook + Express STILL execute code, and/or people find different
exploits.

I will say that Outlook is significantly better now than OE. This is mainly
because Outlook by default denies access to potentially dangerous files
(.inf .reg - you know the drill). However, I have more than once received
files from companies to unlock their trial software in the form of unzipped
.inf and .reg patches, and had a hell of a time getting past this Outlook
protection. In-the-field experience tells me that OE readily gets infected
by many more viruses than Outlook, and in terms of security I don't really
trust any Windows clients.

Nevertheless, Outlook is the chosen client for many of my customers. On my
own system, I use F-Secure AntiVirus, which I find excellent and in a small
town I was one of only a handful who didn't get the Bugbear virus on
October 1st 2002. Other clients who had Norton, VET, and McAfee had their
virus checkers disabled by the virus because they had received the virus
before sig updates had downloaded. Norton was the worst affected. McAfee was
only partially broken, but left ineffective. AVG (free virus checker) and PC
Cillin appeared to be unbroken (these account for only 2-3% of clients,
however, so it's not a good guideline).

So, yes, I agree with you. However, I would not even trust any Windows
E-mail client, and instead am opting for several levels of AV protection;
one at the server/gateway, and the F-Secure distributed AV on my existing
Windows network, with the interest of trialling solutions which may be
suitable for clients after being burnt in.

Only some clients can be coaxed away from Outlook, others will not be
coaxed. And personally I don't like Outlook. I would like to see Microsoft
and *many other companies* held more accountable for their coding! It seems
one can get away with anything if one has enough disclaimers ("DISCLAIMER:
This car may crash into objects for no apparent reason, brakes may fail -
This Car Company cannot be held accountable for said imperfections" e.g.).
However, a multi-level AV solution may be acceptable if costs can be kept
down.

Yes, AV on one Windows system will check attachments and will work most
times. But 2 or even 3 levels of AV will be more effective in the cases
where it fails. I have the same mentality with firewalls. You can protect
your entire network with a really good firewall, and not worry about
security on workstations behind that firewall, but would you? I would prefer
to have client workstations locked down a fair amount as well. Finally,
viruses are becoming much more sophisticated, and they will continue to do
so. I would prefer to over-protect rather than under.

orph


> Let's recall too, that there are no "EMail viruses."
> There are "Outlook Viruses."
>
> This was key when clients complained that they had to spend $5,000
> to protect their email.  Eudora doesn't execute code for you; nor
> Mozilla, PINE or Mutt.  Outbreak will rummage through badly broken
> MIME, seek out and run code that other clients don't even see as
> attachments.  Plus, Outlook will sometimes use an MS Proprietary
> attachment type that changes depending on version-du-jour.  Good
> luck seeing some of those - they slip through anything that looks
> for MIME and uuencoded stuff.
>
> So if you have 1 Windows machine, you need AV for that anyway.
> If it can check all incoming mail attachments (hooking into the
> mail client perhaps), then you should be set.
>
> You want to look for something that can get updated IMMEDIATELY,
> and that's where the McAfee and Trend tools were worth paying
> for at companies.  I've used the Sendmail MILTER versions of those,
> but Sendmail (Inc) only supports a couple OSs.