Educause Security Discussion mailing list archives
antivirus products
From: robin <mstubbs () FACSTAFF WISC EDU>
Date: Wed, 1 Aug 2007 11:15:48 -0500
Speaking of antivirus products, does anyone know of a product that they are certain can detect web-based issues under the circumstances that the traffic comes to the PC via SSL? This is an issue with: email (POP, IMAP, web) protocols using Thunderbird and Outlook, and web browsing using Firefox and IE. This means that the product has to have knowledge of these applications to be able to insert itself in the loop after decryption and before sending it to some potentially vulnerable client, and the ability to identify an exploit/virus that is not in a discrete file in the file system, e.g. in memory or in cache. Or it has to rig up some on-machine proxy in the loop.

I am aware of the Thunderbird feature to spool email files (in the case of POP only) to the filesystem for the purpose of enticing reluctant antivirus programs to look at that content ("Allow antivirus programs to quarantine individual incoming messages"). But does it work if the POP was downloaded via SSL, i.e., is it spooling decrypted content? Even if it did, it is such a limited solution (Thunderbird POP only).

A product this institution uses can scan Outlook using Exchange as the web server, but they do not provide an Exchange email interface to their mail servers. All email is sent to and from the servers using SSL.

I would be interested if people found an antivirus product that was actually detecting exploits/viruses in the case of non-SSL web traffic also. I find that the typical antivirus product waits for individual files to be created in the file system, and for whatever reason that doesn't work, either because the virus can foil the signatures and/or because by that time the virus has disabled the antivirus program and has put holes in the on-machine firewall. (Yes, there is server-side malware scanning, but much can evade its signatures or is put in the junk folder labeled as spam, where the users can still get into it. There's only so much (not that much :-) server-side signatures can do.)