Full Disclosure mailing list archives

Re: Multiple AV Vendors ignoring tar.gz archives


From: James Eaton-Lee <james.mailing () gmail com>
Date: Sun, 06 Feb 2005 16:15:59 +0000

On Sun, 2005-02-06 at 17:51 +1300, Nick FitzGerald wrote:
> Did you miss the part of my message where I wrote:
>
>    Well, OK -- in a gateway scanner it is likely to be a terrible flaw.
>    Any vaguely competent gateway scanner should have basic knowledge of
>    all archive formats and should have an option to quarantine all
>    messages with archives in the formats it cannot unpack and inspect.
>    Sadly, most gateway scanners are not designed this way.  It is the
>    job of a gateway scanner to not let anything "dangerous" in and if
>    you cannot tell what something is, prudence says you keep it out, or
>    at least set it aside for more expert inspection.
>
> Didn't that make you think I may have had an idea or two about the
> border/inside distinction?

Not really - the crux of my argument is that you aren't applying what I
believe to be the correct weighting between border and client-based
scanning - you initially said in your initial message:

"Worse however, is the implication that missing unpacking abilities for 
some modestly common archive type is a terrible flaw in a scanner."

You then add 'Well, OK -- in a gateway scanner it is..' as an
afterthought - skipping down to the bottom of your message (and ignoring
the two jibes you make at my inability to understand and/or bother to
read your message, both of which were misspelt):

> BUT you have still missed the flaming obvious -- a desktop scanner does
> not have to detect malware inside an archive.  As such, the malware is
> neutered.

Actually, I specifically addressed this - perhaps you're guilty of not
reading my message:

"Bearing all of these factors in mind, and also factoring the growing
reliability of SMEs on third-party and centralised antivirus scanning
for their mail (from external service providers via MX routing, and via
e-mail servers which aren't exchange which incorporate antivirus
scanning simply by calling the antivirus software on the server
itself),"

For many SMEs, the distinction is irrelevant, as a significant number of
e-mail servers do *NOT* incorporate antivirus software designed with
gateway scanning in mind - they run desktop scanning tools on e-mail;
thus, for many companies, the distinction between 'gateway' and
'desktop' antivirus software is both, since one scanning engine and set
of definitions play the same role. 

To make it painfully obvious:

i) obviously, the ability to scan exotic archive types isn't a huge
issue in desktop scanners where there is a separate gateway scanner at
work. I didn't make myself quite clear enough on this point.

ii) point i is somewhat irrelevant for a) SMEs who don't employ separate
gateway scanners and/or use - essentially - a CLI interface to the
scanning engine for both purposes.

iii) client machines (in all enterprises) are, *to an extent* an unknown
quantity and *should not be relied upon* for virus scanning and
intrusion prevention; I don't think you disagreed with me here.

You also miss an important point, by assuming that antivirus software is
solely in place in order to prevent workstations from being infected -
at no point did I even implicitly state that this hole was likely to
cause the infection of thousands of hosts on a network. Antivirus
technology is something which even non-technical office staff are very
much aware of, and they base many aspects of their work on assumptions
such as the fact that if an antivirus scanner has not detected 'a virus'
in a file they have sent/downloaded/copied, that it is safe - although
they may not be at risk from a virus in an archive file that their
antivirus software does not detect, other people may. 

Harking back to SMEs, who seem to be at the focus of most of the points
that I've made, it's quite possible that the inability to scan an
archive file could be extremely damaging to a business's reputation when
forwarded to a partner or customer - since you're obviously sure of your
positions on these issues, I shouldn't have to remind you that antivirus
software isn't about being theoretically perfect, it's about preventing
business loss.

Antivirus software is deployed based on many sets of assumptions.
Failure to live up to these assumptions is generally what causes the
most damage to businesses as protection they thought they had in place
fails - this issue is something which falls into this category;
antivirus software is, in the majority of SMEs, implemented by staff
without extensive experience in antivirus software, and they are highly
unlikely to be aware of issues such as this one (especially since in
most antivirus software, the option is given to 'scan archive files',
not 'scan archive files apart from the ones we don't understand') - not
a serious issue, but definitely a significant one, and one which should
be fixed upstream by antivirus vendors.

regards,

 - James.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
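
The fail-closed gateway behaviour argued for in this thread (quarantine any archive the scanner recognises but cannot unpack, rather than passing it as clean), as an added example that is not part of the original message or any vendor's code. The function names, the `scan` callback and the depth and size limits are assumptions made for illustration.

```python
import gzip, io, tarfile, zipfile, zlib

MAX_DEPTH, MAX_BYTES = 4, 10_000_000  # assumed limits; tune per deployment
MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"BZh": "bzip2",
         b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}

def identify(data):
    """Name the container format from magic bytes; None means a plain file."""
    hits = [kind for magic, kind in MAGIC.items() if data.startswith(magic)]
    return hits[0] if hits else ("tar" if data[257:262] == b"ustar" else None)

def leaves(data, depth=0):
    """Yield every non-archive payload; raise if any layer cannot be opened."""
    kind = identify(data)
    if kind is None:
        yield data
    elif depth >= MAX_DEPTH:
        raise ValueError("archive nesting too deep to inspect")
    elif kind == "gzip":
        d = zlib.decompressobj(wbits=31)  # wbits=31 selects the gzip wrapper
        out = d.decompress(data, MAX_BYTES + 1)
        if len(out) > MAX_BYTES or not d.eof or d.unused_data:
            raise ValueError("gzip oversized, truncated or multi-member")
        yield from leaves(out, depth + 1)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            for m in filter(tarfile.TarInfo.isfile, t):
                yield from leaves(t.extractfile(m).read(), depth + 1)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                yield from leaves(z.read(name), depth + 1)
    else:
        raise ValueError(f"recognised {kind} archive, but no unpacker for it")

def gateway_verdict(data, scan):
    """Return 'deliver', 'block' (scan hit) or 'quarantine' (not inspectable)."""
    try:
        payloads = list(leaves(data))
    except Exception:  # fail closed: any unpacking failure means unscanned content
        return "quarantine"
    return "block" if any(scan(p) for p in payloads) else "deliver"

def sample_tgz(payload):
    """Constructed sample input: a .tar.gz holding one file with `payload`."""
    buf, info = io.BytesIO(), tarfile.TarInfo("note.txt")
    info.size = len(payload)
    with tarfile.open(fileobj=buf, mode="w") as t:
        t.addfile(info, io.BytesIO(payload))
    return gzip.compress(buf.getvalue())
```

Here `scan` stands in for whatever engine the mail server calls on each unpacked payload; the point is the third verdict, which keeps "could not look inside" distinct from "looked and found nothing".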

