On Fri, 09 Apr 2004 09:05:04 -0500 Jeff Nelson <stutterstutt at comcast.net> wrote: > I don't get this reasoning. Yes, executables carry viruses. But how > is it a good idea to tell people to use a back door communication > mechanism that subverts the virus scanners? How do you ensure that > the ftp dropbox doesn't contain infected files? Not FTP, but very controlled upload/download over SSL with authentication that I control. And no, I cannot guaruntee that they don't upload or download an infected file, that would be the job of their client scanner, or I could easily add scanning of uploaded files with ClamAV as well, which I probably should now that I think of it. So actually I could guaruntee that they don't upload infected files. > Second, there are more than just .exe and .zip executables to worry > about. Your users (and virus writers) are eventually going to figure > this out, so sooner or later you'll have to extend your filter to > exclude more file types. For example, WinZip supports .arj and .tar > archive formats. These aren't as popular as .zip, so they aren't > used as much, but I wouldn't be surprised to see virus payloads > being vectored through these file types, because WinZip will > automatically recognize them. Yeah, which is why after the blocking at the SMTP level, it still goes to the virus scanner to look for .BAT, .VBS, etc. I would have no problem blocking .tar, .bz2, .z, .rar whatever. My arguement is that most Outlook users don't send this stuff around intentionally, those who actually know what bunzip2 is will probably have shell access. > Finally, as for the benefit of "significantly reducing the load on > your AV," it seems to me that this is a false economy. The point of > the scanner is to detect viruses. What's the cost if one gets > through the back door channel? Certainly it is, which is why I still use it, but if the MTA can reject before even bring the AV into the picture, why not? Especially given that the virus scanner I use ClamAV + Qmail-Scanner does not exactly have the greatest track record with security (frequent releases, buggy perl programming) whereas the MTA (qmail) is extremely secure. I still use the virus scanner, and based on this conversation I have added additional scanning to all uploaded files in my "back door channel". > Can you explain more why this is a good idea? I'd really like to > understand. HTH. Josh _______________________________________________ TCLUG Mailing List - Minneapolis/St. Paul, Minnesota http://www.mn-linux.org tclug-list at mn-linux.org https://mailman.real-time.com/mailman/listinfo/tclug-list