Home page logo

educause logo Educause Security Discussion mailing list archives

antivirus products
From: robin <mstubbs () FACSTAFF WISC EDU>
Date: Wed, 1 Aug 2007 11:15:48 -0500

Speaking of antivirus products, does anyone know of a product that they are certain can
detect web based issues under the circumstances that the traffic comes to the pc via
ssl? This is an issue with:
email (pop,imap,web) protocols using thunderbird and outlook
and web browsing using firefox and IE.

This means that the product has to have knowledge of these applications to be able
to insert itself in the loop after decryption and before sending it to some potentially
vulnerable client and the ability to identify an exploit/virus that is not in a discrete
file in the file system, eg in memory or in cache. Or it has to rig up some on-machine
proxy in the loop.
I am aware of the thunderbird feature to spool email files (in the case of POP only) to the
filesystem for the purpose of enticing reluctant antivirus programs to look at that
content. (Allow antivirus programs to quarantine individual incoming messages). But does
it work if the pop was downloaded via ssl, ie, is it spooling decrypted
content? Even if it did it is such a limited solution (thunderbird pop only). A product
this institution uses can scan outlook using exchange as the web server but they do not
provide an exchange email interface to their mail servers. All email is sent to and from
the servers using ssl.

I would be interested if people found an antivirus product that was actually detecting
exploits/viri in the case of non-ssl web traffic also. I find that the typical antivirus
product waits for individual files to be created in the file system and for whatever
reason that doesn't work, either because the virus can foil the signatures and/or because
by that time the virus has disabled the antivirus program and has put holes in the on-machine
(yes there is server side malware scanning but much can evade its signatures or is
put in the junk folder labeled as spam where the users can still get into it. There's only
so much (not that much :-) server side signatures can do.)

  By Date           By Thread  

Current thread:
  • antivirus products robin (Aug 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]