Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Multiple AV Vendors ignoring tar.gz archives
From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 07 Feb 2005 15:32:20 -0500

James Eaton-Lee wrote:

For many SMEs, the distinction is irrelevant, as a significant number of
e-mail servers do *NOT* incorporate antivirus software designed with
gateway scanning in mind - they run desktop scanning tools on e-mail;
thus, for many companies, the distinction between 'gateway' and
'desktop' antivirus software is both, since one scanning engine and set
of definitions play the same role.
I think that the distinction that Nick was making was that any AV that is intended to do gateway scanning should implement this, which is implied by his whole "gateway scanners may have a problem with this..." point. If corporations are using desktop scanners as gateway scanners, then they're misusing the product. I could try to tow 3 tons of bricks with my little Honda Civic, but would it be Honda's fault if my engine gave out? I'd be misusing the product. 'nuff said.

Antivirus technology is something which even non-technical office staff are very
much aware of, and they base many aspects of their work on assumptions
such as the fact that if an antivirus scanner has not detected 'a virus'
in a file they have sent/downloaded/copied, that it is safe - although
they may not be at risk from a virus in an archive file that their
antivirus software does not detect, other people may.
Well, this is largely a perception problem. People think that a clean scan means that something is safe and that's wrong. It's not just wrong in AV, it's wrong in all security analysis issues. It's wrong in IDS. It's wrong in forensics. It's wrong in pen-testing.

What the outcome really means is, literally, that nothing that the product was designed to detect was detected. It means nothing more and nothing less.

However, people turn that into "the coast is clear" because people don't want to live in a constant state of paranoia and fear. By their nature, security and usefulness have to be balanced, at least in this way.

However, this all comes down to one point: If the AV can detect the malware uncompressed, but can't detect it compressed, then there's no problem. The malware has to be decompressed to be dangerous. That was Nick's point and it's 100% correct.
IF your AV software is functioning normally.
IF your AV software has proper real-time detection capabilities.
IF your AV is properly setup and scans the programs you run at the time they're read from the HD.
IF your AV will detect the malware uncompressed.

Then, as should be true for the vast majority of situations out there, the malware will be caught as it's being extracted from the archive. Or, barring detection on writes, when it's being executed in the first place.

If the problem you're pointing out is that SMEs are carrying out cost-cutting by not putting AV on their workstations and blindly relying on gateway scanning, then that SME has a much bigger set of problems than not having compressed tarball support on their gateway scanner, and their cost-cutting is ultimately going to cost them.

That SME has made a grave mistake and hopefully they'll learn their lesson.

Harking back to SMEs, who seem to be at the focus of most of the points
that I've made, it's quite possible that the inability to scan an
archive file could be extremely damaging to a business's reputation when
forwarded to a partner or customer

In what situation can you imagine where a person blindly forwards compressed (unscanned) content to a business partner?

Again, this can only be because of cost-cutting issues at the SME or laziness on the part of the SME's employee. Again, the problem is not the issue of the AV, but rather the fault of the SME for not being more careful.

- since you're obviously sure of your
positions on these issues, I shouldn't have to remind you that antivirus
software isn't about being theoretically perfect, it's about preventing
business loss.
This is the wrong way to think about it.

The goal of antivirus is, plainly said, to detect and block malware from running.

Preventing business loss is a side-effect of this. There are many reasons for keeping malware off of systems, business benefit is only one of them.

A hammer is a hammer. Its sole intent is to bash things (and, possibly, pry them out). It can be used to build houses, but it is not a house-builder.

Antivirus software is deployed based on many sets of assumptions.
Failure to live up to these assumptions is generally what causes the
most damage to businesses as protection they thought they had in place
fails - this issue is something which falls into this category;
antivirus software is, in the majority of SMEs, implemented by staff
without extensive experience in antivirus software, and they are highly
unlikely to be aware of issues such as this one (especially since in
most antivirus software, the option is given to 'scan archive files',
not 'scan archive files apart from the ones we don't understand') - not
a serious issue, but definitely a significant one, and one which should
be fixed upstream by antivirus vendors.

It is expressly impossible to determine what the uneducated, untrained, and willfully incapable of reading documentation will do when left to their own devices.

User-friendly software tries to cater to these users, by making things as simple as possible, but that does not mean that all of these conditions can be predicted. I'm very much in agreement that AV programs should support compressed tarballs and other archival formats. However, any organization that is bitten by this relatively small flaw will be bitten because they lack common sense.

The OEMs out there, along with the AV companies for obviously self-serving reasons, have gone a long way towards trying to spread the word that virus protection should be on all clients out there. This is not an arcane planning issue like, say, properly implementing an IDS. It's a common sense, best practices, no BS doctrine.

And there are no excuses for an organization that purposefully puts themselves into a position where a minor defect like this can harm their business.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]