ietf-asrg

Re: [Asrg] DCC and IP checksums

2003-03-14 07:03:53
On Fri, 14 Mar 2003 00:39:03 PST, william(_at_)elan(_dot_)net said:

> Additional thoughts on the issues included on how to verify that email is
> "virus free" and has been checked by anti-virus by the sender by using
> special certificate generated (automatically) by antivirus based on content
> of email (simple hash) and based on its own certificate - that anti-virus
> certificate can of course be checked on antivirus website, so it creates
> fairly good trust system.

Just remember that this check done *by the sender* is close to useless:

1) As written, it doesn't contain any verification that a *current* template
of signatures was used - I've actually gotten mail that was stamped "this
mail certified virus-free by LlamaWare 1.2" and contained a virus anyhow,
because its signature database was *literally* 2.5 years out of date.

2) Either the sending system has a virus, or it doesn't.  If it doesn't,
it doesn't matter if it got scanned.  If it does, I have no guarantee that
said scanner hasn't been fooled by a rootkit.

3) Now imagine a virus that injects itself and then forges a "virus free"
signature for itself (remember - if the virus scanner has enough info to
generate a cert, any malware that gets loose on that machine has enough info
to forge the same cert).

Now, to be fair, the outdated signature issue and the rootkit issue both
*DO* also apply at the local end.  On the other hand,  the local end is
under my control (well.. OK.. the guy in the next cube over ;) so I can
make informed decisions regarding whether to trust its opinions...
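
The objections above can be seen from the receiver's side in a short added example (not part of the original message, nor code from any scheme proposed on the list). It assumes an HMAC under a key stored on the sending host as a stand-in for the antivirus certificate; `SCANNER_KEY`, `MAX_DB_AGE_DAYS`, `make_stamp` and `check_stamp` are hypothetical names, and the messages are constructed.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed stand-in for the credential the scanner keeps on the sending host.
SCANNER_KEY = b"constructed-demo-key"
MAX_DB_AGE_DAYS = 7  # assumed receiver policy for signature-database freshness


def _mac(claims: dict, key: bytes) -> str:
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_stamp(body: bytes, db_date: date, key: bytes = SCANNER_KEY) -> dict:
    """Sender-side stamp: content hash plus signature-database date, then a MAC."""
    claims = {"sha256": hashlib.sha256(body).hexdigest(), "db_date": db_date.isoformat()}
    return {**claims, "mac": _mac(claims, key)}


def check_stamp(body: bytes, stamp: dict, today: date, key: bytes = SCANNER_KEY) -> str:
    """Receiver-side check of everything the stamp can actually prove."""
    claims = {"sha256": stamp.get("sha256", ""), "db_date": stamp.get("db_date", "")}
    if not hmac.compare_digest(_mac(claims, key), stamp.get("mac", "")):
        return "bad-mac"
    if claims["sha256"] != hashlib.sha256(body).hexdigest():
        return "wrong-body"
    try:
        age = (today - date.fromisoformat(claims["db_date"])).days
    except ValueError:
        return "bad-date"
    return "stale-db" if age > MAX_DB_AGE_DAYS else "accepted"


def demo() -> dict:
    today = date(2003, 3, 14)
    clean = b"Hello, see you Monday."
    infected = b"Hello. [constructed placeholder standing in for an infected attachment]"
    return {
        "honest_scan": check_stamp(clean, make_stamp(clean, today), today),
        # Objection 1 is only caught because this stamp carries db_date at all.
        "stale_db": check_stamp(clean, make_stamp(clean, date(2000, 9, 14)), today),
        "body_swapped": check_stamp(infected, make_stamp(clean, today), today),
        # Objection 3: any process on the sender that can read SCANNER_KEY runs
        # the same routine, and the receiver cannot tell the results apart.
        "stamped_by_other_process": check_stamp(infected, make_stamp(infected, today), today),
    }
```

The last case returns the same verdict as the honest scan: the stamp proves possession of the key on the sending host, not that a trustworthy scan took place there.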
