> On Fri, 14 Mar 2003 00:39:03 PST, william(_at_)elan(_dot_)net said:
> > Additional thoughts on the issues included on how to verify that email is
> > "virus free" and has been checked by anti-virus by the sender by using
> > special certificate generated (automatically) by antivirus based on content
> > of email (simple hash) and based on its own certificate - that anti-virus
> > certificate can of course be checked on antivirus website, so it creates
> > fairly good trust system.
> Just remember that this check done *by the sender* is close to useless:
> 1) As written, it doesn't contain any verification that a *current* template
> of signatures was used - I've actually gotten mail that was stamped "this
> mail certified virus-free by LlamaWare 1.2" and contained a virus anyhow,
> because its signature database was *literally* 2.5 years out of date.
The certificate included with the email has the antivirus
certificate as a parent (the antivirus program signs the certificate, which
itself is signed by the antivirus vendor). In order to "fake" it the virus would
have to be really smart and have debugged code for that particular antivirus to
find how to do it. It would also assume that a new certificate is issued by the
antivirus vendor every time you download an updated list of virus definitions
- and in fact the certificate is used to verify that the downloaded list of
virus definitions is truly from the antivirus vendor.
> 2) Either the sending system has a virus, or it doesn't. If it doesn't,
> it doesn't matter if it got scanned. If it does, I have no guarantee that
> said scanner hasn't been fooled by a rootkit.
I agree with you. As I said in the beginning, none of my notes offer
complete solutions, but I examine techniques available - write pros &
cons and mark the ones that offer the most possibility of success.
The system above combined with checking emails on the receiving end (and
sending only a link to a suspicious attachment) offers a very good chance
of never letting a virus be delivered even if the client does not have an antivirus
program (though it would still be recommended that they do).
> 3) Now imagine a virus that injects itself and then forges a "virus free"
> signature for itself (remember - if the virus scanner has enough info to
> generate a cert, any malware that gets loose on that machine has enough info
> to forge the same cert).
The virus has to be very, very smart to be able to do this and would have to
know how to generate signatures for each version of antivirus program and
each antivirus program a user may have.
> Now, to be fair, the outdated signature issue and the rootkit issue both
> *DO* also apply at the local end. On the other hand, the local end is
> under my control (well.. OK.. the guy in the next cube over ;) so I can
> make informed decisions regarding whether to trust its opinions...
The signature has less trust built into it than scanning locally. But
it helps nevertheless for those who do not have an antivirus installed.
People should still buy and install antiviruses so that they can scan
incoming email and also scan and sign outgoing email as well.
--
William Leibzon
Elan Communications Inc.
william(_at_)elan(_dot_)net
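The stamp scheme debated in this thread, written out as an added example that is not from either poster or from any antivirus vendor: the vendor's key signs a per-installation scanner key (the "parent certificate"), the scanner signs the SHA-256 hash of the message it scanned together with the date of the definitions it used, and the receiver checks the chain, checks that the stamp covers the body it actually received, and rejects stamps made with definitions older than it will tolerate, which is the check objection 1 asks for. The type and function names (ScannerCert, Stamp, IssueScannerCert, StampMessage, VerifyStamp, NewKeyPair), the Ed25519 keys and the byte layouts are assumptions for illustration. What the receiver cannot learn from such a stamp is whether the scanner's key was used by the scanner or by something else running with its privileges on the sending machine, which is objections 2 and 3.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors so a receiver can react differently to each failure.
var (
	ErrBadChain     = errors.New("scanner certificate is not signed by the expected vendor key")
	ErrBadStamp     = errors.New("stamp signature does not verify under the scanner key")
	ErrHashMismatch = errors.New("stamp does not cover this message body")
	ErrStaleDefs    = errors.New("definitions used for the scan are older than the allowed age")
)

// ScannerCert is the hypothetical per-installation credential: the vendor's key
// signs the scanner's public key together with the product name.
type ScannerCert struct {
	Product    string
	ScannerPub ed25519.PublicKey
	VendorSig  []byte // vendor signature over certTBS(Product, ScannerPub)
}

// Stamp is what the sending scanner attaches to an outgoing message.
type Stamp struct {
	BodyHash   [sha256.Size]byte
	DefsDate   time.Time // date of the definition set the scan was run with
	Cert       ScannerCert
	ScannerSig []byte // scanner signature over stampTBS(BodyHash, DefsDate)
}

// certTBS and stampTBS are the to-be-signed byte layouts (assumed, not a real format).
func certTBS(product string, pub ed25519.PublicKey) []byte {
	return append([]byte(product+"\x00"), pub...)
}

func stampTBS(h [sha256.Size]byte, defs time.Time) []byte {
	return append(h[:], defs.UTC().Format(time.RFC3339)...)
}

// NewKeyPair generates an Ed25519 key pair; panics only if the OS RNG fails.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueScannerCert is the vendor-side step: sign a fresh scanner key at install time.
func IssueScannerCert(vendorPriv ed25519.PrivateKey, product string) (ScannerCert, ed25519.PrivateKey) {
	pub, priv := NewKeyPair()
	sig := ed25519.Sign(vendorPriv, certTBS(product, pub))
	return ScannerCert{Product: product, ScannerPub: pub, VendorSig: sig}, priv
}

// StampMessage is the sender-side step: hash the scanned body and sign it with the defs date.
func StampMessage(cert ScannerCert, scannerPriv ed25519.PrivateKey, body []byte, defsDate time.Time) Stamp {
	h := sha256.Sum256(body)
	sig := ed25519.Sign(scannerPriv, stampTBS(h, defsDate))
	return Stamp{BodyHash: h, DefsDate: defsDate, Cert: cert, ScannerSig: sig}
}

// VerifyStamp is the receiver-side check: chain to the vendor key, stamp over the
// received body, and definitions no older than maxDefsAge relative to now.
func VerifyStamp(vendorPub ed25519.PublicKey, s Stamp, body []byte, now time.Time, maxDefsAge time.Duration) error {
	// Length check first: ed25519.Verify panics on a malformed public key.
	if len(s.Cert.ScannerPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(vendorPub, certTBS(s.Cert.Product, s.Cert.ScannerPub), s.Cert.VendorSig) {
		return ErrBadChain
	}
	if !ed25519.Verify(s.Cert.ScannerPub, stampTBS(s.BodyHash, s.DefsDate), s.ScannerSig) {
		return ErrBadStamp
	}
	if sha256.Sum256(body) != s.BodyHash {
		return ErrHashMismatch
	}
	if now.Sub(s.DefsDate) > maxDefsAge {
		return fmt.Errorf("%w: definitions dated %s", ErrStaleDefs, s.DefsDate.UTC().Format("2006-01-02"))
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := NewKeyPair()
	cert, scannerPriv := IssueScannerCert(vendorPriv, "ExampleAV 1.0 (constructed)")
	body := []byte("Subject: hello\r\n\r\nconstructed sample message\r\n") // constructed input
	now := time.Date(2003, 3, 14, 0, 0, 0, 0, time.UTC)
	week := 7 * 24 * time.Hour
	fresh := StampMessage(cert, scannerPriv, body, now.Add(-24*time.Hour))
	stale := StampMessage(cert, scannerPriv, body, now.AddDate(-2, -6, 0)) // 2.5-year-old definitions
	fmt.Println("fresh stamp:", VerifyStamp(vendorPub, fresh, body, now, week))
	fmt.Println("stale stamp:", VerifyStamp(vendorPub, stale, body, now, week))
}
```

The freshness window is the receiver's policy, not the sender's: a stamp whose definitions date is older than the receiver tolerates is treated as no stamp at all, which is the only way the receiver can act on objection 1 without trusting the sender's update discipline.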
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg