[lug] Linux Virus Firewall

rm at mamma.varadinet.de
Fri Jun 23 15:55:43 MDT 2000


On Fri, Jun 23, 2000 at 02:34:00PM -0700, Glenn Ashton wrote:
> 
>>[...]
> 
> The need for Outlook, like all needs for end-user software is based on
> management.  If I could give everyone something different I would.

I know this too well. The one customer for whom I did set up the Linux
mail server actually only uses it because he spent such a lot of
money on the product that he can't 'afford' to just throw it out ...

> > I personally don't think that virus scanners on the gateway MTA
> > are worth spending much time. A vew thoughts about this:
> 
> I agree in part.  If you simply could filter attachments and send the
> mail containing them to a Linux "dead letter" office and open them from
> the safety of a Linux box that would save of lot of headaches.  Forward a
> message to the admin and the end user that questionable mail has been
> interepted and placed on a "safe system".

The problem here is the detection of 'bad' attachments. Once they
are PGP-encrypted there's little your filter can do.
BTW, of course there are several Linux solutions that do what you
want to do: 

 the last thing I had in my hands was a tool called 'mimedefang'
 (ah, here it is, it's a Perl program that can be installed as
  a sendmail 'milter' (you need a newer version of sendmail for
  this, but this is a good idea anyway)). You should find it on
  freshmeat. If not I can try to find the URL--it's not in the
  readme file.

 There's also a software package from some German programmer
 (I forgot the name, sorry) that attempts to do the same. I
 wasn't too impressed with it but you might have a look at it
 too.

 Sophos Antivirus offers a virus scanner (not a 'malicious code'
 scanner) that can be wrapped in an email filter.

 BTW, some of these tools DO alter the contents of the mail,
 imho a big no-no. This will definitely break all sorts of
 digital signatures.

> > The best place to detect malicious code is the machine that's 
> > about to execute it. I've seen pretty good sandbox systems
> > running under WinOS for a decent price.
> 
> Yep, and in an ideal world I wouldn't have any Outlook in my environment.
> The key thing is that even with updated Antivirus stuff, users will open
> attachments.  Even when they know better.  

The nice thing about the sandbox approach is that you can install
the software so that normal users can't switch it off :-)
BTW, the sandboxes I saw weren't virus scanners. What they do is
the following: mark any data that is saved from some insecure source
(e.g. web or mail) as 'dirty'. Whenever a user program touches this
'dirty' data some system functions (e.g. saving, modification of the
registry etc.) will be disabled. This is somewhat similar to the
Java sandbox approach.


> No matter how hard you educate users, it just doesn't take sometimes.
> Using a cattle prod is probably not acceptable either.

Too bad, somehow I think this _would_ work (well, it does: after
ILOVEYOU most Win-users I know were very cautious. For about one week :-/ )

> I was just trying to see if anyone had tried something like this to shield
> a Windows environment from the evils of Windows viruses using the power of
> Linux.

Yes, as I said, I do use a Linux box with a scanner, but ILOVEYOU went
through it ...

> Some of us have to use Linux where we can and still have to suffer in the
> Windows world.

You're not alone :-)

 Ralf
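
An added example (not part of Ralf's post, and not code from mimedefang
or any other tool he mentions) showing the "dead letter office" idea from
the thread in working form: a gateway-side triage step that looks at
attachment names, holds anything Windows would execute on a double-click,
refuses to guess about PGP/MIME-encrypted mail, and never rewrites the
original bytes, so signatures over the message survive. The extension
list, the example.invalid addresses and all three sample messages are
constructed for the example; the worm-style sample only borrows the
ILOVEYOU filename pattern and contains no real script. Standard library
only, Python 3.

```python
# Added example, not from the original post: attachment triage for a
# Linux mail gateway.  RISKY_EXTENSIONS and the sample messages are
# hypothetical/constructed; nothing here is a real virus.
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# Extensions a Windows mail client will execute when double-clicked.
# Hypothetical site policy; extend to taste.
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                    ".vbs", ".js", ".hta"}


def risky_parts(msg):
    """Return (filename, content_type) for every attachment the policy flags.

    Only the final extension counts, so 'LOVE-LETTER-FOR-YOU.TXT.vbs' is
    caught by '.vbs' even though a client hiding known extensions shows
    it as a .TXT file.
    """
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            flagged.append((name, part.get_content_type()))
    return flagged


def triage(raw):
    """Classify one raw RFC 2822 message (bytes) without modifying it.

    Returns (verdict, flagged_parts) where verdict is:
      'opaque'     - PGP/MIME encrypted; the gateway cannot see inside
      'quarantine' - carries an attachment the policy flags
      'deliver'    - nothing flagged
    The caller files the untouched bytes; we never rewrite them.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        return "opaque", []
    flagged = risky_parts(msg)
    return ("quarantine" if flagged else "deliver"), flagged


def quarantine_id(raw):
    """SHA-256 of the unmodified message; also proves the held copy is intact."""
    return hashlib.sha256(raw).hexdigest()


def notice(raw, flagged, admin, recipient):
    """Build the note sent to admin and user when a message is held."""
    original = email.message_from_bytes(raw, policy=policy.default)
    digest = quarantine_id(raw)
    n = EmailMessage()
    n["From"] = admin
    n["To"] = f"{recipient}, {admin}"
    n["Subject"] = "Mail held on quarantine host"
    n.set_content(
        f"A message from {original['From']} with subject "
        f"{original['Subject']!r} was intercepted.\n"
        f"Flagged parts: {', '.join(name for name, _ in flagged)}\n"
        f"Quarantine id (sha256 of original): {digest}\n"
        "Open it only on the quarantine host, never on a Windows client.\n"
    )
    return n, digest


def _sample(filename, payload, maintype, subtype):
    """Construct a sample message with one attachment (test data only)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "ILOVEYOU"
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(payload, maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()


SAMPLE_WORM = _sample("LOVE-LETTER-FOR-YOU.TXT.vbs",
                      b"' constructed placeholder, not a real script\r\n",
                      "application", "octet-stream")
SAMPLE_CLEAN = _sample("report.pdf", b"%PDF-1.4 constructed placeholder",
                       "application", "pdf")
# Constructed PGP/MIME shape; the "ciphertext" is a placeholder.
SAMPLE_ENCRYPTED = b"""From: sender@example.invalid
To: user@example.invalid
Subject: private
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="bb"

--bb
Content-Type: application/pgp-encrypted

Version: 1

--bb
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END PGP MESSAGE-----

--bb--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN),
                       ("encrypted", SAMPLE_ENCRYPTED)):
        verdict, flagged = triage(raw)
        print(f"{label:10s} {verdict:11s} {flagged}")
        if verdict == "quarantine":
            n, digest = notice(raw, flagged, "postmaster@example.invalid",
                               "user@example.invalid")
            print(n.get_content())
```

The milter or procmail hook that calls triage() is left to the site; the
point is that the held copy is the original byte string, so a later
signature check on it still passes, and that the encrypted case is
reported as undecidable instead of being waved through as "no attachment
found".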
