Mailing List Archive: ClamAV: users

ArchiveBlockEncrypted.


asa at isac

Nov 23, 2009, 9:28 PM

Post #1 of 7
ArchiveBlockEncrypted.

Dear List,

I was just testing an encrypted file using clamscan. Though it was
password protected, it could scan and tell that it is not infected
with a virus. Then in that case, is it OK to allow encrypted files?

Regards,

Anant Athavale.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


bryan at skiblack

Nov 24, 2009, 6:28 AM

Post #2 of 7
Re: ArchiveBlockEncrypted. [In reply to]

Greetings,

In general terms, I'd say if something can read an encrypted archive
without the password, then the encryption isn't very good. More
likely, ClamAV reads the file without decrypting and doesn't find a
pattern match, so it says it's ok - not the fault of the software, I
wouldn't expect otherwise. A better test would be to take an AV test
file, encrypt it, and run it through. I'll bet ClamAV doesn't find it.

--Bryan

-- Bryan Blackwell --
Unix Systems Engineer
bryan [at] skiblack

On Nov 24, 2009, at 12:28 AM, ANANT S ATHAVALE wrote:

> I was just testing an encrypted file using clamscan. Though it was
> password protected, it could scan and tell that it is not infected
> with a virus. Then in that case, is it OK to allow encrypted files?



asa at isac

Nov 24, 2009, 7:11 PM

Post #3 of 7
Re: ArchiveBlockEncrypted. [In reply to]

Dear Bryan,

Thanks for your inputs. We will take this into account and will tell
management about this.

Regards,
ANANT.


asa at isac

Nov 24, 2009, 7:29 PM

Post #4 of 7
Re: ArchiveBlockEncrypted. [In reply to]

Dear List,

I forgot to add that we still receive mails having PDF files as
attachments, and they are password protected (like bank statements
etc.). Are such files really encrypted, or are they just password
protected? If they are encrypted, how do we block such attachments
also?

Regards,
ANANT.


uhlar at fantomas

Nov 25, 2009, 6:55 AM

Post #5 of 7
Re: ArchiveBlockEncrypted. [In reply to]

On 25.11.09 08:59, ANANT S ATHAVALE wrote:
> I forgot to add that we still receive mails having PDF files as
> attachments, and they are password protected (like bank statements etc.).
> Are such files really encrypted, or are they just password protected? If
> they are encrypted, how do we block such attachments also?

I guess that "password protection" of PDF files is only an issue of the program you
use. If you can view those files, they are not encrypted.

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.


asa at isac

Nov 25, 2009, 7:25 PM

Post #6 of 7
Re: ArchiveBlockEncrypted. [In reply to]

Hi,

The mail received with the PDF file says the file is encrypted and the key
to open it is the first two characters of your name and the first two
digits of your date of birth.

Should we block such mails also, as they may also contain a virus?

Regards,
ANANT.


ged at jubileegroup

Nov 26, 2009, 4:32 AM

Post #7 of 7
Re: ArchiveBlockEncrypted. [In reply to]

Hi there,

On Nov 24, 2009, ANANT S ATHAVALE wrote:

> I was just testing an encrypted file using clamscan. Though it was
> password protected, it could scan and tell that it is not infected
> with a virus.

When Clamav performs a scan and no virus is found, you know only that
a piece of software told you that no virus was found. You do NOT know
that there is no virus in there. You only know that if there is, a
piece of software told you that ClamAV didn't find one.

The reasons for not finding a virus range from there not being one
there to find; to there being one that was not detected; to there
being a fault in the software that tells you there isn't one when
there are in fact three or four; to there being several that were
ignored because of your configuration; to there being a couple of
dozen that were not detected because your freshclam daemon couldn't
establish an Internet connection this morning to update a database.
And probably a couple of other reasons I haven't thought of yet.

It's up to you how you use the information, but you must understand
the difference between "no virus here" and "no virus found here" and
you must in any case decide on how much confidence you place in the
statement when it is made. That is your decision, and not one which
can be made in a vacuum.

> Then in that case, is it OK to allow encrypted files?

That isn't up to me to decide. It's up to you. You need a policy.
You can use ClamAV (and a lot of other tools) to help you implement a
policy, but the policy is what you decide, not what anyone else says
it should be.

> I forgot to add that we still receive mails having PDF files as
> attachments, and they are password protected (like bank statements etc.).

I note you say that they are password protected.

> Are such files really encrypted, or are they just password protected?

You said they were password protected. Without actually seeing them,
I don't know how anyone here can be expected to know whether they are
encrypted, password protected, or made of Swiss cheese. As an aside,
if my bank sent me PDF files containing financial information such as
bank statements by electronic mail then I would find a different bank.

Unfortunately people with no IT background sometimes misuse computers
in very creative ways, and that can result in the unwitting disclosure
of valuable information. I have seen PDF files which were allegedly
protected or encrypted and yet I have had no trouble reading them on
any Linux box running 'xpdf'. Sometimes I've had suppliers think they
were protecting sensitive business information with encryption, when
in fact they were sending it Base64 encoded by email over the public
Internet. People generally have no idea that information encoded that
way may as well be sent in plain text.

> If they are encrypted, how do we block such attachments also?

You still need to decide your policy. If your policy will be to block
"encrypted files" then you have to decide how to specify what you mean
by "encrypted files" and when you receive a file, whether or not _you_
say that it is encrypted. There are many ways to obscure the content
of a file, for example people hide things in image files which are not
the images which are seen when the files are viewed with typical image
viewers. There are many ways to encrypt information, from the simple
substitution ciphers which can be cracked in a few milliseconds on a
ZX81 to the state of the art techniques which using current technology
can't be cracked within the expected lifetime of our planet. One view
would be to say that no file which is not easily readable by your mail
system administrators may be passed through your mail system.

Be aware that if you get a suspicious mail message, you really can't
trust anything in it except the headers that your own server put in.
You especially can't trust things within the message that purport to
tell you things about other parts of the message. It is very common
for malicious mail to contain false statements. These falsehoods are
not limited to things like a box of money found in an abandoned shed,
they can be cleverly constructed to appear to be the work of a famous
software package. If done well, it is practically indistinguishable
from the 'real' thing.

If you wish to strip attachments and permit the covering message to
pass through the filters, MIMEDefang for example can do that. It can
do it whatever the attachments are, and whether they are obfuscated,
encrypted or not. If you prefer, you could also reject such mail.
That would be my choice most often.

ClamAV cannot strip attachments, nor manipulate the mail in any way
except for the odd header, but it can for example tell the MTA to
quarantine mail so that you can look at it later if you have the time.
Don't make work for yourself like that if you don't have to...

On Nov 25 2009, ANANT S ATHAVALE wrote:

> The mail received with PDF file says, the file is encrypted and key to
> open it is first two characters of your name and first two digits of
> your date of birth.

Maybe there's another mail coming soon which asks for the second two
characters of your name, the second two digits of your date of birth,
the last nine digits of your social security number and your mother's
maiden name. You could be treading on very thin ice if you knowingly
permit your systems to be used in this way, but I don't know anything
about the legal framework in which you are working.

> Should we block such mails also as they may also contain virus?

I would. Not knowing your terms of reference makes it difficult to
say what you should do. In your situation, the issue of whether or
not the mail does in fact contain a virus seems to me to be secondary
to making the policy clear. Document it before you do anything else.

--

73,
Ged.
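Ged's point is that a policy to block "encrypted files" first needs a statement of what the mail system counts as encrypted. The following Python classifier is an added example, not code from the thread or from ClamAV: it checks the two cases raised here, a ZIP whose entries carry the encryption flag and a PDF whose trailer names an /Encrypt dictionary, and it shows Bryan's observation that an encrypted archive's file names and sizes stay readable while the contents are opaque. All inputs are constructed in make_samples; the ZIP "encryption" is simulated by setting the flag bit, since the standard library cannot write password-protected archives. ClamAV's own ArchiveBlockEncrypted option (the thread subject) is the built-in way to flag such archives at scan time.

```python
import io
import struct
import zipfile

ZIP_ENCRYPTED_BIT = 0x0001  # ZIP general-purpose flag bit 0: entry is encrypted

def zip_report(data: bytes) -> dict:
    """Scanner's-eye view without the password: names/sizes readable, contents opaque."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"kind": "zip-corrupt", "names": [], "encrypted": [], "readable": []}
    infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & ZIP_ENCRYPTED_BIT]
    readable = []
    for i in infos:
        try:
            zf.read(i.filename)  # RuntimeError when a password is required
            readable.append(i.filename)
        except RuntimeError:
            pass
    return {"kind": "zip-encrypted" if encrypted else "zip-plain",
            "names": [i.filename for i in infos], "encrypted": encrypted, "readable": readable}

def pdf_is_encrypted(data: bytes) -> bool:
    """Password-protected PDFs name an /Encrypt dict in the trailer; string heuristic only."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data

def classify_attachment(data: bytes) -> str:
    """Policy bucket for one attachment body; what to do per bucket is the admin's call."""
    if data.startswith(b"PK\x03\x04"):
        return zip_report(data)["kind"]
    if data.startswith(b"%PDF"):
        return "pdf-encrypted" if pdf_is_encrypted(data) else "pdf-plain"
    return "unknown"

def make_samples() -> dict:
    """Constructed inputs (not real attachments): plain ZIP, flag-patched 'encrypted' ZIP, two PDFs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("statement.txt", b"constructed sample, not a real statement")
    plain_zip, enc_zip = buf.getvalue(), bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local header / central dir flags
        at = enc_zip.find(sig) + off
        struct.pack_into("<H", enc_zip, at, struct.unpack_from("<H", enc_zip, at)[0] | 1)
    head = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    return {"plain_zip": plain_zip, "encrypted_zip": bytes(enc_zip),
            "plain_pdf": head + b"trailer << /Root 1 0 R >>\n%%EOF\n",
            "encrypted_pdf": head + b"5 0 obj << /Filter /Standard /V 1 /R 2 >> endobj\n"
                                    b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"}
```

The PDF check is deliberately a string heuristic; a production filter should also treat unparseable or obfuscated files as "not easily readable", which is the criterion Ged suggests.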
