include much needed antivirus products in FC2
Lamar Owen
lowen at pari.edu
Tue Jan 6 14:47:05 UTC 2004
[not off-list. While one list reader expressed a desire for it to be so,
another expressed a desire for it not to be so. There are still points to
consider, particularly the user aspect.]
On Monday 05 January 2004 07:55 pm, seth vidal wrote:
> > If I scan at the e-mail gateways, I accomplish at least these seven
> > things: 1.) I protect outgoing mail for outside people, thus limiting the
> > spread of worms if and when the desktop does get compromised;
> If your workstations are patched and kept patched in an automated way
> aren't you doing this as well?
See, I'm not just scanning outgoing. I'm stripping all outgoing executables.
Executable attachments are unsafe; here it is policy that executable
attachments are verboten. Thus:
> Is it likely your server will be patched before the workstation?
I'm stripping _Windows_ executables for and from my _Windows_ workstations
using a Linux server. If I'm stripping for Windows vulnerabilities (which I
might not be able to patch, depending upon the workstation: I have one
workstation that is still, due to a very expensive piece of software, limited
to no greater than Windows NT 4.0 SP3), then why do the patches installed on
the Linux server even matter? But to directly answer your question, yes, it
is more likely that the server will be patched first. Servers are more
important, since more than one user depends upon them. Just like when large
power outages occur, the power company brings up the transmission lines
first. Then they worry about substations, then primary, and then finally
secondary.
> Why not have the same infrastructure for supplying updates to both?
For Linux servers and Windows workstations?
> > 2.) Because of 1, I limit my liability exposure if one of my users
> > infects someone outside with a bad worm;
> liability to what? I've forgotten when was the last lawsuit for
> 'internet worm ravages the world"?
Which is no guarantee that it won't happen. But, with the current Homeland
Security aspects in the US, one might be open to criminal prosecution for
gross negligence in not scanning all outgoing e-mail. Maybe not today; but
my job is to think about tomorrow.
> > 3.) Well over 99.99% of viruses come in via e-mail;
> Wow is that a real statistic or did you pick it fresh out of the air?
Anecdotal, plus given the fact that the only virus infection I have ever had
in ten years that was not borne by e-mail was a single case of Stoned. I
have, OTOH, had well over ten thousand e-mail viruses sent to my various
addresses of all my users. Thus, I can state that, in my case, it is 99.99%
e-mail viruses or better. I have received five thousand copies of Swen by
itself (yes, I know Swen is a Trojan and not a virus; AV tools still catch
it). And that is just my own address, not counting the other users at my
sites. I've lost count of the number of Klez variants that the e-mail
gateway has caught.
You might say that it's not fair to count each and every copy. I disagree; I
would count every single copy of Stoned, to use an ancient example, that I
found on floppies. Each infection source is to me an independent incident.
And each malware e-mail that comes in must be considered a separate infection
attempt, and thus a separate incident.
> This is an argument I can understand. But I don't have any of those
> users and I hope that dial up users are slowly slowly slowly diminishing
> from existence. I know they're not but I like to pretend :)
Pretend all you want. Even over ADSL Swen adds up in a hurry. Not to mention
the disk space in the users' mail spools that is wasted. While disk may be
cheap, upgrading disks is not (counting labor, downtime, etc). And, contrary
to spot's opinion, bandwidth is not so cheap that conserving bandwidth should
not be a goal. Bandwidth in some areas is $600 or more per month per megabit
(for lashed-up commercial circuits; ADSL might be cheap, but the OC's that
carry that traffic are not). I know; I've had a full-up OC-3 quoted from an
ISP at $98K per month.
If anything the number of dialup users is increasing. The percentage of
dialup users in the pool of total users may be decreasing, though.
> And gets a fair number of false positives but...
There are no false positives for executable attachments per our policy. So
that's not an issue for me, at least. My users have gotten accustomed to
that; we have special procedures for sending and receiving executables in a
secure manner on the rare chance that executables really need to be exchanged
(for the curious: PGP/GPG encryption). They much prefer that small
inconvenience to getting masses of executables, and they even like the fact
that Norton AV comes up far less often to interrupt their e-mail reading. I
guess that would be number eight:
8.) Each e-mail caught is one less time of clicking OK for the user. Clicking
OK a thousand times a day or week leaves a sour taste in the user's e-mouth.
Users like it when they don't have to think about their IT; and it is my job
to make IT as transparently useful as possible. E-mail AV scanning helps
IT's job; plus, you then have centralized statistics in how much work you
just saved the users. :-)
> Again, depending on your volume.
No, I don't believe so. You have to deal with the volume anyway; if you have
a simple 'kill all executable attachments' policy, and enough server capacity
to handle massive e-mail volumes, then the small percentage of non-executable
viruses/worms/trojans shouldn't put the server over the hill, load-wise.
> > Further, with Sophos Enterprise Manager you can have centralized desktop
> > scanner updates and management (as I'm sure NAV Enterprise also allows),
> > which gives you the best of both worlds.
> And it only costs $8trillion. Seriously sophos is prohibitively
> expensive and closed source, and provides their own perl and, and, and,
> and.... it's not something I'll be using anytime soon.
I just happen to have experience with Sophos, so I could realistically use it
as an example. For non-profits it's not too bad, compared to the labor cost
of keeping thousands of machines updated by hand. The desktop manager is
Windows, so being closed-source is not an issue for that piece.
But, again, I have to think of my users. I do astronomy here; astronomical
events tend to be once-in-a-lifetime things; if an astronomer misses an
observation, that observation cannot be redone. The small pain of setting up
dual AV scans is much less than the pain of having the telescope control
computer down for reinstallation during, say, a solar eclipse or a GRB
(gamma-ray burst). So, this decision can't be made just from the admin's
convenience; one must, as with all IT decisions, take into consideration the
user's pain if the system fails. How failure tolerant must the system be?
That is the question. Dual scanning increases the failure tolerance,
particularly when the two pieces of the system are diverse.
So, I would love it if FC2 included an AV scanner that could do both file
scanning for the desktop users as well as e-mail scanning for the server
user. A server doing backups can also scan for viruses during the backup,
which could put even more layers on, if you need that kind of fault
tolerance.
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
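The gateway policy described in the message above (strip Windows executables from mail on a Linux server and keep a tally of what was caught), as an added example that is not part of the original post or of any Fedora/FC2 tool. It uses only Python's standard email library; the banned extension list and the sample message are constructed for this example, and a renamed executable is caught by its MZ header rather than its filename.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed policy list for this example (not any product's configuration):
# Windows executable extensions the gateway refuses outright.
BANNED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".vbs"}
MZ_MAGIC = b"MZ"  # header of DOS/Windows PE executables

def looks_executable(part) -> bool:
    """Windows executable by extension or by magic bytes, so renaming
    report.exe to photo.jpg does not get it past the gateway."""
    name = (part.get_filename() or "").lower()
    if any(name.endswith(ext) for ext in BANNED_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == MZ_MAGIC

def strip_executables(raw: bytes):
    """Parse a raw message, replace every executable part with a short notice,
    and return (filtered message, names of stripped parts for the gateway log)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        if looks_executable(part):
            name = part.get_filename() or "(unnamed)"
            stripped.append(name)
            part.set_content(f"[attachment '{name}' removed by gateway policy]")
    return msg, stripped

def attachment_names(msg) -> list:
    """Filenames still present after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample_message() -> bytes:
    """Constructed sample: text body, a .exe, a renamed .exe and a text file."""
    msg = EmailMessage()
    msg["From"] = "user@example.org"
    msg["To"] = "outside@example.net"
    msg.set_content("Report attached.")
    msg.add_attachment(b"MZ\x90\x00fake-pe-header", maintype="application",
                       subtype="octet-stream", filename="report.exe")
    msg.add_attachment(b"MZ\x90\x00renamed-executable", maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    msg.add_attachment("meeting at 3", filename="notes.txt")
    return msg.as_bytes()
```

The list returned alongside the filtered message is the per-message record a gateway would aggregate into the centralized statistics the post mentions.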