include much needed antivirus products in FC2

Lamar Owen lowen at pari.edu
Tue Jan 6 14:47:05 UTC 2004


[not off-list.  While one list reader expressed a desire for it to be so, 
another expressed a desire for it not to be so.  There are still points to 
consider, particularly the user aspect.]

On Monday 05 January 2004 07:55 pm, seth vidal wrote:
> > If I scan at the e-mail gateways, I accomplish at least these seven
> > things: 1.)	I protect outgoing mail for outside people, thus limiting the
> > spread of worms if and when the desktop does get compromised;

> If your workstations are patched and kept patched in an automated way
> aren't you doing this as well?

See, I'm not just scanning outgoing.  I'm stripping all outgoing executables.  
Executable attachments are unsafe; here it is policy that executable 
attachments are verboten.  Thus:

> Is it likely your server will be patched before the workstation?

I'm stripping _Windows_ executables for and from my _Windows_ workstations 
using a Linux server.  If I'm stripping for Windows vulnerabilities (which I 
might not be able to patch, depending upon the workstation: I have one 
workstation that is still, due to a very expensive piece of software, limited 
to no greater than Windows NT 4.0 SP3), then why do the patches installed on 
the Linux server even matter?  But to directly answer your question, yes, it 
is more likely that the server will be patched first.  Servers are more 
important, since more than one user depends upon them.  Just like when large 
power outages occur, the power company brings up the transmission lines 
first. Then they worry about substations, then primary, and then finally 
secondary.

> Why not have the same infrastructure for supplying updates to both?

For Linux servers and Windows workstations?

> > 2.)	Because of 1, I limit my liability exposure if one of my users
> > infects someone outside with a bad worm;

> liability to what? I've forgotten when was the last lawsuit for
> 'internet worm ravages the world'?

Which is no guarantee that it won't happen.  But, with the current Homeland 
Security aspects in the US, one might be open to criminal prosecution for 
gross negligence in not scanning all outgoing e-mail.  Maybe not today; but 
my job is to think about tomorrow.

> > 3.)	Well over 99.99% of viruses come in via e-mail;

> Wow is that a real statistic or did you pick it fresh out of the air?

Anecdotal, plus given the fact that the only virus infection I have ever had 
in ten years that was not borne by e-mail was a single case of Stoned.  I 
have, OTOH, had well over ten thousand e-mail viruses sent to my various 
addresses of all my users.  Thus, I can state that, in my case, it is 99.99% 
e-mail viruses or better.  I have received five thousand copies of Swen by 
itself (yes, I know Swen is a Trojan and not a virus; AV tools still catch 
it).  And that is just my own address, not counting the other users at my 
sites.  I've lost count of the number of Klez variants that the e-mail 
gateway has caught.

You might say that it's not fair to count each and every copy.  I disagree; I 
would count every single copy of Stoned, to use an ancient example, that I 
found on floppies.  Each infection source is to me an independent incident.  
And each malware e-mail that comes in must be considered a separate infection 
attempt, and thus a separate incident.

> This is an argument I can understand. But I don't have any of those
> users and I hope that dial up users are slowly slowly slowly diminishing
> from existence. I know they're not but I like to pretend :)

Pretend all you want.  Even over ADSL Swen adds up in a hurry.  Not to mention 
the disk space in the users' mail spools that is wasted.  While disk may be 
cheap, upgrading disks is not (counting labor, downtime, etc).  And, contrary 
to spot's opinion, bandwidth is not so cheap that conserving bandwidth should 
not be a goal.  Bandwidth in some areas is $600 or more per month per megabit 
(for lashed-up commercial circuits; ADSL might be cheap, but the OC's that 
carry that traffic are not).  I know; I've had a full-up OC-3 quoted from an 
ISP at $98K per month.

If anything the number of dialup users is increasing.  The percentage of 
dialup users in the pool of total users may be decreasing, though.

> And gets a fair number of false positives but...

There are no false positives for executable attachments per our policy.  So 
that's not an issue for me, at least.  My users have gotten accustomed to 
that; we have special procedures for sending and receiving executables in a 
secure manner on the rare chance that executables really need to be exchanged 
(for the curious: PGP/GPG encryption).  They much prefer that small 
inconvenience to getting masses of executables, and they even like the fact 
that Norton AV comes up far less often to interrupt their e-mail reading.  I 
guess that would be number eight:

8.)	Each e-mail caught is one less time of clicking OK for the user.  Clicking 
OK a thousand times a day or week leaves a sour taste in the user's e-mouth.  
Users like it when they don't have to think about their IT; and it is my job 
to make IT as transparently useful as possible.  E-mail AV scanning helps 
IT's job; plus, you then have centralized statistics in how much work you 
just saved the users. :-)

> Again, depending on your volume.

No, I don't believe so.  You have to deal with the volume anyway; if you have 
a simple 'kill all executable attachments' policy, and enough server capacity 
to handle massive e-mail volumes, then the small percentage of non-executable 
viruses/worms/trojans shouldn't put the server over the hill, load-wise.

> > Further, with Sophos Enterprise Manager you can have centralized desktop
> > scanner updates and management (as I'm sure NAV Enterprise also allows),
> > which gives you the best of both worlds.

> And it only costs $8trillion. Seriously sophos is prohibitively
> expensive and closed source, and provides their own perl and, and, and,
> and.... it's not something I'll be using anytime soon.

I just happen to have experience with Sophos, so I could realistically use it 
as an example.  For non-profits it's not too bad, compared to the labor cost 
of keeping thousands of machines updated by hand.  The desktop manager is 
Windows, so being closed-source is not an issue for that piece.

But, again, I have to think of my users.  I do astronomy here; astronomical 
events tend to be once-in-a-lifetime things; if an astronomer misses an 
observation, that observation cannot be redone.  The small pain of setting up 
dual AV scans is much less than the pain of having the telescope control 
computer down for reinstallation during, say, a solar eclipse or a GRB 
(gamma-ray burst).  So, this decision can't be made just from the admin's 
convenience; one must, as with all IT decisions, take into consideration the 
user's pain if the system fails.  How failure tolerant must the system be?  
That is the question.  Dual scanning increases the failure tolerance, 
particularly when the two pieces of the system are diverse.

So, I would love it if FC2 included an AV scanner that could do both file 
scanning for the desktop users as well as e-mail scanning for the server 
user.  A server doing backups can also scan for viruses during the backup, 
which could put even more layers on, if you need that kind of fault 
tolerance.
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu
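
The "kill all executable attachments" gateway policy described in this post, as an added example that is not part of the original message or of any product mentioned in the thread. It uses only the Python standard library `email` package; the set of extensions treated as executable, the `X-Stripped-Attachments` header and the sample message are assumptions constructed for the example. Two independent signals decide whether a part is stripped: the file name's last suffix, and the `MZ` magic bytes at the start of the decoded payload, so an executable renamed to `.txt` is still caught. The function returns the names of the stripped parts, which is the per-message statistic the post mentions wanting to collect centrally.

```python
"""Gateway-side stripping of Windows executable attachments (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed site policy: every attachment with one of these suffixes is removed,
# whether or not an AV signature matches it.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".dll", ".cpl",
}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable image


def is_executable_attachment(part: EmailMessage) -> bool:
    """True if a leaf MIME part looks like a Windows executable by name or content."""
    filename = (part.get_filename() or "").lower()
    # Only the last suffix matters, so "invoice.pdf.exe" is caught as .exe.
    if any(filename.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True)  # bytes after base64/QP decoding
    return bool(payload) and payload[:2] == MZ_MAGIC


def strip_executables(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw RFC 5322 message and replace executable attachments with a notice.

    Returns the rewritten message and the file names that were stripped.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_disposition() != "attachment":
            continue  # inline bodies are left alone; only attachments are judged
        if is_executable_attachment(part):
            name = part.get_filename() or "(unnamed)"
            stripped.append(name)
            # set_content() clears the old Content-* headers and payload, so the
            # recipient sees a plain-text notice where the attachment was.
            part.set_content(
                f"[Attachment {name!r} removed by gateway policy: "
                "executable attachments are not delivered.]"
            )
    # Assumed header name; lets a downstream log collector count stripped parts.
    del msg["X-Stripped-Attachments"]
    msg["X-Stripped-Attachments"] = str(len(stripped))
    return msg, stripped


def remaining_attachment_names(msg: EmailMessage) -> list[str]:
    """File names of attachments still present after filtering."""
    return [
        p.get_filename() or "(unnamed)"
        for p in msg.walk()
        if not p.is_multipart() and p.get_content_disposition() == "attachment"
    ]


def build_sample() -> bytes:
    """Constructed sample: a text body, a PDF-like attachment, a .exe and a
    renamed executable whose .txt name hides an MZ header."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "files"
    msg.set_content("See attached.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 16  # constructed, not a real program
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    filtered, removed = strip_executables(build_sample())
    print("stripped:", removed)                          # ['setup.exe', 'notes.txt']
    print("kept:", remaining_attachment_names(filtered))  # ['report.pdf']
```

In a real deployment this function would sit behind the MTA's content-filter hook and the returned list would feed the gateway's statistics; the behaviour shown is the policy point of the post, that stripping happens regardless of whether any scanner recognises the file.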