SANS ISC: InfoSec Handlers Diary Blog

Anti-virus Control means blocking before scanning

Published: 2007-12-02
Last Updated: 2007-12-02 10:04:17 UTC
by Maarten Van Horenbeeck (Version: 1)

Everyone deploys anti-virus, and sometimes without spending sufficient thought on how it should be deployed intelligently. In essence, anti-virus products have very different features: some products are more of a ‘blacklisting’ technology than others. It is important to ensure that AV only needs to work in those cases where we know it is most effective.

As a quick example, here is the VirusTotal output for a recent malicious RAR file that was brought to my attention. RAR files are archives, similar to ZIP but with a higher compression ratio:

Scanner             Version        Signatures  Result
AhnLab-V3           2007.11.24.0   2007.11.23  -
AntiVir             7.6.0.34       2007.11.25  -
Authentium          4.93.8         2007.11.24  -
Avast               4.7.1074.0     2007.11.25  -
AVG                 7.5.0.503      2007.11.25  -
BitDefender         7.2            2007.11.25  -
CAT-QuickHeal       9.00           2007.11.24  -
ClamAV              0.91.2         2007.11.25  -
DrWeb               4.44.0.09170   2007.11.25  -
eSafe               7.0.15.0       2007.11.21  -
eTrust-Vet          31.3.5324      2007.11.24  -
Ewido               4.0            2007.11.25  -
FileAdvisor         1              2007.11.25  -
Fortinet            3.14.0.0       2007.11.25  -
F-Prot              4.4.2.54       2007.11.25  -
F-Secure            6.70.13030.0   2007.11.25  Exploit.Win32.WinRar.g
Ikarus              T3.1.1.12      2007.11.25  Exploit.Win32.WinRar.g
Kaspersky           7.0.0.125      2007.11.25  Exploit.Win32.WinRar.g
McAfee              5170           2007.11.23  -
Microsoft           1.3007         2007.11.25  -
NOD32v2             2684           2007.11.25  -
Norman              5.80.02        2007.11.23  -
Panda               9.0.0.4        2007.11.25  -
Prevx1              V2             2007.11.25  -
Rising              20.19.61.00    2007.11.25  -
Sophos              4.23.0         2007.11.25  -
Sunbelt             2.2.907.0      2007.11.24  -
Symantec            10             2007.11.25  -
TheHacker           6.2.9.141      2007.11.24  -
VBA32               3.12.2.5       2007.11.23  -
VirusBuster         4.3.26:9       2007.11.25  -
Webwasher-Gateway   6.0.1          2007.11.25  -

The vulnerability being exploited dates from 2005, yet it appears most solutions did not have effective detection for it. This makes sense: security bugs have been found in several hundred applications, if not more, and it would be very difficult for AV vendors to build effective file format parsers for each of the affected file formats.

There is also a good reason for them not to write such parsers: when implementing them for file formats that are sometimes not too well described, it is easy to introduce security bugs in your own parsing code. This has been illustrated by several researchers, such as Thierry Zoller and Sergio Alvarez of n.Runs, who found several bugs in AV parsing code, often allowing remote code execution by an attacker. Depending on where you scan, the affected system could be your mail gateway or your desktop.

The point of this diary is that the basis of any gateway anti-virus deployment should be enforcing which file types are passed along to the internal clients. Does your organization actually need .RAR files to function?

Building a list of the file types you want to support organizationally, while understanding that each of them poses additional risk, should be the beginning of any implementation. The anti-virus should then be configured accordingly to simply drop anything that does not match this policy statement.
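As an added illustration of that policy (example code written for this page, not from the diary or any product), here is a gateway filter that identifies each file by its leading bytes rather than its name, drops anything not on the allow-list before the scanner ever parses it, and also drops files whose name claims a different type than their content (a .RAR renamed to .txt, for instance). The allow-list, extension map and sample files are constructed for the example.

```python
from typing import Tuple

# Constructed allow-list: the file types the organisation has decided it needs.
# Anything else is dropped before the AV engine ever has to parse it.
ALLOWED_TYPES = {"pdf", "png", "txt"}

# Leading bytes that identify the real container type, independent of the name.
MAGIC = [
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR 4.x archive
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x archive
    (b"PK\x03\x04", "zip"),             # ZIP container
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "exe"),                     # Windows executable
]

# Extensions the (constructed) policy recognises, mapped to the type they claim.
EXTENSIONS = {"rar": "rar", "zip": "zip", "pdf": "pdf", "png": "png",
              "txt": "txt", "exe": "exe"}

def sniff_type(data: bytes) -> str:
    """Identify a file by content, never by name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    # Plain text: non-empty, printable ASCII plus tab/CR/LF only.
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "txt"
    return "unknown"

def gateway_decision(filename: str, data: bytes) -> Tuple[str, str, str]:
    """Return (verdict, detected_type, reason); 'drop' never reaches the scanner."""
    detected = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSIONS.get(ext, "unknown")
    if detected not in ALLOWED_TYPES:
        return ("drop", detected, f"type '{detected}' not on the allow-list")
    if claimed != detected:
        return ("drop", detected, f"content is {detected} but name claims .{ext or '?'}")
    return ("scan", detected, "within policy; hand to AV engine")

if __name__ == "__main__":
    # Constructed samples: headers only, no real archive or document content.
    samples = [("invoice.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
               ("notes.txt",   b"Rar!\x1a\x07\x00" + b"\x00" * 16),  # RAR renamed
               ("report.pdf",  b"%PDF-1.4\n%constructed sample\n"),
               ("readme.pdf",  b"Plain text body\n")]                # name claims PDF
    for name, blob in samples:
        print(name, gateway_decision(name, blob))
```

Note that the RAR sample is dropped regardless of whether any engine in the table above would have recognised the exploit; the policy decision does not depend on a signature existing.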

--
Maarten Van Horenbeeck
