Everyone deploys anti-virus, sometimes without spending sufficient thought on how it should be intelligently deployed. Anti-virus products differ greatly in their features: some are relatively more of a 'blacklisting' technology than others. It is important to ensure that AV only needs to work in those cases where we know it is most effective.
As a quick example, here is the VirusTotal output for a recent malicious RAR file that was brought to my attention. RAR files are archives, similar to ZIP but with a higher compression grade:
AhnLab-V3 2007.11.24.0 2007.11.23 -
The vulnerability being exploited dated from 2005, but it appears most solutions did not have effective detection for it. This makes sense: security bugs have been found in several hundred applications, if not more, and it would be very difficult for AV vendors to build effective file format parsers for each of the affected file formats.
There is also a good reason for them not to write such parsers: when implementing parsers for sometimes poorly documented file formats, it is easy to introduce security bugs in your own parsing code. This has been illustrated by several researchers, such as Thierry Zoller and Sergio Alvarez of n.Runs. They found several bugs in AV parsing code, often leading to remote code execution for an attacker. Depending on where you scan, the affected system could be your mail gateway or your desktop.
The point of this diary is that the basis of any gateway anti-virus deployment should be that you enforce which file types are passed along to the internal clients. Does your organization actually need .RAR files to function?
Building a list of the file types you want to support organizationally, and understanding the additional risk each of them poses, should be the beginning of any implementation. The anti-virus should then be configured accordingly to simply drop anything that does not match this policy statement.
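As an added illustration of the policy described above (example code, not from the diary or any AV product): a gateway-side check that identifies a file by its leading bytes rather than its name, passes only types on an assumed organizational allowlist, and drops everything else, including RAR archives regardless of what extension they carry. The allowlist contents and the signature table are assumptions for the example.

```python
"""Gateway file-type policy check (added example, not from the ISC diary).

Decides from the first bytes of a file whether it belongs to a type the
organization has chosen to allow. Unrecognized content and types not on
the allowlist are dropped, so the AV engine only sees formats we chose.
"""
from dataclasses import dataclass

# Well-known public magic-byte signatures for a few container formats.
SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar",                   # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",               # RAR 5
    b"PK\x03\x04": "zip",                         # ZIP and OOXML containers
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls
}

# Assumed policy: the file types this organization decided it needs.
ALLOWED_TYPES = {"pdf", "zip"}
# Extensions that legitimately carry a ZIP container (assumed policy).
ZIP_EXTENSIONS = {"zip", "docx", "xlsx", "pptx"}


@dataclass
class Verdict:
    detected: str  # type inferred from content, or "unknown"
    action: str    # "pass" or "drop"
    reason: str


def detect_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the filename."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def evaluate(filename: str, data: bytes, allowed=ALLOWED_TYPES) -> Verdict:
    """Apply the allowlist: default deny, then check type and name agree."""
    kind = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "unknown":
        return Verdict(kind, "drop", "content type not recognized; default deny")
    if kind not in allowed:
        return Verdict(kind, "drop", f"{kind} is not on the allowed-type list")
    name_ok = ext in ZIP_EXTENSIONS if kind == "zip" else ext == kind
    if not name_ok:
        return Verdict(kind, "drop", f"extension .{ext} does not match content ({kind})")
    return Verdict(kind, "pass", "allowed type, consistent extension")
```

Renaming a RAR archive to .pdf still yields a drop, because the decision is made on content, and the policy never relies on the AV engine parsing a format the organization does not need.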
Dec 2nd 2007