Re: [EXIM] How about a Virus filter?

Author: patl
Date:  
To: Mark Seuffert (Pirates)
CC: exim-users
Subject: Re: [EXIM] How about a Virus filter?
> Hi there,
> is there the possibility of adding a virus filter to exim? Maybe
> someone has a virus filter running, which rejects all incoming (and
> outgoing) infected mails. I think, the filter (or a script) has to
> unpack emails with different methods (uudecode/tgz/zip etc) and then
> pass it to the virus scanner....


This is exactly the sort of bloatware that does -not- belong in the
MTA. Virus detection should be done as close to the recipient as
possible so that the user can decide what to do with the infected
message. Otherwise, how would you ever send a virus to a security
team for examination? And what about false matches? The filter may
think it's found some MS-Windows virus; when the recipient knows that
the program is actually a perfectly safe bit of unix code? Furthermore,
keeping a virus detector up to date is at least as big of a project as
exim itself. (Although the focus would be on adding entries to the
virus definition files rather than on the code itself.)

A virus detector in the MUA is a reasonable tool; so long as it just
notifies of the possible match rather than attempting to remove the
message or attachment.

Attempting to invisibly and automatically filter out dangerous attachments
is -not- a substitute for social engineering. ALL users should be educated
about the dangers of executing attachments received in e-mail and news
articles; and what factors to consider when deciding whether or not to
risk it. Nor is it a substitute for frequent full-system virus scans
on each and every machine on your network. Depending on an e-mail virus
filter is something like locking your front door but leaving the back door
unlocked and the windows open.

Technical solutions aimed at e-mail and downloaded files should focus
on code-signing and other methods for assigning trust levels; and on
the use of Java and similar 'sandbox' environments that include run
time security checking.


>                               if this would catch at least 50% of
> the normal Windows macro viruses (to protect the stupid Windows
> "workstations"), it would be great! :)


The best way to protect Windows workstations from virii is to replace
Windows with unix. But various non-technical factors frequently make
that solution a non-starter. The second best way is to armor each and
every Windows box with a good virus scanner that will integrate with
the system and common tools (MUAs, browsers, etc.) to provide virus
checking and notification at appropriate points. Overall system scans
should be scheduled frequently. (If the machines are left on overnight,
daily scans are a good idea. Otherwise, depending on the disk size and
system speed, it is reasonable to check every time the machine is turned
on.) Daily scans should also be done on any writeable MS-Windows-accessible
files which are served from unix machines.

And once the virus scanner has been set up and configured, you need to
keep the virus definition files up to date. I would suggest downloading
updates no less than once a month.


-Pat

--
*** Exim information can be found at http://www.exim.org/ ***