Re: [EXIM] How about a Virus filter?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: patl
Date:  
À: Mark Seuffert (Pirates)
CC: exim-users
Sujet: Re: [EXIM] How about a Virus filter?
> Hi!
>
> patl@??? schrieb am 20 Oct 98, (you wrote):
>
> > This is exactly the sort of bloatware that does -not- belong in the
> > MTA. Virus detection should be done as close to the recipient as
> > possible so that the user can decide what to do with the infected
> > message.
>
> Why? If you have a system at a central point, this system could be used
> to filter unwanted or harmfull stuff. If you don't filter at the
> central point you have to filter everywhere, which means lot's more
> effort (!).... to keep virus pattern uptodate is easier at one point
> then at hundred workstations (as you suggested).


1)  You are assuming that everybody will always want all 'infected'
    messages or attachments to be blocked.


2) You are assuming that the filter will have no false positives.

3)  It generates a false air of security where users are less likely
    to be wary of anything that does make it through the filters.
    (Like new virii that the filter doesn't know about...)


4)  It ignores other paths of infection which do not go through a
    central point.


5)  It would cause major bloat in the MTA and significantly increase
    the overhead on every message processed.


6)  Exim is a wonderful hammer.  Virus transmission via e-mail
    isn't a nail.


> > Otherwise, how would you ever send a virus to a security
> > team for examination?
>
> As I told, there could be different "levels". Let's say mail accounts,
> which recieve everything unfiltered, or which recieve mails with a
> warning (if infected) or which recieve nothing (if infected) instead
> the orginator of the mail gets a automatic reply with a warning.
> I think the second would be what I prefer.


More data bloat and maintainance overhead in the mail server. Why
not leave it up to the user? Install a default setting for them and
let interested users deal with it themselves.

> > Furthermore,
> > keeping a virus detector up to date is at least as big of a project as
> > exim itself.
>
> No. For example think about McAffee virus scanners... you only have to
> download the newest virus pattern file (every month). Btw you would
> have the same problem if you protect each workstation, but there you
> have to do updates at several points.


Obtaining the information to keep the virus pattern file updated for
new virii is as big a project as maintaining and extending a program.
Or were you planning on stealing McAffee's or Norton/Symantic's work
by using their pattern files? Isn't it a lot easier to simply install
their product on each MS-Windows box and let it protect -all- of the
paths of infection?


> > ALL users should be educated
> > about the dangers of executing attachments received in e-mail and news
> > articles;


> Users could be stupid, actually a lot are. :) A virus filter gives them
> a big aid.
> Your argument sound familiar to the spam argument... there is a problem
> (spam or virus) and providers/sysop do nothing against, because it
> could causes "technical" problems or costs time... but at the end it
> helps the users. Isn't this the argument which counts?


No. There is -no- excuse for failing to educate the users. It is
not possible to automatically completely shield them from possible
harm. You can't even come close without stepping on their rights
to privacy and free speach. Give them the tools to make their own
decisions and help them take responsibility for protecting themselves.



-Pat

--
*** Exim information can be found at http://www.exim.org/ ***