The changing assumptions about viruses in email

November 11, 2010

Once upon a time, back at the dawn of the virus age, viruses in email tended to come from actual people innocently sending around infected files. Somewhat later, they came from actual people having either their outgoing email modified by the virus or simply having their address books pillaged by the virus, which also borrowed their mail client.

Back in those halcyon days, it made sense to do things like clean viruses from messages (leaving the rest of the message intact) and to quarantine virus-contaminated email. When a virus was just a hitchhiker on a legitimate email message or a real correspondent's email account, the rest of a virus-contaminated message had value and so you wanted to preserve it.

Those days are long gone. Modern virus email is nothing more than a dangerous form of spam, where the entire message is the work of the virus. As such, a modern virus-contaminated message has no value. There is no point in preserving any part of it for human eyes; if you do, the only thing you are preserving is some of the virus's payload. If your anti-virus software is on the ball the remaining payload cannot actually infect the user's computer, but it can still confuse them (for example, when it claims to be a message from your support organization about how their computer is infected with a virus), and that confusion is essentially intractable and inevitable.

The conclusion is clear to me: anti-virus software that does not completely remove all content of a virus-contaminated message is using old and now-invalid assumptions. In the modern age, there are only three things that anti-virus software should do with such a message: bounce it, discard it, or replace the entire message with a note to the effect of 'there used to be a virus message here but we removed it'. Replacing only parts of the message is now wrong.

(The more I think about it, the more I would erase the Subject: as well as the entire message body.)
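To make the difference concrete, here is an added example (my code, not the post's and not any particular anti-virus product's) using Python's standard email library. It builds a constructed virus-style message, applies the old 'strip only the flagged attachment' cleaning beside the whole-message replacement argued for above, and reports which human-visible pieces of the original survive each. The scanner verdict is assumed (the set of flagged attachment filenames is passed in by hand), and the kept-header list and the replacement wording are my own choices.

```python
import email
import email.policy
from email.message import EmailMessage

# Constructed sample of a modern virus message: the lure text, the attachment
# and the headers are all the malware's own work.  The attachment body is a
# harmless base64 placeholder ("Harmless placeholder"), not an executable.
SAMPLE_VIRUS_MAIL = b"""\
From: "IT Support" <support@example.com>
To: victim@example.com
Subject: Your computer is infected, run the attached cleaner
Date: Thu, 11 Nov 2010 12:00:00 +0000
Message-ID: <constructed-001@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Our scan found a virus on your PC. Open the attached cleaner now.
--b1
Content-Type: application/octet-stream; name="cleaner.exe"
Content-Disposition: attachment; filename="cleaner.exe"
Content-Transfer-Encoding: base64

SGFybWxlc3MgcGxhY2Vob2xkZXI=
--b1--
"""

# Pieces of the original that a human would see if they survived cleaning.
MARKERS = {
    "subject": "Your computer is infected",
    "lure": "Open the attached cleaner now",
    "attachment": "cleaner.exe",
}

# Headers the replacement keeps so the note still routes and can be traced.
# Subject is deliberately absent: it is the virus's text too.  (Assumed list,
# my choice; a real filter would follow local policy.)
KEEP_HEADERS = ("From", "To", "Cc", "Date", "Message-ID")

REPLACEMENT_TEXT = "A message that carried a virus was removed here by the mail filter.\n"


def parse(raw):
    """Parse raw RFC 5322 bytes with the modern (EmailMessage) API."""
    return email.message_from_bytes(raw, policy=email.policy.default)


def strip_infected_parts(msg, infected_filenames):
    """Old-style cleaning: drop only the flagged attachments, keep the rest.

    `infected_filenames` stands in for the scanner's verdict (assumed input).
    """
    cleaned = EmailMessage()
    for name, value in msg.items():
        # MIME structure headers are regenerated by set_content/add_attachment.
        if name.lower().startswith("content-") or name.lower() == "mime-version":
            continue
        cleaned[name] = value
    body = msg.get_body(preferencelist=("plain",))
    cleaned.set_content(body.get_content() if body is not None else "")
    for part in msg.iter_attachments():
        if part.get_filename() in infected_filenames:
            continue
        cleaned.add_attachment(
            part.get_payload(decode=True),
            maintype=part.get_content_maintype(),
            subtype=part.get_content_subtype(),
            filename=part.get_filename(),
        )
    return cleaned


def replace_entire_message(msg):
    """The policy argued for above: nothing the virus wrote survives."""
    replacement = EmailMessage()
    for name in KEEP_HEADERS:
        value = msg.get(name)
        if value is not None:
            replacement[name] = value
    replacement["Subject"] = "[virus removed]"
    replacement.set_content(REPLACEMENT_TEXT)
    return replacement


def surviving_markers(msg):
    """Which of the original's human-visible pieces appear in the output."""
    rendered = msg.as_string()
    return {key for key, text in MARKERS.items() if text in rendered}


if __name__ == "__main__":
    original = parse(SAMPLE_VIRUS_MAIL)
    print("original      :", sorted(surviving_markers(original)))
    print("strip parts   :", sorted(surviving_markers(strip_infected_parts(original, {"cleaner.exe"}))))
    print("replace whole :", sorted(surviving_markers(replace_entire_message(original))))
```

Run stand-alone, the old-style cleaning still delivers the subject line and the lure text ("open the attached cleaner now") to the user with only the attachment gone, which is exactly the confusing residue described above; the whole-message replacement delivers none of it. Of the three options listed, bouncing is the one to be most careful with: the sender address on a virus message is forged, so a bounce goes to an innocent third party as backscatter, a problem that discarding or replacing does not have.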

PS: possibly most modern anti-virus software does this and our software (or configuration) is just behind the times.

Last modified: Thu Nov 11 23:46:41 2010