Our current email anti-virus system is probably ineffective now

January 27, 2015

Last month I noticed that classical viruses by email were still around, despite a past history of low virus detection by our main mail system. Well, funny you should mention that. As it happens, late last week the whole university was battered by a large tide of infected phish/virus emails over several days (and we had several infections ourselves). If our anti-spam system is any good at detecting viruses, I'd expect a serious uptick in virus detection, because the actual rate of virus emails was clearly up significantly.

The good news is that there is a definite uptick over the two days with the bulk of the attack. The bad news is that it is not to very high numbers; 81 Monday, 95 Tuesday, 112 Wednesday, 101 Thursday, and 47 Friday. A normal weekday appears to run around 50 viruses detected a day. And it's highly likely that at least some viruses made it through this screening to reach our users.

(Note that some of these 'viruses' are actually phish spam. It's possible that they're phish spam with executables attached; I don't know.)

It's possible that some of the viruses were detected as spam, but there are two strikes against this. The first is that detected spam volume does not seem to fluctuate much over those days. The second is that detecting viruses as spam instead is actually bad for us; if it's detected as an actual virus, the anti-spam system removes the viral content instead of merely marking the Subject: line.
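One way to check this kind of claim against the mail-filter logs, as an added example that is not from the post or its mail system: count the per-day virus and spam verdicts and flag days that sit well above the median, so a rise that shows up only under 'virus' (with 'spam' flat) is distinguishable from viruses being caught as spam. The log line format, field names and sample lines are constructed assumptions; adapt `LINE_RE` to your own filter's logs.

```python
"""Added example: per-day virus/spam verdict counts from a mail-filter log,
with a simple check for days well above the median. The log format below is
a constructed assumption, not any real product's format."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log covering three days; 2015-01-21 carries the wave.
SAMPLE_LOG = """\
2015-01-19 09:12:01 mailfilter id=a1 verdict=virus name=Trojan.Downloader
2015-01-19 09:13:44 mailfilter id=a2 verdict=spam score=12.3
2015-01-19 10:02:10 mailfilter id=a3 verdict=clean
2015-01-20 08:55:03 mailfilter id=b1 verdict=virus name=Trojan.Downloader
2015-01-20 08:55:09 mailfilter id=b2 verdict=virus name=Trojan.Downloader
2015-01-20 09:01:30 mailfilter id=b3 verdict=spam score=9.1
2015-01-21 07:20:12 mailfilter id=c1 verdict=virus name=Worm.Generic
2015-01-21 07:21:00 mailfilter id=c2 verdict=virus name=Worm.Generic
2015-01-21 07:22:45 mailfilter id=c3 verdict=virus name=Worm.Generic
2015-01-21 07:25:10 mailfilter id=c4 verdict=virus name=Worm.Generic
2015-01-21 07:30:00 mailfilter id=c5 verdict=spam score=11.0
"""

# Assumed format: "<date> <time> mailfilter id=<id> verdict=<verdict> ..."
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ mailfilter id=\S+ verdict=(?P<verdict>\w+)"
)


def daily_counts(log_text):
    """Return {day: {verdict: count}} for every parseable line."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in an unexpected format are skipped, not counted
            counts[m["day"]][m["verdict"]] += 1
    return {day: dict(v) for day, v in counts.items()}


def uptick_days(counts, verdict, factor=1.5):
    """Days whose count for `verdict` exceeds factor * median over all days.
    Run once with 'virus' and once with 'spam': an uptick only under 'virus'
    means the AV side saw the wave; an uptick only under 'spam' would suggest
    the viruses were being classified as spam instead."""
    per_day = {day: v.get(verdict, 0) for day, v in counts.items()}
    baseline = median(per_day.values())
    return sorted(day for day, n in per_day.items() if n > factor * baseline)
```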

Unfortunately I don't know what options we have, or how much work it's worth putting into this in general. After all, if our actual virus email rate is quite low outside of anomalies such as this, it probably doesn't matter that our current anti-spam system seems at best so-so at detecting viruses. We could plow a lot of time and effort into evaluating (free) options like ClamAV only to find that they block only a small extra amount of email, which hardly seems worth it.

(I have complicated attitudes on anti-virus stuff, but the short summary is that I think it's very dangerous to put much emphasis on email filtering keeping them out.)

Comments on this page:

Chris, what are your thoughts on a whitelisting approach to applications (such as AppLocker on Windows)? My thoughts are that it helps stop the 'always playing catch-up' mentality of signature-based protection.

Thanks for the great blog!

By cks at 2015-01-27 10:54:12:

I'm dubious about whitelisting approaches in anything except extremely controlled and unchanging environments. Part of it is the annoyance issue and part of it is users becoming habituated to what are basically false alerts so that they just blindly say 'go ahead' for everything they're asked to approve.

(And a third part is that what computers see as separate programs and applications are often not what people see. This increases the chances that people will blindly approve things.)

However I have the luxury of all of this being theoretical, as I'm not responsible for any end user machines (except my workstation and so on, and that runs Linux).

Written on 27 January 2015.

Last modified: Tue Jan 27 01:36:54 2015