Thanks Matt,

This is exactly the point I was trying to make. The Anti Virus vendors (and others, i.e. MS, see Outlook) should not totally prevent a user from taking a course of action (unless it is a known danger); warn by all means, but blocking completely is unreasonable. I would expect the subscribers to this list, for example, to be more computer literate than your average home user and therefore fully aware of the possible dangers of clicking on that link. If we choose to do it anyway, that's our lookout. When we are developing our software for file transmissions to BACS (the UK banks' electronic funds clearing house) the following approach is adopted:

If a problem is found which would prevent the payments being processed, e.g. the bank details are invalid, the user is told they cannot proceed, i.e. the action is blocked.
With AV software this would be equivalent to preventing access to a virus infected file.

If a problem is found that does not prevent the payments but which may not have the expected results, e.g. they have requested a money transfer to take place on a weekend (BACS will process the payment on the next available working day automatically), then we warn the user of the possible results of their decision (i.e. the payment will be made later than the date they have chosen) and then leave it to them to decide if they want to carry on or not.
With AV software this would be like warning of a spoofed URL in an RTF document; the user can then decide if they want to follow the link anyway. Zone Labs' firewall, Zone Alarm, handles this kind of situation very well. If you try to open a file it has quarantined it asks you what you want to do: Run, Save as, Inspect with Notepad, or Do not run.

I think you get the point and we seem to be getting further and further away from the subject of the list.
Enough ranting.
Rick you are entitled to your opinion but I think the consensus is that anti virus vendors should keep clear or change their approach when it comes to URL spoofing.

Hope everybody has an uneventful (from a support perspective) weekend.

Regards,

Adrian


Matt <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

16/01/2004 05:50

Please respond to
[EMAIL PROTECTED]

To
[EMAIL PROTECTED]
cc
Subject
Re: [IMail Forum] URLSpoof contained within an RTF Doc

Rick,

The error that you reported from Panda is described by Panda as follows:

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=43353&sind=0
"Exploit/URLSpoof is a vulnerability exploit. It is not categorized as a virus, worm or Trojan. To be more precise, it is code written in the HTML language, which is included in the body of a message or of a web page in order to exploit a vulnerability in the browser Internet Explorer."

This particular "exploit" was discovered in late December and it consists of a URL encoded non-printing character in a link which can cause IE to not display the actual URL of the site after following the link.  Here's the page of the site that explains it:

http://www.zapthedingbat.com/security/ex01/vun1.htm

I'd post an example, but I wouldn't want to trip Panda and cause you to not be able to see a legitimate message :)  If you're using Declude JunkMail Pro v1.77i7+, you can generally protect your customers from such things with the following filters (as well as others of course):

http://www.mailpure.com/software/decludefilters/zapthedingbat/ZapTheDingbat_v2-1-0.zip
http://www.mailpure.com/software/decludefilters/obfuscation/Obfuscation_v2-1-0.zip

I think what both I and Scott were suggesting was that antivirus programs should be used to protect computers from viruses and not to protect people from their own lack of judgment in clicking on obfuscated links, or prevent people like us from discussing such techniques.  I hope that AV companies stay away from policing content and stick to programs and scripts.

Your original post spoke about an RTF document with an error that corresponded directly to what is described above.  I'm not sure where the stuff about mimail.b, zip files and trojans comes from or how it relates.

Matt



Rick Klinge wrote:

Actually the original posting, that I posted, was referring to a
virus/trojan.  No matter how anyone wants to try to piddle with words the
fact remains the same: any email that contains malicious content or
attachments that causes or could cause a computer harm, probably contains a
virus or trojan.  Any major AV company that classifies the same strain as
the same virus or trojan knows more about this than I do.  All I trust is
that when they say it is a virus or trojan then it is - Period - no
questions asked.  That said this particular one was an email that had an
attached zip file to it.  Within that zip file was a trojan.  That trojan
would contact a site in Russia, now closed, to download the binary payload
to complete the trojan thus allowing hackers to use your computer at will.
Ref:
http://securityresponse.symantec.com/avcenter/venc/data/downloader.mimail.b.html

Just because an AV company can't or doesn't find a virus doesn't mean they are
bad.  This particular strain was found by Norton only a few days ago.  FWIW
Panda has outperformed Norton's AV and I have yet to hear of any ills from
it.  Now Norton's on the other hand, I believe, has had issues with its auto
update feature and recently I believe there were issues with it not being
able to connect or function properly because of an intermediate certificate
expiration.  What I do know is that one should never ever install Panda and
Norton's on the same machine.

As for turning off anti-virus protection on your laptop.. Hehe.. That can be
done.. It's easy and of course it's your choice. There is a feature within
Panda that will allow you to disable the email scanning. Antivirus software,
AFAIK, comes by default with all protection on.. Nature of that type of
software.  I don't believe there is any way to turn off 'certain' types of
virus checking.. There are like 80,000 of them out there..  Would make for a
whole lot of check boxes, don't ya think?  Who would want to turn off
scanning for individual viruses anyway?  Maybe I've missed your point.. But
I doubt it.



~Rick



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adrian Portway
Sent: Thursday, January 15, 2004 9:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] URLSpoof contained within an RTF Doc


I have just bought a new laptop with Panda AV pre-installed. When I ran a
full scan on the system today Panda AV found 8 "infected" files; all of
these were in a sub-mailbox of Eudora where only my e-mails from this list
are stored! Since I had moved this mailbox from my old machine, which ran
Norton AV and never reported a problem, I know that there are no viruses
there.

This appears to me a case of the AV vendor/vendors trying to protect the
user from themselves; I have yet to find anywhere in the settings where this
type of checking can be switched off. I object to this type of approach by
software vendors; at my company we have always felt that our software should
allow the user to take a course of action if they choose (although we warn
them of the possible consequences). Surely it's better to educate the user
than just stop them dead.

Alternatively we could start marketing the ultimate AV program.

Roll up, roll up for the latest in anti-virus technology: install this on
your machine and never get a virus again. Of course, once we've removed the
ability to connect to the Internet you will be unable to get e-mail or shop
on eBay, so you may just want to give your computer to the local school.

After I have run this idea past our marketing people and developers I will
be looking for an AV program that allows me to have some input into what I
can do on my own machine.



___________________________________________________________________
Virus Scanned and Filtered by
http://www.FamHost.com E-Mail System.


To Unsubscribe:
http://www.ipswitch.com/support/mailing-lists.html
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ:
http://www.ipswitch.com/support/IMail/




--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
Inbound virus scan: ok
Scanned by IKcogg-1 server
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.211 / Virus Database: 261.6.2 - Release Date: 13/01/2004
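Matt's message above describes the Panda "Exploit/URLSpoof" detection as a link carrying a URL-encoded non-printing character that makes IE show a different address from the site actually visited, and Adrian's reply argues that such findings should be handled with a block/warn policy rather than a blanket block. The following is an added example, not code from the thread, from Declude, or from any of the vendors named, showing how a mail filter could implement exactly that split: it extracts http(s) links from a message, reports the host a browser would really connect to, classifies a link as "block" only when the part before an "@" sign contains a non-printing character (the known danger), and as "warn" when a link merely carries a plain user@host prefix. The sample message, the reserved example.com/203.0.113.9 addresses, and the verdict names are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Matches http(s) URLs in free text; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)

# Constructed sample message containing three links: a normal one, a link whose
# "www.example.com%01@" prefix hides the real host 203.0.113.9 (the pattern the
# thread discusses, using reserved documentation addresses), and a plain
# user:pass@ link that is merely unusual rather than known-bad.
SAMPLE_MESSAGE = (
    "Read the notice at http://www.example.com/news and then log in at\n"
    "http://www.example.com%01@203.0.113.9/login to confirm. Archive:\n"
    "http://user:pass@example.org/ (credentials in the link)."
)


def _has_control_chars(text):
    """True if the decoded text contains any ASCII control character (0x00-0x1F, 0x7F)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)


def inspect_url(url):
    """Classify one URL as 'ok', 'warn' or 'block' and report the host actually contacted.

    'block': the userinfo part (before '@') hides a non-printing character, so a
             browser that mis-renders it shows a false address (the known danger).
    'warn':  the URL carries a plain user@host prefix; legitimate but worth flagging.
    'ok':    no userinfo at all.
    """
    parts = urlsplit(url)
    real_host = parts.hostname  # urlsplit takes the host from after the last '@'
    if '@' not in parts.netloc:
        return {'url': url, 'verdict': 'ok', 'real_host': real_host, 'apparent_prefix': None}

    userinfo, _, _ = parts.netloc.rpartition('@')
    decoded = unquote(userinfo)
    # What a careless reader sees: the prefix with any control characters removed.
    apparent_prefix = ''.join(c for c in decoded if not (ord(c) < 0x20 or ord(c) == 0x7F))
    verdict = 'block' if _has_control_chars(decoded) else 'warn'
    return {'url': url, 'verdict': verdict, 'real_host': real_host, 'apparent_prefix': apparent_prefix}


def scan_text(text):
    """Extract every http(s) link from a message body and inspect each one."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip('.,;:)')  # drop trailing sentence punctuation
        findings.append(inspect_url(url))
    return findings


def decide_action(findings):
    """Apply the block/warn policy to a whole message: block beats warn beats deliver."""
    verdicts = {f['verdict'] for f in findings}
    if 'block' in verdicts:
        return 'block'
    if 'warn' in verdicts:
        return 'warn'
    return 'deliver'


if __name__ == '__main__':
    results = scan_text(SAMPLE_MESSAGE)
    for r in results:
        print(f"{r['verdict']:5}  real host: {r['real_host']:<16}  shown as: {r['apparent_prefix']}  {r['url']}")
    print('message action:', decide_action(results))
```

Run on the constructed message it prints three lines and a final "message action: block"; the only link that triggers the block verdict is the one whose decoded prefix contains a control character, while the user:pass link is passed through with a warning, which is the distinction Adrian's BACS analogy asks for.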