Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

Diego d'Ambra wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:clamav-users-[EMAIL PROTECTED]] On Behalf Of Julian Mehnle
> > Sent: 15. november 2004 17:54
> > To: ClamAV users ML
> > Subject: RE: [Clamav-users] ClamAV should not try to detect phishing and
> > other social engineering attacks
> >
> > Trog [EMAIL PROTECTED] wrote:
> > > Please give a full definition of Spam and Malware/Viruses that do not
> > > intersect, and will never intersect for all future Spam and Malware such
> > > that we can be sure we know what you are requesting.
> >
> > The definition of what _I_ would like ClamAV to detect is: anything that
> > poses a technical threat, no matter whether it also poses a social/fraud
> > threat or not. That's a clear enough criterion, isn't it?
>
> Creating such a system has a dramatic impact on the work needed to classify a suspicious sample. These samples often contain weird Java, HTML etc. that must be decoded and tested with different software versions to ensure no exploit is being triggered and/or harmful content installed. I'm aware of other AV products that allow you to control the "sample types" you want it to detect, but I believe that categorizing samples beyond what ClamAV offers today is too time consuming.
>
> Best regards,
> Diego d'Ambra

All this discussion, although interesting, should take place after adding such an option (if wanted) to a private copy of the CVS sources and after testing it. Just during this looong conversation ;-)

Regards
Boguslaw Brandys

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

Hanford, Seth wrote:
> > Would that include viruses that require action on the part of the
> > recipient? Included in password protected zips? What is the difference
> > between tricking a person into opening a password protected zip (which
> > is not dangerous in its delivered form) and tricking a user into
> > clicking a link that takes them to the virus?
>
> To me, there seems to be no difficulty in distinguishing these threats.

So? I never said that I can't tell the difference between a virus in the email and a link to a page that causes infections. If it was just me, the whole point is moot since I don't run an MS OS, and even when I did, I was smart enough not to use Outlook or open unknown attachments. It is not you that I get on the phone accusing me of not protecting your computer. Most email users do not see the difference.

For reasons similar to those Julian has been using, we don't block Spam; we send spam to a junkmail folder for each user to review. Viruses and links to viruses are the same thing as far as my end user is concerned, and that is who I am serving.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
"Winter is an etching, spring a watercolor, summer an oil painting and autumn a mosaic of them all." - Stanley Horowitz
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users-[EMAIL PROTECTED]] On Behalf Of Julian Mehnle
> Sent: 15. november 2004 17:54
> To: ClamAV users ML
> Subject: RE: [Clamav-users] ClamAV should not try to detect phishing and
> other social engineering attacks
>
> Trog [EMAIL PROTECTED] wrote:
> > Please give a full definition of Spam and Malware/Viruses that do not
> > intersect, and will never intersect for all future Spam and Malware such
> > that we can be sure we know what you are requesting.
>
> The definition of what _I_ would like ClamAV to detect is: anything that
> poses a technical threat, no matter whether it also poses a social/fraud
> threat or not. That's a clear enough criterion, isn't it?

Creating such a system has a dramatic impact on the work needed to classify a suspicious sample. These samples often contain weird Java, HTML etc. that must be decoded and tested with different software versions to ensure no exploit is being triggered and/or harmful content installed. I'm aware of other AV products that allow you to control the "sample types" you want it to detect, but I believe that categorizing samples beyond what ClamAV offers today is too time consuming.

Best regards,
Diego d'Ambra
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

> Would that include viruses that require action on the part of the
> recipient? Included in password protected zips? What is the difference
> between tricking a person into opening a password protected zip (which
> is not dangerous in its delivered form) and tricking a user into
> clicking a link that takes them to the virus?

To me, there seems to be no difficulty in distinguishing these threats.

Virus: Malicious content exists WITHIN the e-mail message itself, whether as an attachment, a bit of malformed HTML that causes a MUA to bork/run code, a password-protected zip, a malformed JPG, or anything within the message that can be run, interpreted or rendered to perform procedures on the system itself.

Spam: Unsolicited Bulk or Commercial e-mail. This includes any message that contains ill intentions but requires the user to perform an action or run code that resides OUTSIDE of the e-mail message. If a message has a link to phishing or some virus somewhere, it is still only spam.

I agree with Julian that Clam does not seem the logical solution to Spam messages. If a message contains both, of course, Clam should have a sig. I hope the developers choose to proceed with Clam and ignore these spam threats (mostly because I'd rather signature-making time be spent on threats that don't already get caught). However, I'm also starting to whip up my own extraction-without-phishing sigs scripts to fit my environment.

Seth
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

Joe Maimon wrote:
> I'm certainly *very* happy that ClamAV team have added more phishing detections (thanks Trog et al.). Yes, you're correct it's social engineering, but it doesn't stop users clicking on the links and downloading the keylogging trojan from the remote site that the phish email takes them to.
>
> I don't personally think we need a "--no-phishing" option in ClamAV, but someone might ;)

I'd like to add that there are too many users that tend to click or provide information without authenticating that the request is legitimate. Paypal, Ebay, and Credit Card users are open targets. Identity theft and Credit Card fraud can be directly linked to phishing. In fact, other anti virus companies have started detecting this as well. Note: pccillin-HTML_CITIFRAUD.H

Censorship worries me as well, but there has to be a line drawn to protect users from themselves. For users who for whatever reason want the message, they have the ability to login to a webmail client and view the original email. Sending an informational email to users explaining why certain emails are blocked (for their protection) usually is good for brownie points with the end users.

Everybody knows legitimate companies don't "usually" send emails requesting account verification, as it's usually done by mail, phone, or when the user logs into their account. So blocking this can only be seen as a good thing.
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

On Nov 14, 2004, at 9:32 AM, Joe Maimon wrote:
> Steve Basford wrote:
> > > since ClamAV reached v0.80, I am using it to scan and reject e-mail
> > > messages. Today I noticed that ClamAV also detects phishing attacks.
> > > Phishing is pure social engineering and poses no threat whatsoever in
> > > a technical sense.
> >
> > I'm certainly *very* happy that ClamAV team have added more phishing detections (thanks Trog et al.). Yes, you're correct it's social engineering, but it doesn't stop users clicking on the links and downloading the keylogging trojan from the remote site that the phish email takes them to.
> >
> > I don't personally think we need a "--no-phishing" option in ClamAV, but someone might ;)
>
> Perhaps a way to disable certain signatures or patterns of signatures would be better?

Wouldn't this also still encourage spreading or altering Clam's role in what it should and shouldn't detect, and at the same time increase the burden on the developers...? Someone would still have to classify what each signature is and what fits what categories... (granted, the proposal now is just virus vs. phishing, but slippery slope would say it would be only a matter of time before another option is added to further separate them, like new viruses vs. old database viruses so admins could separate them out for statistics or something like that... add more flags to headers for analysis by stats programs or something).

-Bart
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

On Nov 14, 2004, at 9:26 AM, Steve Basford wrote:
> > since ClamAV reached v0.80, I am using it to scan and reject e-mail
> > messages. Today I noticed that ClamAV also detects phishing attacks.
> > Phishing is pure social engineering and poses no threat whatsoever in
> > a technical sense.
>
> I'm certainly *very* happy that ClamAV team have added more phishing detections (thanks Trog et al.). Yes, you're correct it's social engineering, but it doesn't stop users clicking on the links and downloading the keylogging trojan from the remote site that the phish email takes them to.
>
> I don't personally think we need a "--no-phishing" option in ClamAV, but someone might ;)

I think, unless someone can posit some good counter-arguments, I'd like to voice a "Phishing detection" nay as well. It's a slippery slope... we can't protect users from every idiot scheme coming out. And do we (admins) begin to accept responsibility for when these things get through and Johnny User is the victim of fraud because he didn't stop to verify that it wasn't a scheme before clicking around and giving away private information?

Phishing is more of a spam attack than anything else. Let SpamAssassin and Procmail rules stop the phishing if that's what admins want to also take the responsibility for stopping.

There seemed to be almost an underlying hostility towards suggestions in the past that Clam be moved beyond any role other than virus detection on mail servers (indeed, I'd almost think ClamAV isn't really an *antivirus* so much as a *virus detector*... it doesn't by default do anything other than notify of the presence of a virus so other programs can handle it as they will, and it makes no attempt to disinfect), and moving into spam detection territory is definitely a step outside of that realm.

When Clam starts detecting and warning of mails that are just clicktraps for people who should know better, that's more a job from the handbook of SpamAssassin, and I would think the developers have much more to do than try to keep up with signatures for every permutation of Nigerian schemes and "Verify your password with our web5ite" bank scams.

Just my .02.

-Bart
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

Steve Basford wrote:
> > since ClamAV reached v0.80, I am using it to scan and reject e-mail
> > messages. Today I noticed that ClamAV also detects phishing attacks.
> > Phishing is pure social engineering and poses no threat whatsoever in
> > a technical sense.
>
> I'm certainly *very* happy that ClamAV team have added more phishing detections (thanks Trog et al.). Yes, you're correct it's social engineering, but it doesn't stop users clicking on the links and downloading the keylogging trojan from the remote site that the phish email takes them to.
>
> I don't personally think we need a "--no-phishing" option in ClamAV, but someone might ;)

Perhaps a way to disable certain signatures or patterns of signatures would be better?

> Cheers,
> Steve
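Two posts on this page point at the same practical need: the suggestion just above to disable certain signatures or patterns of signatures locally, and Seth's remark earlier in the thread that he is writing his own "extraction-without-phishing sigs" scripts. The following is an added example, not code from this thread or from the ClamAV project: a small Python filter that reads a plain-text ClamAV signature database, writes out a copy with the phishing-named signatures removed, and returns the list of names it dropped. It relies on the three plain-text record layouts ClamAV uses, `Name=HexSig` (.db), `MD5:Size:Name` (.hdb) and `Name:Target:Offset:HexSig` (.ndb). The name pattern (a `Phishing` component such as `HTML.Phishing.Bank-1`) is an assumption about how the project names such signatures, and every signature line in the sample data is constructed for this example rather than copied from a real database.

```python
import re
import sys
from typing import Iterable, List, Pattern, Tuple

# Assumption: phishing signatures carry a "Phishing" component in their name
# (e.g. HTML.Phishing.Bank-1, Email.Phishing.Auction-7). Matched case-insensitively.
PHISHING_NAME: Pattern[str] = re.compile(r"(^|\.)phishing(\.|-|$)", re.IGNORECASE)


def signature_name(line: str, fmt: str) -> str:
    """Return the malware name from one plain-text signature record.

    fmt is the database file extension without the dot:
      db  -> Name=HexSig
      hdb -> MD5:Size:Name
      ndb -> Name:Target:Offset:HexSig
    """
    if fmt == "db":
        return line.split("=", 1)[0]
    if fmt == "hdb":
        return line.split(":")[2]
    if fmt == "ndb":
        return line.split(":", 1)[0]
    raise ValueError(f"unsupported signature format: {fmt}")


def filter_signatures(lines: Iterable[str], fmt: str,
                      pattern: Pattern[str] = PHISHING_NAME) -> Tuple[List[str], List[str]]:
    """Split records into (kept_lines, dropped_names).

    Blank lines and '#' comment lines are passed through unchanged so the
    filtered file keeps the layout of the original.
    """
    kept: List[str] = []
    dropped: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        name = signature_name(line, fmt)
        if pattern.search(name):
            dropped.append(name)
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample records (hex bodies and hashes are illustrative only).
SAMPLE_NDB = """\
# constructed sample, not real ClamAV signatures
Worm.Example.Test-1:0:*:4d5a90000300000004000000ffff0000
HTML.Phishing.Bank-1:3:*:3c666f726d20616374696f6e3d
Trojan.Example.Downloader-2:1:*:e8000000005b81eb
Email.Phishing.Auction-7:4:*:766572696679207961757220616363
"""

SAMPLE_HDB = """\
d41d8cd98f00b204e9800998ecf8427e:0:Phishing.Example.Empty
9e107d9d372bb6826bd81d3542a419d6:43:Worm.Example.Fox
"""


def main(argv: List[str]) -> int:
    """Usage: filter_sigs.py <input.db|.hdb|.ndb> <output> ; dropped names go to stderr."""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    src, dst = argv[1], argv[2]
    fmt = src.rsplit(".", 1)[-1]
    with open(src, encoding="utf-8", errors="replace") as fh:
        kept, dropped = filter_signatures(fh, fmt)
    with open(dst, "w", encoding="utf-8") as out:
        out.write("\n".join(kept) + "\n")
    for name in dropped:
        print(name, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The dropped-name list is deliberately emitted one name per line: that is the shape of the `.ign2` file newer ClamAV releases read from the database directory to ignore named signatures, so the same output can be used either way, by installing the filtered copy or by feeding the names to the scanner's own ignore mechanism. Re-run the filter after every database update, since a manually pruned copy goes stale the moment freshclam fetches a new one.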
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

> since ClamAV reached v0.80, I am using it to scan and reject e-mail
> messages. Today I noticed that ClamAV also detects phishing attacks.
> Phishing is pure social engineering and poses no threat whatsoever in
> a technical sense.

I'm certainly *very* happy that ClamAV team have added more phishing detections (thanks Trog et al.). Yes, you're correct it's social engineering, but it doesn't stop users clicking on the links and downloading the keylogging trojan from the remote site that the phish email takes them to.

I don't personally think we need a "--no-phishing" option in ClamAV, but someone might ;)

Cheers,
Steve