Anti-virus Control means blocking before scanning

Published: 2007-12-02
Last Updated: 2007-12-02 10:04:17 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

Everyone deploys anti virus, and sometimes without spending sufficient thought as to how it should be intelligently deployed. In essence, anti virus products have very different features: some products are relatively more of a ‘blocklisting’ technology than others. It’s important for us to ensure AV only needs to work in those cases where we know it is most effective.

As a quick example, here is the Virustotal output for a recent malicious RAR file that was brought to my attention. RAR files are archives, similar to ZIP but with a higher compression grade:

AhnLab-V3 2007.11.24.0 2007.11.23 -
AntiVir 2007.11.25 -
Authentium 4.93.8 2007.11.24 -
Avast 4.7.1074.0 2007.11.25 -
AVG 2007.11.25 -
BitDefender 7.2 2007.11.25 -
CAT-QuickHeal 9.00 2007.11.24 -
ClamAV 0.91.2 2007.11.25 -
DrWeb 2007.11.25 -
eSafe 2007.11.21 -
eTrust-Vet 31.3.5324 2007.11.24 -
Ewido 4.0 2007.11.25 -
FileAdvisor 1 2007.11.25 -
Fortinet 2007.11.25 -
F-Prot 2007.11.25 -
F-Secure 6.70.13030.0 2007.11.25 Exploit.Win32.WinRar.g
Ikarus T3.1.1.12 2007.11.25 Exploit.Win32.WinRar.g
Kaspersky 2007.11.25 Exploit.Win32.WinRar.g

McAfee 5170 2007.11.23 -
Microsoft 1.3007 2007.11.25 -
NOD32v2 2684 2007.11.25 -
Norman 5.80.02 2007.11.23 -
Panda 2007.11.25 -
Prevx1 V2 2007.11.25 -
Rising 2007.11.25 -
Sophos 4.23.0 2007.11.25 -
Sunbelt 2.2.907.0 2007.11.24 -
Symantec 10 2007.11.25 -
TheHacker 2007.11.24 -
VBA32 2007.11.23 -
VirusBuster 4.3.26:9 2007.11.25 -
Webwasher-Gateway 6.0.1 2007.11.25 –

The vulnerability being exploited dated from 2005, but it appears most solutions did not have effective detection for it. This makes sense: security bugs have been found in several hundreds, if not more applications, and it would be very difficult for AV vendors to build in effective file format parsers for each of the affected file formats.

There’s also a good reason for them not to write such parsers: when implementing them for sometimes not too well described file formats, it’s easy to make security bugs in your own parsing code. This has been illustrated by several researchers, such as Thierry Zoller and Sergio Alvarez of n.Runs. They found several bugs in the parsing code, often leading to remote code execution for an attacker. Depending on where you scan, this could be your mail gateway or desktop.

The point of this diary is to illustrate the basis of the deployment of any gateway anti virus control should be that you enforce which file types are passed along to the internal clients. Does your organization actually need .RAR files to function?

Building a list of what type of file types you want to support organizationally, understanding each of them poses additional risk, should be the beginning of any implementation. The anti virus should then be configured accordingly to just drop anything that does not match this policy statement.

Maarten Van Horenbeeck

0 comment(s)


Diary Archives