Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: virus checking
From: Pavel Galynin <pgalynin @ chipnet . cz>
Date: Thu, 27 Feb 1997 07:21:13 +0100
To: lance @ pfi . com
Cc: firewalls @ GreatCircle . COM
References: <3315818D . 477B @ pfi . com>

Lance and Christine wrote:

I am new to firewalls, but I am not new to viruses at all (best AV 
product in Russia, but it was never released, only beta-tested).

It seems that SMTP packets are not enough at all. How many users get 
software mailed to them? How many users just download it? I would guess 
the ratio is 20:1. Of course, if you restricted ftp and http, they would 
use mail, but I assume you didn't, because then there would be no need 
for such a firewall.

Even if you decided to use it, it would either be worthless or give you 
a lot of overhead. Polymorphic viruses are the most dangerous ones, and 
only heuristic modes can detect them. Heuristic analysis takes a lot of 
CPU time, gives a lot of false alarms and is thus inappropriate for a 
firewall. If you disabled heuristics, you would render this tool 
useless, since polymorphic viruses reign over the bacteria world now. (NB: 
a polymorphic virus is a virus that encrypts itself, adds a decryptor 
routine and varies that routine greatly. One of the best-known 
polymorphics has 4 billion possible decryption routines.) Now you see 
why detecting them takes so much CPU "horsepower". They are detected by 
scanning for strings known to be in each variant of a virus, but 
polymorphics have more than 4 billion possible variants of code. 
I intentionally simplified it, but you may request further info.

I think that if you really wanted to protect yourself against viruses, 
you'd have to educate your users. If you still insist on using that 
package, you should forward all SMTP packages to a different box to 
avoid huge overhead.

						Paul. 
> 
> I was handed a product announcement yesterday about a Symantec tool
> which does virus checking on SMTP packets on the firewall.  I didn't
> look very closely at it, but it raised a couple of points on which I
> would like some feedback.
> 
> First, is the firewall the right place to do this kind of checking?  On
> a fairly skinny host (in my case, a Sparc 2 running FireWall-1),
> wouldn't the overhead of virus checking impact the flow of packets?  And
> finally, is SMTP checking enough?  It seems inadequate.  Thanks for any
> feedback.
> 
> lance
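The polymorphism argument in Paul's reply (a body encrypted under a varying decryptor stub, so no fixed byte string survives across variants) can be modelled in a few dozen lines. The following is an added toy example written for this archive page, not code from the original thread or from any real scanner or virus: the "payload", the one-byte instruction set, the stub layout (a count byte followed by op/param pairs) and every function name are constructed assumptions. It contrasts a string-signature scanner, which costs one substring search and finds nothing in the encrypted variants, with a scanner that emulates the decryptor stub to recover the body, which is the kind of per-byte, per-instruction work the reply calls too expensive for a firewall.

```python
import random

# Constructed toy payload and the fixed byte string a signature scanner looks for
# (assumption for this example; not a real virus body or a real signature).
PAYLOAD = b"TOY VIRUS BODY: infect(), spread() -- marker TOYVIRUS42"
SIGNATURE = b"TOYVIRUS42"

# Toy one-byte "instruction set" for the decryptor stub (assumed, not a real ISA).
OP_NOP, OP_XOR, OP_ADD, OP_ROL = 0, 1, 2, 3


def _apply(op, k, b, inverse=False):
    """Apply one reversible byte operation (or its inverse) to the byte b."""
    if op == OP_XOR:
        return b ^ k                      # XOR is its own inverse
    if op == OP_ADD:
        return (b - k) & 0xFF if inverse else (b + k) & 0xFF
    if op == OP_ROL:
        n = k % 8
        if inverse:                       # rotate right == rotate left by 8-n
            n = (8 - n) % 8
        return ((b << n) | (b >> (8 - n))) & 0xFF
    return b                              # OP_NOP: junk instruction, no effect


def transform(ops, data, inverse=False):
    """Run the op list over every byte; the inverse runs the inverses in reverse order."""
    seq = list(reversed(ops)) if inverse else list(ops)
    out = bytearray(data)
    for op, k in seq:
        out = bytearray(_apply(op, k, b, inverse) for b in out)
    return bytes(out)


def make_sample(rng):
    """Toy polymorphic engine: random reversible ops with random parameters,
    junk NOPs interleaved, then the payload encrypted under those ops.
    Sample layout: [stub length][op, param]... [encrypted body]."""
    while True:
        ops = []
        for _ in range(rng.randint(1, 3)):
            op = rng.choice([OP_XOR, OP_ADD, OP_ROL])
            k = rng.randint(1, 7) if op == OP_ROL else rng.randint(1, 255)
            ops.append((op, k))
        stub = []
        for op_k in ops:
            if rng.random() < 0.5:        # junk so even equal op lists differ
                stub.append((OP_NOP, rng.randint(0, 255)))
            stub.append(op_k)
        body = transform(ops, PAYLOAD)    # NOPs change nothing, so ops suffice
        # Reject the rare degenerate stub whose ops cancel out and leave the
        # signature visible; a real engine would do the same.
        if body != PAYLOAD and SIGNATURE not in body:
            break
    decryptor = bytes([len(stub)]) + b"".join(bytes([op, k]) for op, k in stub)
    return decryptor + body


def parse_sample(sample):
    """Split a sample into its decryptor stub (list of (op, param)) and encrypted body."""
    n = sample[0]
    stub = [(sample[1 + 2 * i], sample[2 + 2 * i]) for i in range(n)]
    return stub, sample[1 + 2 * n:]


def signature_scan(sample):
    """Cheap scanner: one substring search, no emulation."""
    return SIGNATURE in sample


def emulate_and_scan(sample):
    """Expensive scanner: execute the stub's inverse over the whole body, then search."""
    stub, body = parse_sample(sample)
    return SIGNATURE in transform(stub, body, inverse=True)


def experiment(n_samples, seed=0):
    """Generate variants and count what each scanner catches and how many
    distinct decryptor stubs appeared (a stub signature would fail as well)."""
    rng = random.Random(seed)
    samples = [make_sample(rng) for _ in range(n_samples)]
    return {
        "signature_hits": sum(signature_scan(s) for s in samples),
        "emulation_hits": sum(emulate_and_scan(s) for s in samples),
        "distinct_decryptors": len({s[:1 + 2 * s[0]] for s in samples}),
    }


if __name__ == "__main__":
    print(experiment(100))
```

With three reversible ops, 255 parameter values each and random junk, the stub space is already large enough that no fixed string identifies either the body or the decryptor; the only thing that catches every variant is running the stub, and that work scales with body length times instruction count for every message inspected, which is the overhead the reply recommends moving off the firewall host.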

