Internet.com ISP-Planet
When Viruses Happen
Inoculate Your Network: AVStripper (Part II)

Last week, we put AVStripper to the test with a trial run through installation and setup. We explained how we got the system up and running, and reviewed some of its virus scanning options. This week, we wrap up our lab work and give you the bottom line on our overall experience with AVStripper.

by Lisa Phifer
Vice President of Core Competence, Inc.
[August 16, 2002]

After scanning over 39,000 incoming e-mails, our AVStripper had reported 10 infected mail attachments. All but one of these e-mails appeared benign to our desktop antivirus solution. One desktop running ZoneAlarm and Symantec's Norton Anti-Virus detected WORM_GOP in an attachment that AVStripper had "deleted." How could that be?

AVStripper does not actually delete the infected file—it "strips" about 10 kilobytes from the file to prevent the virus from expanding or executing, injecting text to indicate that AVStripper modified the file. With WORM_GOP, stripping rendered this virus impotent, but left behind enough of its signature to trigger our desktop antivirus system. During lab tests, we saw this again with McAfee desktop antivirus and Klez. These infrequent events illustrate one drawback of the two-tier approach—occasional confusion when using multiple independent products. In our view, the added protection of two tiers far outweighs this drawback—especially in the early hours of a new virus outbreak.

AVStripper scans both incoming and outgoing traffic. When a virus is detected in e-mail, the infected attachment is stripped and the message is modified to tell the recipient what happened:

Date: Thu, 18 Apr 2002 09:35:56 -0400 (EDT)
From: pita <pita@someu.edu>
Subject: A WinXP patch

Hello,This is a WinXP patch I hope you would enjoy it.
**********************************************************
**********************************************************
WARNING: AVStripper has detected a virus in a file attached to this e-mail message!

The infected attachment has been automatically removed to protect your network.

It is recommended that you contact the sender and notify them of the problem so that they can clean the file and re-send it to you without the virus.

Infected file: Xpab.zl9
Virus information: WORM_KLEZ.G

Virus detected by: AVStripper—http://www.Ositis.com/

According to Ositis, the text included in this notification e-mail is now configurable. An option has also been added to mail a notification to the virus sender, although this option should be used with care because it could exacerbate mail floods caused by worms like Klez. Also, when waiting to receive very long attachments, AVStripper adds text to the delivered mail header to keep the mail client connection active:

X-AntivirusDelay: This is a dummy header added to this message to prevent your mail client from timing out while AVStripper downloads and scans the message for viruses.
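An administrator reconciling desktop antivirus reports with what AVStripper did to delivered mail can recover that information from the delivered messages themselves: the injected notification text identifies the stripped file and virus name, and the X-AntivirusDelay header marks messages that were held for a long scan. The following script is an added example, not Ositis code or anything from the review; it parses constructed sample messages in the format quoted above and tallies stripped attachments per virus name, which gives a count that survives the counter resets discussed later in the article.

```python
import email
import re

# Constructed samples in the notification format quoted above (one stripped
# Klez attachment, one long-attachment dummy header); not captured traffic.
SAMPLES = [
"""Date: Thu, 18 Apr 2002 09:35:56 -0400 (EDT)
From: pita <pita@someu.edu>
Subject: A WinXP patch

Hello,This is a WinXP patch I hope you would enjoy it.
WARNING: AVStripper has detected a virus in a file attached to this e-mail message!

Infected file: Xpab.zl9
Virus information: WORM_KLEZ.G
""",
"""Date: Fri, 19 Apr 2002 11:02:10 -0400 (EDT)
From: alice <alice@example.org>
Subject: quarterly report
X-AntivirusDelay: This is a dummy header added to this message to prevent your mail client from timing out while AVStripper downloads and scans the message for viruses.

Report attached.
""",
]

WARNING = "WARNING: AVStripper has detected a virus"
INFECTED_RE = re.compile(r"^Infected file:\s*(\S+)", re.M)
VIRUS_RE = re.compile(r"^Virus information:\s*(\S+)", re.M)


def classify(raw):
    """Describe what AVStripper did to one delivered message."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    infected = INFECTED_RE.search(body)
    virus = VIRUS_RE.search(body)
    return {
        "from": msg["From"],
        "stripped": WARNING in body,           # notification text was injected
        "infected_file": infected.group(1) if infected else None,
        "virus": virus.group(1) if virus else None,
        "delayed": "X-AntivirusDelay" in msg,  # keep-alive header was added
    }


def summarize(raws):
    """Tally stripped attachments per virus name across a saved mailbox."""
    counts = {}
    for info in map(classify, raws):
        if info["stripped"] and info["virus"]:
            counts[info["virus"]] = counts.get(info["virus"], 0) + 1
    return counts
```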

When AVStripper detects a virus carried by FTP, outgoing files are stripped (similar to mail attachments) and incoming transfers are aborted at the point of detection. This behavior is illustrated (below), where putting an infected file (91703 bytes) results in a shorter file at the destination (90679 bytes), while getting the same infected file simply fails mid-session.

[Figure: AVStripper FTP Detection]

Viruses detected in HTTP generated more diverse results. In an isolated test lab, we intentionally accessed over a dozen web pages known to be infected with live viruses, worms, and trojans. Half of these pages loaded text stating that AVStripper blocked a virus (see the EICAR example). The other half downloaded referenced files without a visible warning to the browser. However, the saved files had all been corrupted by stripping and inserting text. One worm file, I-Worm.Sircam.c, could not be opened with a text editor and was subsequently detected by desktop antivirus scanners and PestPatrol. Inspection with a binary editor confirmed that AVStripper had indeed corrupted this file.

Our goal was not to exhaustively test the antivirus protection offered by AVStripper—Trend Micro antivirus software has been thoroughly tested by certification labs like ICSA. Instead, we hoped to assess the visibility and impact of AVStripper on the end user. Individual desktop antivirus products force end users to interact with scan engines, making decisions about whether to try to repair, quarantine, or delete infected files. Network antivirus systems are much less obtrusive—but this can also mean less flexibility. Stripping is the only proactive action supported right now by AVStripper, but Ositis is considering adding a quarantine option.

Keeping Admin Informed
In addition to home page statistics, AVStripper supports e-mail alerts and log files to keep the network administrator informed about problems, viruses, and user activity.

[Figure: AVStripper Alerts]

Clear-text mail alerts can be sent to the administrator whenever a virus is stripped, a file passes through without scanning, a protocol error occurs, or a virus update fails. Virus alerts identify the virus, client IP, carrier protocol, infected file disposition, and the FTP or HTTP URL or enough of the mail header to analyze the return path (right). To generate alerts, AVStripper must be configured with a single admin e-mail address and SMTP server. An SMTP-Auth password and the four alert categories are also configurable.

For an unknown reason, alerts were silently dropped by one SMTP server we tried, while gladly accepted by another. When last we checked, Ositis was making some changes to alert message header formats to circumvent this kind of problem. Alerts were delivered reliably when sent through the second SMTP server, but e-mail can never really be counted on—it is a best-effort delivery system. Which brings us to logging…

[Figure: AVStripper Log Files]

The AVStripper maintains three kinds of log files. The boot log tracks exceptional events like failing over from a damaged partition. The alert log does not actually track the alerts mailed to the administrator. Instead, it records alerts that could NOT be sent (left). The example log shows a virus alert for ANDREEW that could not be sent because the SMTP server returned an error. Combining logged alerts with the alerts received by e-mail yields a high percentage of the actual alerts generated by AVStripper. However, it is important to realize that some e-mail alerts may also be lost in transit.

This log also includes the error Antivirus::UnzipFile failed. ExitCode= 50. One afternoon, our AVStripper went AWOL after the antivirus engine and pattern file were updated simultaneously. Although our network remained on-line, the antivirus scanner went off-line while the AVStripper repeatedly sent us alerts. A reboot resolved the problem, which Ositis diagnosed as a timing bug that has since been corrected. (Furthermore, AVStripper now tests pattern updates before engaging them, dropping back to the old pattern file if there is a problem.) Although we were happy that this antivirus failure did not disconnect our network, we were also happy that our network still had desktop antivirus solutions running during the two hours it took us to notice the problem and consult with tech support. This underscores why a tiered antivirus system is a good idea. Problems happen; be prepared.

The third kind of file logged by the AVStripper is an optional daily access log that records client activity, using a format that is not quite the WebTrends Log File Format (WELF). According to James, Ositis is working towards WELF compatibility, but needs additional fields to record the extra information required to create virus activity reports. In the unit we tested, daily log files could be manually downloaded or deleted. According to James, it is now also possible to send logs to a remote syslog server—a welcome addition.

We were satisfied with the information the AVStripper provided the admin, with one exception: Statistics. Home page stats are great—but would be even better if the counters were persistent. According to support, counters are reset whenever you reconfigure AVStripper, reload drivers, request a soft reboot, or a new scan engine or pattern file gets loaded. Since pattern files are checked every few hours, the home page stats are rather short-lived. Antivirus update notices were recently added to the home page, providing more context for interpreting these counters.

Inoculate Your Network

AVStripper (Part I)
 • Installation and Setup
 • Up and Running
 • Virus scanning options

When Viruses Happen (Part II)
 • Keeping Admin Informed
 • Performance Considerations
 • Pricing and Support
 • The Bottom Line
