Virus Stubs, Domino and Trend SMD3

For the purposes of illustration, I will use Trend Micro ScanMail for Domino version 3 here, but other scanners should be configured in similar ways.


What does your virus scanner do when it encounters a known virus? What about an unknown virus? That second one is not straightforward, but both can be managed effectively.

I only ask these questions at all because there is only one thing a well behaved mail server AV scanner should do and that is silently delete both the virus and the email message being used to convey it. Sadly, we frequently see evidence that administrators of external systems have installed their virus scan in one or more of the following broken ways:

  • Viral payload is removed, but message stub (the email sans the viral payload) is delivered. Among the usual consequences are a) backscatter out of office messages and b) calls to the help desk (this email says I have visited illegal websites - what should I do?).
  • Viral payload is removed but a backscatter bounce report is sent to the purported sender - " you sent a virus!" (free clue: no he/she did NOT).
  • Viral payload is not removed and a backscatter bounce bearing live malware is sent.
  • &c. &c.

So, using SMD3, how should you deal with

Known Viruses

Most AV scanners offer a plethora of choices of action depending on what type of malware they think they found and what type of action they think you might want to take. This latter choice often includes all the things I have already mentioned that polite people should never do, however - I digress.

Trend SMD is no exception and offers to take different actions based on whether it finds a mass mailing virus, a joke program, a trojan/worm, adware, spyware, a dialer, a hacking tool, a remote access tool or a password cracking application.

Choices include clean, pass, quarantine, delete and block.

If your AV is not SMD, you should take the time to ascertain what your options are and more importantly what they actually do. The Trend actions behave as follows:

  • Clean - not usually possible but can work where malware is for example an Excel macro virus
  • Pass - does nothing - never a good idea where we are dealing with malware
  • Quarantine - saves a copy of the entire message including viral payload in the quarantine log and delivers the message stub!
  • Delete - deletes the viral payload and delivers the message stub!
  • Block - silently deletes the entire message - does not send any back or forward scatter

Where we are dealing with known malware, the only safe choice here is that last one. Here's how it looks in our config.

SMD3 virus config

Unknown Viruses

What do I mean by unknown malware? I mean malware that is not yet detected by AV because the AV vendors have not yet analysed samples and published signatures. It is nonetheless malware and you would ideally like to deal with it in a very similar way to known malware - silently delete from the mail queue, sending no forward or backscatter. Just blocking all executables may be too blunt an instrument, however.

Here, Trend SMD does not make it easy for you. Whether you use an attachment filter or a content filter that looks at the filenames of attachments, the only actions available to you are:

  • Pass - if you think it might be malware, you probably don't want to do this
  • Quarantine - saves a copy of the entire message including potentially viral payload in the quarantine log and delivers the message stub
  • Delete attachment - deletes the attachment (which in this case may possibly not be a virus) and delivers the message stub
  • Block - silently deletes the entire message (which in this case may possibly not be a virus) - does not send any back or forward scatter
  • Redirect for approval

None of those options looks great as they mostly either deliver the suspected malware intact, risk deleting suspected malware which proves to be benign and/or cause the delivery of virus free stub messages with the consequent increase in calls to the help desk.

In fact the only one which works here is the redirect option though there are some wrinkles you need to understand:

  • The recipient(s) of the "redirect for approval" messages will see the viral messages in their native state - you need to be sure that these people are competent to discern the difference between new malware which the AV signatures don't recognise and non-malware.
  • In those cases where redirected messages are viral, you must never click on either of the Trend action buttons, Approve or Reject. The former will deliver live malware to your user and you were trying to avoid this. The latter will generate a backscatter bounce.
  • Because viral messages are never cleared from the approval database, it will grow without limit unless you put in place a housekeeping regime to purge it (see below).
  • Because approval works using mail-in and because of the way this is implemented in SMD3 (very poorly), the user approving a message must have his/her home server set to be the same as the server which redirected the message to be approved in the first place. That is, if you run more than one inbound server, the administrator who decides to approve a redirected message needs to edit his/her location and set the home/mail server to be the server which redirected the message to be approved before clicking the Approve button.

Here's how it looks in our Trend config.

SMD3 suspected virus config

Note that the option to check inside compressed files is turned on. This adds some server overhead, but many recent viruses hide inside zips so it is worth doing. This will also spot unwanted attachments in rar archives and in C.DAT!

In action, when a new and undetected malware email hits the system Trend SMD will, for example, see a .pif file inside a zip archive and redirect for approval. Your (very well trained, talented, athletic &c. &c.) operator will recognise and ignore it. No user is ever aware that anything happened. When a suspect file hits the system and it is clearly benign your operator will recognise that too, switch his/her home server to be the server that redirected the mail, open the redirected message and click Approve. In use, this latter outcome is very rare.
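To make the policy above concrete, here is an added illustration (not part of the original post, and not Trend's code) of the decision logic it describes: a known virus is blocked outright, a message carrying a suspect attachment such as a .pif inside a zip is redirected for approval, and everything else is delivered. The suspect-extension list beyond .pif, the depth and size limits, and the sample message are constructed assumptions.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions the attachment filter treats as suspect. ".pif" is the post's
# example; the others are constructed additions for illustration.
SUSPECT_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat")
MAX_DEPTH = 3            # nested-archive limit so a zip-in-zip chain cannot recurse forever
MAX_MEMBER = 5_000_000   # do not inflate members larger than this (decompression-bomb guard)

def suspect_names(filename, data, depth=0):
    """Return names of suspect files: the attachment itself or members of a zip it contains."""
    hits = []
    if filename.lower().endswith(SUSPECT_EXTENSIONS):
        hits.append(filename)
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Oversized members are not decompressed; their names are still checked.
                inner = zf.read(info) if info.file_size <= MAX_MEMBER else b""
                hits += [f"{filename}/{n}" for n in suspect_names(info.filename, inner, depth + 1)]
    return hits

def decide(msg, known_virus):
    """Apply the post's policy: known malware -> Block; suspect attachment -> Redirect; else deliver."""
    if known_virus:              # the signature scanner's verdict, passed in as a flag here
        return "BLOCK"           # whole message dropped: no stub, no back or forward scatter
    hits = []
    for part in msg.iter_attachments():
        hits += suspect_names(part.get_filename() or "", part.get_payload(decode=True) or b"")
    return "REDIRECT_FOR_APPROVAL" if hits else "DELIVER"

def sample_message(member_name):
    """Constructed test mail: a text body plus one zip attachment holding `member_name`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes")   # harmless filler, not a real program
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", "docs"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg

if __name__ == "__main__":
    print(decide(sample_message("invoice.pif"), known_virus=False))   # REDIRECT_FOR_APPROVAL
    print(decide(sample_message("invoice.txt"), known_virus=False))   # DELIVER
```

In a real deployment the `known_virus` flag comes from the signature engine; the point of the split is that a redirected message reaches only a trained operator, never the end user and never a bounce.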

Housekeeping

To prevent the ScanMail approve database growing without limit, enable server based archiving on it. Set archive settings to delete documents older than 30 (or your preferred interval) days. Remember to create a scheduled program to run compact -a on the SMD approve database regularly.

Category: Viruses and Worms

Comments :

1. Van, 01/12/2005 16:40:26
Homepage: http://www.thedigest.com/van/

I can't speak for the options in Domino, but in Postfix I REJECT viruses at the envelope. There is no reason why I should have to accept delivery of the entire virus and then delete it. Let the server sending it choke on the thing.

2. Chris Linfoot, 01/12/2005 20:36:16

Unfortunately there is no AV scanner that hooks into Domino at the right level to enable an envelope level rejection, which I agree is preferable. So in Domino current best practice with known malware is to accept and silently delete.