better techniques to identify and remove zero-day viruses from cyrus store sought
Jorey Bump
list at joreybump.com
Wed Aug 22 08:23:19 EDT 2007
John Crawford wrote:
> Sieve is during delivery to the cyrus store though.
> As we have the capability to identify hazards to our
> users, I'd like to be able to exercise central
> strategies improve their quality of life. So I seek
> tools to leverage after detection to aid with
> removal or remediation.
>
> Maybe would be nice to have a just-in-time scan interface
> at the cyrus message level just as a message is being
> accessed. CPU processing is getting cheaper all the time.
Hmm, this is an interesting problem. At one extreme, you're changing the
mailstore or connection while the user is logged in, which could
result in some confusion (and possibly trigger some client software
issues). At the other extreme, you may have an account that hasn't been
checked for weeks, so it's fine to remove malicious messages that have
accumulated due to lack of detection before delivery. You also have to
be careful not to remove messages that have been forwarded to your
support address, as they will contain strings that may trigger detection.
To handle all cases safely, you'd probably want to script using
Cyrus::IMAP::Shell, so all changes are performed via IMAP. You can do
this safely with Cyrus because it supports concurrent R/W access.
Instead of deleting these messages, you'll want to put them in a
quarantine account so you can restore them in the case of false positives.
I'm still not sure I'd be comfortable doing this beneath the nose of a
logged in user. I'd also hesitate to touch anything outside the INBOX
(and any quarantine folders you provide), since it can be assumed that
the message was moved due to user action. I'd probably test this for a
long time only on accounts that aren't being checked regularly (this
also has the benefit of reducing the size of abandoned accounts).
Have you found that the risks justify this effort? Are your ClamAV scans
of the mailstore turning up anything? Are they serious threats?
More information about the Info-cyrus
mailing list