better techniques to identify and remove zero-day viruses from cyrus store sought

John Crawford jmc-cyrus at sociology.osu.edu
Thu Aug 23 23:40:26 EDT 2007


Jorey Bump wrote, On 8/22/2007 8:23 AM:
> John Crawford wrote:
> 
>> Sieve is during delivery to the cyrus store though.
>> As we have the capability to identify hazards to our
>> users, I'd like to be able to exercise central
>> strategies to improve their quality of life. So I seek
>> tools to leverage after detection to aid with
>> removal or remediation.
>>
>> Maybe it would be nice to have a just-in-time scan interface
>> at the cyrus message level just as a message is being
>> accessed. CPU processing is getting cheaper all the time.
> 
> Hmm, this is an interesting problem. At one extreme, you're changing the 
> mailstore or connection while the user is logged in, which could 
> result in some confusion (and possibly trigger some client software 
> issues). At the other extreme, you may have an account that hasn't been 
> checked for weeks, so it's fine to remove malicious messages that have 
> accumulated due to lack of detection before delivery. You also have to 
> be careful not to remove messages that have been forwarded to your 
> support address, as they will contain strings that may trigger detection.
> 
> To handle all cases safely, you'd probably want to script using 
> Cyrus::IMAP::Shell, so all changes are performed via IMAP. You can do 
> this safely with Cyrus because it supports concurrent R/W access. 
> Instead of deleting these messages, you'll want to put them in a 
> quarantine account so you can restore them in the case of false positives.

I don't see that it's possible to read any particular message, or
to iterate and evaluate the content of messages with Cyrus::IMAP::Shell.
Am I missing something?

> 
> I'm still not sure I'd be comfortable doing this beneath the nose of a 
> logged in user. I'd also hesitate to touch anything outside the INBOX 
> (and any quarantine folders you provide), since it can be assumed that 
> the message was moved due to user action. I'd probably test this for a 
> long time only on accounts that aren't being checked regularly (this 
> also has the benefit of reducing the size of abandoned accounts).
> 
> Have you found that the risks justify this effort? Are your ClamAV scans 
> of the mailstore turning up anything? Are they serious threats?

Yes, I get very good results: content I would like to safely
hide away. I use standard clamav with the usual clamav signatures.
I've not experienced problems from any false positives. I'll
have a signature update, and it will find messages received 50 minutes
earlier - ones my users don't need to be exposed to.

thanks,
John
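The approach sketched in this thread (scan after delivery, act only on INBOX, skip mail forwarded to the support address, prefer accounts that have not been checked recently, and quarantine rather than delete so false positives can be restored) as an added example written for this page; it is not code from the thread, from Cyrus or from ClamAV. It uses plain IMAP through Python's imaplib instead of Cyrus::IMAP::Shell, talks to clamd over its INSTREAM socket protocol, and assumes a quarantine folder named "Quarantine", a clamd socket at /var/run/clamav/clamd.ctl, and that the session is authenticated as the mailbox owner (or through admin proxy authentication, which is not shown); the support address list and the last-login timestamp are supplied by the caller.

```python
# Added example (not from the thread): a post-delivery quarantine pass over one
# Cyrus account via plain IMAP, following the constraints discussed above.
# The scanner talks to clamd's INSTREAM interface; everything else is policy.
# Folder name "Quarantine", the clamd socket path, the support address list
# and the last-login source are assumptions for illustration.
import email
import imaplib
import socket
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import getaddresses


@dataclass
class ScannedMessage:
    uid: int
    folder: str       # IMAP folder the message was found in
    to_header: str    # raw To: header value
    infected: bool    # verdict from the scanner


def clamd_infected(raw: bytes, sock_path="/var/run/clamav/clamd.ctl") -> bool:
    """Stream one raw message to clamd (INSTREAM protocol); True on a hit."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(raw), 65536):
            chunk = raw[i:i + 65536]
            s.sendall(struct.pack(">L", len(chunk)) + chunk)
        s.sendall(struct.pack(">L", 0))      # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):     # reply is NUL-terminated
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return reply.rstrip(b"\0").endswith(b"FOUND")


def plan_actions(messages, support_addrs, last_login, now, quiet_days=7):
    """Decide per message: ("quarantine" | "skip") with a reason.

    Only touches INBOX (anything else was moved by the user), never touches
    mail addressed to the support mailbox (samples forwarded by users), and
    leaves accounts alone that were accessed within quiet_days.
    """
    support = {a.lower() for a in support_addrs}
    if now - last_login < timedelta(days=quiet_days):
        return [(m.uid, "skip", "account accessed recently") for m in messages]
    plan = []
    for m in messages:
        if not m.infected:
            plan.append((m.uid, "skip", "clean"))
        elif m.folder.upper() != "INBOX":
            plan.append((m.uid, "skip", "outside INBOX (user-moved)"))
        elif {a.lower() for _, a in getaddresses([m.to_header])} & support:
            plan.append((m.uid, "skip", "forwarded to support address"))
        else:
            plan.append((m.uid, "quarantine", "scanner hit in INBOX"))
    return plan


def quarantine_uid(imap, uid, quarantine_folder="Quarantine"):
    """Move one message out of the selected folder: copy first, delete only
    after the copy succeeded, so a failure never loses the message."""
    typ, _ = imap.uid("COPY", str(uid), quarantine_folder)
    if typ != "OK":
        raise RuntimeError(f"COPY of UID {uid} to {quarantine_folder} failed")
    imap.uid("STORE", str(uid), "+FLAGS", r"(\Deleted)")
    imap.expunge()


def process_inbox(imap, support_addrs, last_login, now, scanner=clamd_infected,
                  quarantine_folder="Quarantine"):
    """Scan every message in INBOX and carry out the planned quarantines."""
    imap.select("INBOX")
    typ, data = imap.uid("SEARCH", None, "ALL")
    uids = data[0].split() if typ == "OK" and data and data[0] else []
    found = []
    for uid in uids:
        # BODY.PEEK[] leaves the \Seen flag untouched, so the user's client
        # sees no change in read state.
        typ, fetched = imap.uid("FETCH", uid, "(BODY.PEEK[])")
        if typ != "OK" or not fetched or not isinstance(fetched[0], tuple):
            continue
        raw = fetched[0][1]
        to_hdr = email.message_from_bytes(raw).get("To", "")
        found.append(ScannedMessage(int(uid), "INBOX", to_hdr, scanner(raw)))
    plan = plan_actions(found, support_addrs, last_login, now)
    for uid, action, _reason in plan:
        if action == "quarantine":
            quarantine_uid(imap, uid, quarantine_folder)
    return plan


if __name__ == "__main__":
    # Usage sketch; host, credentials and the last-login value are placeholders.
    conn = imaplib.IMAP4("imap.example.org")
    conn.login("someuser", "PLACEHOLDER_PASSWORD")
    try:
        for entry in process_inbox(conn, ["help@example.org"],
                                   datetime(2007, 7, 1), datetime.now()):
            print(entry)
    finally:
        conn.logout()
```

The copy-then-expunge order in quarantine_uid is what makes the "restore on false positive" promise hold: the message exists in the quarantine folder before it is flagged \Deleted in INBOX. Running this only against accounts whose last login is older than quiet_days keeps it away from sessions where a client could be confused by mail disappearing underneath it.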
