better techniques to identify and remove zero-day viruses from cyrus store sought
jmc-cyrus at sociology.osu.edu
Thu Aug 23 23:40:26 EDT 2007
Jorey Bump wrote, On 8/22/2007 8:23 AM:
> John Crawford wrote:
>> Sieve is during delivery to the cyrus store though.
>> As we have the capability to identify hazards to our
>> users, I'd like to be able to exercise central
>> strategies to improve their quality of life. So I seek
>> tools to leverage after detection to aid with
>> removal or remediation.
>> Maybe it would be nice to have a just-in-time scan interface
>> at the cyrus message level just as a message is being
>> accessed. CPU processing is getting cheaper all the time.
> Hmm, this is an interesting problem. At one extreme, you're changing the
> mailstore or connection while the user is logged in, which could
> result in some confusion (and possibly trigger some client software
> issues). At the other extreme, you may have an account that hasn't been
> checked for weeks, so it's fine to remove malicious messages that have
> accumulated due to lack of detection before delivery. You also have to
> be careful not to remove messages that have been forwarded to your
> support address, as they will contain strings that may trigger detection.
> To handle all cases safely, you'd probably want to script using
> Cyrus::IMAP::Shell, so all changes are performed via IMAP. You can do
> this safely with Cyrus because it supports concurrent R/W access.
> Instead of deleting these messages, you'll want to put them in a
> quarantine account so you can restore them in the case of false positives.
I don't see that it's possible to read any particular message, or
to iterate and evaluate content of messages with Cyrus::IMAP::Shell.
Am I missing something?
> I'm still not sure I'd be comfortable doing this beneath the nose of a
> logged in user. I'd also hesitate to touch anything outside the INBOX
> (and any quarantine folders you provide), since it can be assumed that
> the message was moved due to user action. I'd probably test this for a
> long time only on accounts that aren't being checked regularly (this
> also has the benefit of reducing the size of abandoned accounts).
> Have you found that the risks justify this effort? Are your ClamAV scans
> of the mailstore turning up anything? Are they serious threats?
Yes, I get very good results on content I would like to safely
hide away. I use standard clamav with the usual clamav signatures.
I've not experienced problems from any false positives. I'll
have a signature update, and it will find messages received 50 minutes
earlier - ones my users don't need to be exposed to.
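As an added illustration of the quarantine approach discussed in this thread (not code from either poster, and in Python over plain IMAP commands rather than the Perl Cyrus::IMAP::Shell Jorey mentions): a sweep that scans INBOX only, skips mail addressed to the support address, and copies hits to a quarantine folder before flagging them deleted, so a false positive can be restored. It assumes an imaplib.IMAP4-style connection, a scanner callable returning a signature name or None (for instance a wrapper around clamd), and the folder name and support address shown; FakeIMAP is a constructed stand-in so the example runs offline.

```python
from email import message_from_bytes, policy

QUARANTINE = "Quarantine"                    # assumed: quarantine folder inside the user's account
SUPPORT_ADDRESSES = {"support@example.org"}  # assumed: address that receives forwarded samples

def should_quarantine(mailbox, raw, hit):
    """Act only on a scanner hit, only in INBOX, and never on mail addressed to support."""
    if hit is None or mailbox.upper() != "INBOX":
        return False
    msg = message_from_bytes(raw, policy=policy.default)
    rcpts = " ".join(str(msg.get(h, "")) for h in ("To", "Cc", "Delivered-To")).lower()
    return not any(addr in rcpts for addr in SUPPORT_ADDRESSES)

def quarantine_uid(conn, uid):
    """COPY to the quarantine folder first; only then flag \\Deleted and EXPUNGE."""
    typ, _ = conn.uid("COPY", uid, QUARANTINE)
    if typ != "OK":
        return False                         # copy failed: leave the original untouched
    conn.uid("STORE", uid, "+FLAGS", r"(\Deleted)")
    conn.expunge()
    return True

def sweep_inbox(conn, scanner):
    """Scan every INBOX message by UID; return (uid, signature) for each one quarantined."""
    conn.select("INBOX")
    _, data = conn.uid("SEARCH", None, "ALL")
    moved = []
    for uid in data[0].decode().split():
        _, fetched = conn.uid("FETCH", uid, "(RFC822)")
        raw = fetched[0][1]                  # imaplib returns [(envelope, bytes), b')']
        hit = scanner(raw)
        if should_quarantine("INBOX", raw, hit) and quarantine_uid(conn, uid):
            moved.append((uid, hit))
    return moved

class FakeIMAP:  # constructed in-memory stand-in for imaplib.IMAP4 so this runs offline
    def __init__(self, inbox):
        self.folders = {"INBOX": dict(inbox), QUARANTINE: {}}
        self.deleted = set()
    def select(self, name):
        self.cur = name
    def uid(self, cmd, *args):
        box = self.folders[self.cur]
        if cmd == "SEARCH": return "OK", [" ".join(box).encode()]
        if cmd == "FETCH": return "OK", [(b"", box[args[0]])]
        if cmd == "COPY": self.folders[args[1]][args[0]] = box[args[0]]
        else: self.deleted.add(args[0])      # STORE +FLAGS (\Deleted)
        return "OK", []
    def expunge(self):
        for u in self.deleted: self.folders[self.cur].pop(u, None)
        self.deleted.clear()
```

Against a real server, replace FakeIMAP with an authenticated imaplib.IMAP4 and run the sweep only on accounts that are not currently logged in, as the thread advises.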