Re: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives

[bkfsec <bkfsec@xxxxxxxxxxxxxxxx>]

James Eaton-Lee wrote:

> For many SMEs, the distinction is irrelevant, as a significant number of
> e-mail servers do *NOT* incorporate antivirus software designed with
> gateway scanning in mind - they run desktop scanning tools on e-mail;
> thus, for many companies, the distinction between 'gateway' and
> 'desktop' antivirus software is both, since one scanning engine and set
> of definitions play the same role. 
>  
I think that the distinction that Nick was making was that any AV that 
is intended to do gateway scanning should implement this, which is 
implied by his whole "gateway scanners may have a problem with this..." 
point. 

If corporations are using desktop scanners as gateway scanners, then 
they're misusing the product. 

I could try to tow 3 tons of bricks with my little Honda Civic, but 
would it be Honda's fault if my engine gave out?  I'd be misusing the 
product. 'nuff said.


> Antivirus technology is something which even non-technical office staff are very
> much aware of, and they base many aspects of their work on assumptions
> such as the fact that if an antivirus scanner has not detected 'a virus'
> in a file they have sent/downloaded/copied, that it is safe - although
> they may not be at risk from a virus in an archive file that their
> antivirus software does not detect, other people may. 
>  
Well, this is largely a perception problem.  People think that a clean 
scan means that something is safe and that's wrong.  It's not just wrong 
in AV, it's wrong in all  security analysis issues.  It's wrong in IDS.  
It's wrong in forensics.  It's wrong in pen-testing.

What the outcome really means is, literally, that nothing that the 
product was designed to detect was detected.  It means nothing more and 
nothing less.

However, people turn that into "the coast is clear" because people don't 
want to live in a constant state of paranoia and fear.  By their nature, 
security and usefulness have to be balanced, at least in this way.

However, this all comes down to one point: If the AV can detect the 
malware uncompressed, but can't detect it compressed, then there's no 
problem.  The malware has to be decompressed to be dangerous.  That was 
Nick's point and it's 100% correct. 

IF your AV software is functioning normally.
IF your AV software has proper real-time detection capabilities.
IF your AV is properly setup and scans the programs you run at the time 
they're read from the HD.
IF your AV will detect the malware uncompressed.

Then, as should be true for the vast majority of situations out there, 
the malware will be caught as it's being extracted from the archive.  
Or, barring detection on writes, when it's being executed in the first 
place.

If the problem you're pointing out is that SMEs are carrying out 
cost-cutting by not putting AV on their workstations and blindly relying 
on gateway scanning,  then that SME has a much bigger set of problems 
than not having compressed tarball support on their gateway scanner, and 
their cost-cutting is ultimately going to cost them.

That SME has made a grave mistake and hopefully they'll learn their lesson.


> Harking back to SMEs, who seem to be at the focus of most of the points
> that I've made, it's quite possible that the inability to scan an
> archive file could be extremely damaging to a business's reputation when
> forwarded to a partner or customer
In what situation can you imagine where a person blindly forwards 
compressed (unscanned) content to a business partner?

Again, this can only be because of cost-cutting issues at the SME or 
laziness on the part of the SME's employee.  Again, the problem is not 
the issue of the AV, but rather the fault of the SME for not being more 
careful.

> - since you're obviously sure of your
> positions on these issues, I shouldn't have to remind you that antivirus
> software isn't about being theoretically perfect, it's about preventing
> business loss.
>  
This is the wrong way to think about it.

The goal of antivirus is, plainly said, to detect and block malware from 
running.

Preventing business loss is a side-effect of this.  There are many 
reasons for keeping malware off of systems, business benefit is only one 
of them.

A hammer is a hammer.  Its sole intent is to bash things (and, possibly, 
pry them out).  It can be used to build houses, but it is not a 
house-builder.

> Antivirus software is deployed based on many sets of assumptions.
> Failure to live up to these assumptions is generally what causes the
> most damage to businesses as protection they thought they had in place
> fails - this issue is something which falls into this category;
> antivirus software is, in the majority of SMEs, implemented by staff
> without extensive experience in antivirus software, and they are highly
> unlikely to be aware of issues such as this one (especially since in
> most antivirus software, the option is given to 'scan archive files',
> not 'scan archive files apart from the ones we don't understand') - not
> a serious issue, but definitely a significant one, and one which should
> be fixed upstream by antivirus vendors.
>
>  
It is expressly impossible to determine what the uneducated, untrained, 
and willfully incapable of reading documentation will do when left to 
their own devices.

User-friendly software tries to cater to these users, by making things 
as simple as possible, but that does not mean that all of these 
conditions can be predicted.  I'm very much in agreement that AV 
programs should support compressed tarballs and other archival formats.  
However, any organization that is bitten by this relatively small flaw 
will be bitten because they lack common sense.

The OEMs out there, along with the AV companies for obviously 
self-serving reasons, have gone a long way towards trying to spread the 
word that virus protection should be on all clients out there.  This is 
not an arcane planning issue like, say, properly implementing an IDS.  
It's a common sense, best practices, no BS doctrine.

And there are no excuses for an organization that purposefully puts 
themselves into a position where a minor defect like this can harm their 
business.

               -Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html