Re: On the ultimate futility of server-based mail scanning

* David Kennedy CISSP (david.kennedy@acm.org) [020306 23:08]:
> I understand the complaints, but I don't admit defeat nor will I reject as
> futile a solution that's working.  Server-based mail scanning has technical
> limitations.  So?  If a server-based solution intercepts only 80% of the
> inbound malicious code to an enterprise that still 80% less for the IS/IT
> staff to worry about and 80% less for desktop scanners to catch or 80% less
> for users to judge whether "new photos from my party" is a bad or good
> thing.  Certainly there are ways to attack the scanner and cause a denial
> of service, as there are ways to bypass some scanners.  The scanners must
> keep up with the threats and so far most have.  Server-based scanning
> provides a chokepoint in today's environments that is far easier to
> maintain than thousands of Microsoft desktops with wide variations of
> client anti-virus "solutions."
> 
> Ultimately we live with the deployed systems we have, and their
> limitations.  I'm unaware of a solution available today that supports
> management and user demands for "friendliness" and puts secure end-user
> software on the desktop.  Server-based scanning provides a solution *today*
> that, while imperfect, is manageable and effective in stopping most of the
> malicious code in the wild.  "Most" is not "all," but it's a lot more than
> "none."

David is correct. And this is not limited to anti-virus products. The
same can be said of any application that attempts to interpret the
communications between two entities and make security decisions based
on them. Examples include firewalls and network intrusion detection 
systems. This is in essence the same argument made by Ptacek and Newsham
in their seminal paper "Insertion, Evasion, and Denial of Service: Eluding 
Network Intrusion Detection".

Nonetheless, the argument does not mean these types of systems are useless.
It simply means they are not a silver bullet and that you must be conscious
of their limitations. And there are ways to make them more robust such
as normalizing the traffic between the two end points (see for example
Handley, Kreibich and Paxson's "Network Intrusion Detection: Evasion, 
Traffic Normalization, and End-to-End Protocol Semantics").

I would hope that some network based malicious code detection solutions
would implement some of these strategies soon.

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum
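
Added example, not part of Elias Levy's message or of either paper he cites:
a toy model of the insertion/evasion problem and of the normalization remedy.
Two observers reassemble the same overlapping TCP segments under different
policies ("first data seen wins" versus "latest data wins"); the monitor
never sees the string the end host sees. A normalizer that trims overlapping
data before forwarding removes the ambiguity, so whatever policy the host
uses, it sees exactly what the monitor saw. The segments, the signature
"ATTACK", and the two policy names are constructed for the example; no
real stack is modelled and real overlap behaviour differs by OS and case.

```python
"""Toy model of TCP overlap ambiguity (insertion/evasion) and normalization.

Added example, not code from the original message. Segments, the signature
and the two reassembly policies are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # offset of the first byte, relative to the stream start
    data: bytes


def reassemble(segments, policy):
    """Rebuild the byte stream from possibly overlapping segments.

    policy == "first": the first byte delivered at an offset is kept.
    policy == "last":  a later segment overwrites earlier data at that offset.
    These are the two illustrative policies; real stacks vary by OS and by
    whether the overlap is at the start, middle or end of a segment.
    """
    stream = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first":
                stream.setdefault(off, b)
            elif policy == "last":
                stream[off] = b
            else:
                raise ValueError(f"unknown policy {policy!r}")
    if not stream:
        return b""
    end = max(stream) + 1
    # Offsets never delivered are filled with 0 so gaps stay visible.
    return bytes(stream.get(off, 0) for off in range(end))


def normalize(segments):
    """Forward only bytes at offsets not yet delivered (first data wins).

    Each segment is split into one output segment per contiguous run of new
    offsets, so a fully overlapped segment is dropped and a partially
    overlapped one is trimmed. Every observer downstream of the normalizer
    therefore sees a single, unambiguous stream regardless of its own policy.
    """
    seen = set()
    out = []
    for seg in segments:
        run_seq, run = None, bytearray()
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen:
                if run:
                    out.append(Segment(run_seq, bytes(run)))
                    run_seq, run = None, bytearray()
                continue
            seen.add(off)
            if run_seq is None:
                run_seq = off
            run.append(b)
        if run:
            out.append(Segment(run_seq, bytes(run)))
    return out


SIGNATURE = b"ATTACK"   # constructed signature the monitor looks for

# Constructed evasion: the third segment is a "retransmission" of offsets
# 2-3 carrying different bytes. A "first" observer keeps XX, a "last"
# observer takes TA.
CRAFTED = [
    Segment(0, b"AT"),
    Segment(2, b"XXCK"),
    Segment(2, b"TA"),
]


def monitor_alerts(segments, policy="first"):
    """Whether a monitor using `policy` would match the signature."""
    return SIGNATURE in reassemble(segments, policy)


def host_receives(segments, policy="last"):
    """The byte stream an end host using `policy` would deliver."""
    return reassemble(segments, policy)


if __name__ == "__main__":
    print("monitor sees :", reassemble(CRAFTED, "first"))
    print("host sees    :", host_receives(CRAFTED))
    print("monitor alert:", monitor_alerts(CRAFTED))
    norm = normalize(CRAFTED)
    print("normalized   :", norm)
    print("after normalizer, host sees:", host_receives(norm))
```

With the crafted segments the monitor reassembles "ATXXCK" and raises no
alert while the host reassembles "ATTACK"; after normalization both sides
reassemble "ATXXCK" under either policy, which is the property a normalizer
in front of the monitored hosts is meant to guarantee.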
