When configuring an email firewall or the email-related antivirus features of a unified threat management (UTM) firewall, the question of what to scan often comes up -- not because most network managers spend a lot of time focusing on the fine points of antivirus configuration, but because there are spots in the GUI that have to be filled in.
While configurability is always a good thing, most networks will have the best protection possible with a very simple and straightforward policy of scanning all parts of all emails and deleting those emails with detected viruses.
That's the short answer. The long answer starts with a general observation: virus scanning is a performance hog.
There's no way around the high performance cost of virus scanning and we all know that it's only getting worse as the escalating war between antivirus and virus developers continues. Because virus scanning is slow, product vendors have given us a wide variety of knobs and dials that let us get ourselves into a lot of trouble.
For example, several years ago, it was common for email managers to configure their virus scanners to skip multimedia data files, such as images or audio files. In fact, if you haven't looked at it recently, your scanner may still be skipping those types of files. The thinking was simple: you can't get into trouble just looking at a PDF or a GIF. Well, there's certain logic to that, but there's also a huge flaw. You can get into trouble reading a data file, if that data file is constructed to exploit a flaw in the viewing or listening application. We've seen it happen, and we all know this isn't the end of these exploits.
Risky call to bypass email scanning
We've learned there are no good shortcuts in this business. Every attempt to "save time" or "speed things up" in email antivirus configurations has eventually come around and bitten us on our collective butts. Product features that let us skip scanning some parts of email messages or bypass scanning for large messages might save you a few seconds in email response time, but those seconds will never compensate for the disruption caused by a virus that gets through -- not because the scanner missed it, but because you didn't bother to scan it.
There are some antivirus settings that you do need to think about, such as what to do with encrypted email, packed archive files (such as .zip or .tar files) or an email that causes the virus scanner to crash or take too long. I advise a common sense approach that is conservative and takes into account three main bits of advice:
- People have a natural tendency to trust email more than is warranted, so warnings about the potentially hazardous content of a message will be ignored;
- Most email messages with viruses were not sent by people, so notifications about viruses found make things worse, not better;
- It's easy to set up alternative tools to move large data files, so spending time streamlining email as a document delivery service is not as good as spending time building alternative and safe pathways (such as SSL VPNs, Web-based file transfer systems, or even simple FTP servers) to help people move data in and out of your organization.
Thus, the best practice is always to scan everything. Once you determine that a message has a virus, don't attempt to clean it; simply delete the message or, if you have to, quarantine it. Trying to clean viruses out of email messages is a waste of time, notifying people that you cleaned one is a waste of time, and notifying senders that they sent a virus is a waste of time. All three are likely to get you into more trouble by misdirecting and causing confusion as to the real cause of a problem.
Scanning video, archives and timeout trouble
If you want to argue with this and say "oh, no, we can't scan videos," that's OK as long as you're willing to explain why you let a virus into your network because you didn't realize there was a bug in Adobe Flash or some similar viewing tool for whatever data type you don't bother to scan.
Virus scanners that have a setting for a maximum depth of an archive file (such as a .zip file) to unpack can be set conservatively. If you've gone five levels deep in unpacking a .zip file and still have another .zip file inside, you should treat this as an error and delete that message. No rational sender is going to have a six-level zipped archive, and if you see such a thing, it is always going to be an attempt at obfuscation, whether malicious or simply porn, either of which you normally want to block.
Scan timeouts are another place where you may find settings that need to be configured. While you can get a false positive here and there, it is safest to treat a scanner timeout as "virus found" and delete the message. You should also have the antivirus software send a notification to the system manager when timeouts occur so they can investigate to see whether this is an isolated case or a performance problem building up.
Most virus scanners also have an ability to limit the size of messages scanned. Use this feature with care, if you use it at all. You're not getting that many 10 Mb email messages, and if you do, there's no reason not to scan them. The ready availability of huge amounts of bandwidth and bot networks has changed the game for malware authors, so cutting corners in your security strategy is a more and more dangerous approach.
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
Send comments on this technical tip to firstname.lastname@example.org.