Re: Virus/adware/spyware -- is there all-in-one protection in one program?
From: Lionel Fourquaux (use.reply.to_at_no-spam.invalid)
Date: 06/23/04
Date: Wed, 23 Jun 2004 12:41:00 +0200
Alun Jones [MSFT] wrote:
> Weeell, not quite. If there were to be a vulnerability in the e-mail
> client, e-mail viruses would be able to exploit it to ... send email as if
> those messages came from you. Lots of email. Including reruns of the best
> of your inbox (and other mail folders).
Yes, I missed this. The virus would have to run as part of the message
body, since a saved attachment would not be executable.
The "view as plain text" option goes a long way to make such a
vulnerability improbable, but it may happen.
> I'm new at MS, so hopefully this won't come across as Microsoft
> Unix-bashing, but this is one of the things I have to remind my Unix-head
> friends about - removing administrator access from possible exploit means
> only that the administrator's account, and things limited to the
> administrator, are protected. Normal users have a huge level of
> capabilities. They can delete (or sometimes worse, overwrite) their own
> files, send email, communicate with other users, and maybe even lay traps
> for system administrators to execute. Even without the last item (privilege
> elevation), a virus can destroy or corrupt data, and reproduce.
You can run the e-mail client in another account, with very limited
permissions, and use deny ACLs to block execution at a higher level of
privilege.
For virus replication, assuming one exploited a vulnerability, it is harder
to imagine a counter. Limiting the rate of SMTP connections may be an
idea, although I don't like this method too much.
Another advantage of using a limited account is that it gives you a safe
base to remove any hypothetical virus.
> Is administrator / root privilege necessary for a virus to be bad? No. Most
> email viruses of today are quite capable of causing damage and reproducing
> under 'restricted' accounts.
>
> I've used email clients from three different vendors that have, in their
> time, had vulnerabilities that could be triggered by overflows in processing
> text-based email. By now, they should know better, and the current crop of
> email clients is mostly solid enough that I trust them not to break on plain
> text (and I am very paranoid in that regard). So, while the current
> situation is good, history demonstrates that even your approach has not
> always been foolproof.
True again, but even an antivirus may not be foolproof. It would be
quite ironic if a virus exploited a vulnerability in the antivirus
itself to infect computers. Worse, antivirus software usually runs in
part at a very high level of privilege (and I suspect some programs of
interfering with other security settings more than I like, e.g. by
manipulating ACLs on system objects or requiring low-security browser
settings).
> I think it's worthwhile to have defence in depth. So, I read my email in
> text mode, I don't investigate most attachments, I run an antivirus program,
> _and_ I scan every month or so with a different antivirus program. Oh yes,
> and I keep backups.
No argument about this. My point was that you can make infection highly
improbable, using enough paranoid settings, but it doesn't hurt to add
more precautions.