VoF Enhancements – Detection of .ANI 0day

Unanswered Question
Apr 10th, 2007

What does the community think about Ironport developing VoF to the point where it is possible to write IDS-style signatures for it? Instead of just working with the file header/name/size, this enhancement would allow an engineer to write an advanced pattern to detect the latest .ANI threat before AV vendors have signatures out, all the while allowing valid files through.

See the following references for ideas:


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Donald Nash Tue, 04/10/2007 - 15:30

I'm not going to answer the poll directly because my answer needs more than just a simple "yes/no" response.

I think the idea of putting something fess-like into AsyncOS has merit, but I'm not sure that VOF is the right place for it. The whole point of VOF is to spot outbreaks by their traffic patterns as detected by SenderBase, and to be really fast about it. That's why it only looks at coarse message characteristics. On the other hand, IDS vulnerability signatures don't say anything about traffic patterns, nor should they. They simply document specific content patterns which should always be suppressed, regardless of the traffic patterns in which they appear. Therefore I think that a better idea would be to have a separate stage in the e-mail pipeline where IDS-like rules would run, with IronPort pushing out these rules like they do VOF and IPAS rules. Let's not mix up "it looks bad because its traffic analysis is suspicious" with "it looks bad because it contains a known bad pattern".

Message filters spring to mind as a possible alternative, but they currently lack the rules needed to do this properly (I once tried to write a several hundred byte regular expression to catch a particular file pattern, but gave up). This could be fixed, of course, but message filters are still entirely under user control. Therefore IronPort couldn't push rules out. But it would still be handy for sysadmins to have a better ability to poke around inside messages.

si_ironport Tue, 04/10/2007 - 21:59

I agree, I just had the poll there to gauge interest more than anything.

I think having another feature that can be applied to an incoming mail policy would be the way to go. Ironport could sell it as a bolt-on service (like VoF), as long as they give the end user the ability to write their own filters I would be happy. Alternatively you could log a case and get the Ironport engineers to write one for you, ensuring thorough testing.

Trying to accomplish this using a regex (like you tried) will no longer work in AsyncOS 5.0 as the body-contains keyword has been fixed to only parse the text of the email and no longer looks at the attachment. You would also have to take into account the encoding scheme used (7bit/8bit/base64/binary/uuencoded) in the attachment to cover all avenues.

Thanks for your comments


This Discussion