January 24, 2011
Niles Nerd

Nerds Mail Protection

[this post from Nerd Dennis Houseknecht]

Regarding the last post, Daryl Siemens asked an excellent question: would Nerds Mail Protection protect against such an attack? I thought the answer was worth sharing with all – it really depends upon how the attack is designed. That is why defending clients is so difficult. The answers are defense in depth (multi-layered defenses), defense in width (looking at every avenue of attack), and good old common sense.
If the document was sent as an attachment that contained the malicious code, then yes, Nerds Mail Protection would scan it for malicious content, using multiple virus scanning engines. It should also be scanned by the local AV engines (at the UTM if there is one, and again at the desktop if AV is running).
That said,
1. No AV is 100% effective.
2. Often, the malicious code is not contained in the actual attachment. Rather, the document may contain a script or macro that downloads the content from a website. Nerds Mail Protection would not see this. A UTM or the local AV might see it, but the code could be well obfuscated. A UTM or DNS filtering service (such as OpenDNS) might also block the outgoing connection if it is known to be malicious. Antivirus programs that use heuristics “should” see this behavior as malicious and prevent the download.
PDF readers should be set to not run embedded scripts. The newest version of Adobe's reader has some sandboxing technology to prevent this sort of attack. MS Word should be set not to run macros. Both should be kept up to date.
In the end, the best defense is user education. COMMON SENSE will thwart all but the most sophisticated targeted attacks (which, unfortunately, are becoming more common).
An unsolicited or unexpected document in any format other than plain text should be seen as a threat – especially when coming from an unknown source. One way to preview a document safely is to forward it to a Gmail account and use Google’s previewer. Since the previewer is running on Google’s server, any malicious script is unable to infect your (or a client’s) system. Don’t worry about Google – they are well protected (and not running on Windows anyway). If the document looks suspicious, do not open it locally. If in doubt, you can always request that the sender submit a plain text version.
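One way to turn the advice above into a mechanical check, as an added example that is not part of the original post or of Nerds Mail Protection: a Python script that parses a mail message and flags every attachment that is not plain text, calling out PDFs that carry script or auto-run actions and Office files that carry a VBA macro project. The sample message, its filenames and the minimal PDF and zip contents are constructed for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# PDF name tokens that mark active content (scripts, auto-run actions, launches,
# links, embedded files): what a reader with scripting disabled refuses to act on.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|URI|EmbeddedFile)\b")

def assess_attachment(content_type, data):
    """Return reasons for caution; an empty list means the attachment is plain text."""
    if content_type == "text/plain":
        return []
    if data.lstrip().startswith(b"%PDF"):
        found = sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)})
        return ["PDF with active content: " + ", ".join(found)] if found else ["PDF document"]
    if data.startswith(b"PK\x03\x04"):  # OOXML (.docx/.docm/.xlsm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return ["corrupt zip container"]
        if any(n.endswith("vbaproject.bin") for n in names):
            return ["Office document carrying a VBA macro project"]
        return ["Office/zip container"]
    return ["non-text attachment (%s)" % content_type]

def assess_message(raw):
    """Map each attachment filename in a raw RFC 822 message to its reasons for caution."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): assess_attachment(p.get_content_type(), p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()}

def build_sample():
    """Constructed test message: an auto-run PDF, a macro-enabled document and a text file."""
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # minimal stand-in for a .docm, not a real document
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder")
    msg = EmailMessage()
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment("plain text version", subtype="plain", filename="invoice.txt")
    return msg.as_bytes()
```

Calling `assess_message(build_sample())` flags the PDF and the .docm and leaves the .txt with an empty list; a gateway or desktop script could quarantine or warn on any non-empty result.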