Email AntiVirus Protection for Mail.SAS
In the Fall of 2002, SAS Computing began to use Symantec
Antivirus for SMTP Gateways to scan mail sent to mail.sas users from
external hosts for viruses. This product allows email traffic to be scanned
for viruses prior to delivery of the message to the recipient.
Given the
prevalence of new e-mail based viruses, protection at the mail server
level is essential and has proven to be very effective at limiting the
spread of viruses in SAS.
New Protection to Be Implemented 6/15/2004
As of 6/15/2004, SAS Computing will begin to implement additional
procedures to provide even better protection from the growing number of
email based viruses. Since the Symantec Gateway product does not allow us
to scan all mail (e.g. messages sent internally to other mail.sas users
are not scanned; some viruses are designed to avoid such gateway machines),
mail.sas will be configured to silently drop messages with attachments
that have specific extensions that are classified as unsafe by Microsoft
because they can be automatically executed when accessed. See below for a
complete list of extensions that will be handled in this way.
Dropping these messages silently means that the mail server
will simply drop them and will not notify the sender or the recipient that
this has taken place. Notification is not possible because the sender of
virus infected messages is usually forged and if the recipient were
notified, this would not reduce the amount of unwanted mail that is
delivered.
In addition to this change, SAS Computing will be implementing a
new solution which will replace the current Symantec Gateway solution
and will provide scanning for all incoming and outgoing mail, thus
providing a higher level of overall protection.
Of course, no single level of scanning provides perfect
protection. This system
should be seen as a supplement to, not as a replacement for, adequate
desktop antivirus
protection. All users should still maintain up to date and properly
configured antivirus software, as viruses use mechanisms other than
email to spread.
Responses to common questions:
What will I have to do differently?
Nothing. Since this is an automated system that works on the e-mail server
side, you will not have to reconfigure your machine or your e-mail client software.
The scanning that will take place happens before you access your
incoming mail, no matter where or
how you access it.
Of course, you still need to exercise caution when reading your
mail and not open attachments unless you know the sender AND know that it was
intentionally sent to you. The server-side scanning is a huge step forward but
does not provide complete protection from all viruses, as new viruses
are always being developed and released.
Won't scanning significantly impede the delivery of e-mail?
No, it will not. Scanning will generally add no more than a few seconds,
at most, to the processing time of a message. Delays will usually be
measured in milliseconds.
Considering the fact that desktops running antivirus software
configured
for real-time protection scan every file on the system each and every
time it is accessed, yet the performance degradation is not that great
(perhaps 5-10%), there is no reason to expect scanning of e-mail to
add a great deal of delay to delivery time.
Isn't this an invasion of my privacy?
We don't think so. The scanning is done using the same automated pattern detection
mechanisms used in the antivirus software that is already run on many SAS servers
and desktop machines. The process is completely automated, no human intervention
is required. We will not be blocking for message content (using keywords, etc.).
Thus,
this system is no greater an invasion of privacy than any of the other processes
that currently allow your mail to be processed and delivered. Please also be
aware that many other systems (at Penn and elsewhere) already scan mail, so
much of the mail you send to and receive from others likely is already being
scanned by other systems.
Won't there be false positives resulting in messages being identified
as infected when they are not?
While certainly possible, this is actually a very small risk. While
all antivirus software does at times yield false positives, this is
not very common. Of the perhaps dozen or so instances of Symantec releasing
definition sets which yielded an identified false positive over the
past two years, the file types being misidentified were generally not
widely distributed (which is likely why Symantec's testing didn't discover
the problem prior to release) and of types unlikely to be sent as e-mail
attachments. When Symantec has discovered such a problem, a fix has
generally been released within 24 hours. We have not had a significant
problem with false positives on desktop machines, despite the fact that
we have 1000 machines running NAV in managed mode where all files on
the system are scanned on every access. There is no reason to expect
this to be a bigger problem when scanning e-mail.
Why should I, as a Linux or Mac user, be subjected to this inconvenience?
Users of Linux and the Mac OS are less likely to be infected with a
virus than Windows users, but they can easily act as carriers of viruses
that can infect Windows machines. Even if this weren't the case, since
there will really be no negative impact of scanning being put in place,
there seems little reason to object to it, given the greater common
good it will serve.
Aren't there better ways to stop viruses from spreading?
Not really. SAS has made great progress over the past two years in protecting
SAS faculty and staff Windows users from viruses by using Norton Antivirus Corporate
Edition in Managed mode. This has greatly reduced the number of actual active
infections on machines used by SAS faculty and staff. However, as more and more
viruses that spread through e-mail have been released, the quantity of infected
mail (originating from other machines) has continued to increase. Locally, a
good deal of this originates from machines used by SAS students, many of whom
use Outlook or Outlook Express as e-mail clients (which are targeted by many
of these viruses) and some of whom do not maintain adequate antivirus protection.
Scanning mail sent through SAS systems will help to reduce this continuing problem.
Why can't I opt out of this system?
We explored various approaches that could be used to make this an opt in/out
system. However, in all cases the procedures needed to allow for this possibility
seemed likely to be a larger source of potential problems and unnecessary overhead
than the antivirus scanning system itself. Given this, it has been decided to
move ahead to put the system in place even though it is not possible to allow
individual users to opt out.
How can blocked attachment types be sent?
If you need to send or receive a message with an attachment of one of the
types that are being blocked, the sender can simply change the extension
being used on the attachment to one that is not being blocked. The recipient
can then change the extension of the attachment, if needed, to make
opening it easier.
What attachment types are being blocked?
We will be blocking nearly all attachment types classified as unsafe
in Microsoft
Knowledge Base Article - 262631 with the exception of Access database
files (extension of mdb).
The list of extensions to be blocked on mail.sas includes:
Extension File type
---------------------------------------------------
.app Visual FoxPro Application
.ade Microsoft Access project extension
.adp Microsoft Access project
.ani Animated Icon
.asx Windows Media Audio / Video
.bas Microsoft Visual Basic class module
.bat Batch file
.chm Compiled HTML Help file
.cmd Microsoft Windows NT Command script
.com Microsoft MS-DOS program
.cpl Control Panel extension
.crt Security certificate
.cur Animated Icon
.csh Unix shell extension
.exe Program
.fxp Visual FoxPro Compiled Program
.hlp Help file
.hta HTML program
.ico Animated Icon
.inf Setup Information
.ins Internet Naming Service
.isp Internet Communication settings
.js JScript file
.jse Jscript Encoded Script file
.ksh Unix shell extension
.lnk Shortcut
.mda Microsoft Access add-in program
.mde Microsoft Access MDE database
.mdt Microsoft Access workgroup information
.mdw Microsoft Access workgroup information
.mdz Microsoft Access wizard program
.msc Microsoft Common Console document
.msi Microsoft Windows Installer package
.msp Microsoft Windows Installer patch
.mst Microsoft Windows Installer transform; Microsoft Visual Test source file
.ops Office XP settings
.pcd Photo CD image; Microsoft Visual compiled script
.pif Shortcut to MS-DOS program
.prf Microsoft Outlook profile settings
.prg Visual FoxPro Program
.rar Windows Archive
.reg Registration entries
.scf Windows Explorer command
.scr Screen saver
.sct Windows Script Component
.sh Shell Script
.shb Shell Scrap object
.shs Shell Scrap object
.url Internet shortcut
.vb VBScript file
.vbe VBScript Encoded script file
.vbs VBScript file
.wmz Windows Media File
.wsc Windows Script Component
.wsf Windows Script file
.wsh Windows Script Host Settings file
It is possible that other extensions will have to be blocked in the
future, given that virus authors frequently use new approaches.
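The extension filter described above, as an added example (not mail.sas's own code, which is not on this page): a Python function that parses a raw message, checks every MIME part's file name against the page's block list, and returns the drop decision with a reason for the server log. The sample message is constructed for the example.

```python
import email
from email import policy

# Extensions from the page's block list (mail.sas, 2004), lower-case, no dot.
BLOCKED_EXTENSIONS = frozenset("""
app ade adp ani asx bas bat chm cmd com cpl crt cur csh exe fxp hlp hta ico
inf ins isp js jse ksh lnk mda mde mdt mdw mdz msc msi msp mst ops pcd pif
prf prg rar reg scf scr sct sh shb shs url vb vbe vbs wmz wsc wsf wsh
""".split())

def blocked_extension(filename):
    """Return the blocked extension of a file name, or None if it is allowed.
    Case-insensitive; only the final suffix counts, so 'report.txt.EXE' is
    caught as 'exe' while a name with no suffix passes."""
    _, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    return ext if dot and ext in BLOCKED_EXTENSIONS else None

def should_drop(raw_message):
    """Decide whether the server should silently drop a raw RFC 822 message.
    Every MIME part is inspected; get_filename() reads Content-Disposition
    'filename' first and falls back to the Content-Type 'name' parameter,
    because mail clients differ in which one they set. Returns (drop, reason)
    so the decision can at least be logged for the mail administrators."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        ext = blocked_extension(name) if name else None
        if ext:
            return True, f"attachment {name!r} has blocked extension .{ext}"
    return False, None

# Constructed sample (not from the page): a bounce-lookalike carrying an .exe.
SAMPLE_MESSAGE = b"""\
From: "Mail Delivery" <noreply@example.invalid>
To: user@mail.sas.example
Subject: Returned mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream; name="report.txt.EXE"
Content-Disposition: attachment; filename="report.txt.EXE"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--XX--
"""
```

As the FAQ itself notes, this check keys on the file name only, so a renamed attachment passes; it supplements content scanning rather than replacing it.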
Where can I get more information?
If you have other questions or concerns, please let us know by sending
a message to us at virus@sas.upenn.edu.
Last modified: 2008-02-27