Posts tagged ‘MessageLabs’

Opportunistic TLS and MessageLabs

Back in February 2008, I suggested to the Sendmail admins that we look into opportunistic TLS. Like all encryption there is a performance hit. Unlike S/MIME or PGP, the encryption covers only the transit between links, one hop at a time. Additionally, there is no guarantee that all links will be encrypted; hence the word opportunistic. While you don’t want to get a false sense of security from it, I don’t see a reason not to implement it on a system that has the performance capacity.

The Sendmail admins added opportunistic TLS to outbound email pretty quickly. However, they found that adding it for inbound email required recompiling Sendmail. As a result, this was put on the shelf for a while. Here we are 2.5 years later, and as part of moving Sendmail to a Solaris blade server, they added opportunistic TLS for inbound email.

There’s always a but…

We use MessageLabs as our secure email gateway. I assumed that because I could connect to them on port 25 and issue the STARTTLS command, they supported opportunistic TLS. The exact phrase I used in Feb 2008 was “I suspect messagelabs would then send our inbound email across a SSL session making our email slightly more secure.” It turns out my assumption was incorrect.

Symantec MessageLabs does not support opportunistic TLS (Solution ID: DA_116296). Solution ID DA_136900 claims that opportunistic TLS is a security threat rather than a security feature. Because it only encrypts a connection when it can, unencrypted email can still be sent. This is of course true. But at a minimum, I would know that the connection from my servers to MessageLabs was encrypted. Final secure delivery would depend on the configuration of the recipient servers.

It seems to me that Symantec MessageLabs is trying to force customers to purchase their Boundary Encryption product.

I have been informed via the comments that if MessageLabs receives the message via SMTP/TLS they will attempt to preserve that level of security on delivery to the next hop. That makes sense. In most cases adding encryption merely for the last hop is pointless. Sweetness.

So the onus is back on other mail providers. I saw a great rant recently on Gmail not providing opportunistic TLS.
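Because opportunistic TLS is negotiated hop by hop, the only record of which links a delivered message actually used is the Received headers each MTA stamps onto it: sendmail annotates an encrypted inbound session with `(version=... cipher=... bits=...)`, Postfix with `(using TLSv1.x with cipher ... (n/n bits))`, and a plaintext session gets no annotation at all. The audit below is an added example, not code from this post, from Sendmail or from MessageLabs. The headers it parses are constructed with placeholder hosts and addresses, and the annotation formats it recognizes are the sendmail and Postfix conventions, not those of any gateway named above.

```python
import re
from typing import Dict, List, Optional

# Constructed message headers (placeholder hosts and addresses, not a real
# message). The newest Received line imitates sendmail's TLS annotation,
# the middle one Postfix's, and the oldest hop carries no TLS annotation.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by gateway.example.org (8.14.4/8.14.4) with ESMTP id o74EF2xy012345
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
    for <user@example.org>; Wed, 4 Aug 2010 10:15:02 -0400
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
    by mx.example.net (Postfix) with ESMTPS id 3F2A1B9C
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    for <user@example.org>; Wed, 4 Aug 2010 10:14:58 -0400
Received: from sender.partner.example (sender.partner.example [198.51.100.9])
    by relay.partner.example (Postfix) with ESMTP id 9C0D2E1F
    for <user@example.org>; Wed, 4 Aug 2010 10:14:55 -0400
Subject: quarterly figures
"""

# sendmail style: (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 ...)
_SENDMAIL_TLS = re.compile(
    r"version=(?P<version>\S+)\s+cipher=(?P<cipher>\S+)\s+bits=(?P<bits>\d+)")
# Postfix style: (using TLSv1.2 with cipher ECDHE-... (256/256 bits))
_POSTFIX_TLS = re.compile(
    r"using (?P<version>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")
# Sending and receiving host of one hop.
_FROM_BY = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines; continuations start with whitespace."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Extract every Received hop, oldest first, with its TLS details if any."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in unfold_headers(raw):
        m = _FROM_BY.match(line)
        if not m:
            continue
        tls = _SENDMAIL_TLS.search(line) or _POSTFIX_TLS.search(line)
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "tls_version": tls.group("version") if tls else None,
            "cipher": tls.group("cipher") if tls else None,
            "bits": tls.group("bits") if tls else None,
        })
    # Each MTA prepends its Received line, so the top line is the last hop;
    # reverse to report hops in the order the message travelled.
    hops.reverse()
    return hops


def plaintext_hops(hops: List[Dict[str, Optional[str]]]):
    """(from, by) pairs for every hop that was delivered without TLS."""
    return [(h["from"], h["by"]) for h in hops if h["tls_version"] is None]


def audit(raw: str) -> Dict[str, object]:
    """Summarize how much of the path was encrypted for one message."""
    hops = parse_hops(raw)
    clear = plaintext_hops(hops)
    return {"hops": len(hops), "plaintext": clear, "fully_encrypted": not clear}


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        print(f'{hop["from"]} -> {hop["by"]}: {hop["tls_version"] or "PLAINTEXT"}')
    print(audit(SAMPLE_HEADERS))
```

Run against real mail, the audit shows exactly what the post warns about: the hop into your own gateway can be encrypted while an earlier hop between two other parties was not, and only the headers reveal it. A gateway such as MessageLabs sits in the middle of that path, so its Received line is the one to inspect when checking whether it honoured TLS on the inbound side.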

That’s Not from the Copier

A lot of copiers now have the ability to scan documents and email the result as a PDF. I’ve never quite understood why people don’t take the time to change the default subject line (on a Xerox it is something like “Scan from a Xerox WorkCentre”) to something a bit more descriptive. Worse yet, I’ve seen people here send directly from the copier to their external contact instead of sending the PDF to themselves, formatting the email a bit more and then forwarding it on.

We must not be the only ones with this habit. The bad guys are using it too. I just saw some virus alerts on our inbound email.

Subject: Scan from a Xerox WorkCentre Pro $3609550
Virus: Packed.Generic.306
From the Symantec website: “Packed.Generic.306 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from anti-virus software.”

No file name was listed in the virus alert, so I thought this might be a false positive. Since I don’t have access to release quarantined messages to myself, I checked the source IP. The IPs I checked were from Guatemala. Between that and the fake-looking source email address, I’d say this is definitely malicious.

Update: Here’s a link to a Barracuda blog post on the subject.
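The two tells in the alert above, a scanner-style subject arriving from an external address and a sender that does not match where real copiers submit from, can be turned into a gateway rule. The Python below is an added example and is not code from this post or from any product it mentions. It assumes that the organization’s copiers only ever submit mail from the internal address space (`INTERNAL_NETS`) and send as the organization’s own domain (`INTERNAL_DOMAINS`); both are placeholders, the gateway events it scores are constructed, and the only subject pattern it knows is the Xerox default quoted above.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed address space of the organization: real copiers submit their scans
# from the inside, so a "scan" connecting from the Internet is suspect.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed domain(s) that only internal systems should send as.
INTERNAL_DOMAINS = {"example.org"}

# Default subject of the device mentioned in the post; other devices' defaults
# can be added to the alternation as they are identified.
SCANNER_SUBJECT = re.compile(r"^scan from a xerox workcentre", re.IGNORECASE)

# Constructed gateway events (placeholder addresses, not real traffic).
SAMPLE_EVENTS: List[Dict[str, Optional[str]]] = [
    {"src_ip": "10.20.30.40", "from": "copier-3f@example.org",
     "subject": "Scan from a Xerox WorkCentre", "attachment": "scan001.pdf"},
    {"src_ip": "203.0.113.55", "from": "xerox@example.org",
     "subject": "Scan from a Xerox WorkCentre Pro $3609550",
     "attachment": "Xerox_Scan.zip"},
    {"src_ip": "198.51.100.12", "from": "news@vendor.example",
     "subject": "May newsletter", "attachment": None},
]


def is_internal(ip: str) -> bool:
    """True when the connecting address belongs to one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(event: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Return a verdict and the reasons behind it for one gateway event.

    Only messages that look like a scanner notification are examined; for
    those, each mismatch with how a real copier behaves adds a reason.
    """
    reasons: List[str] = []
    subject = event.get("subject") or ""
    if not SCANNER_SUBJECT.search(subject):
        return {"verdict": "pass", "reasons": reasons}

    external = not is_internal(event["src_ip"] or "0.0.0.0")
    if external:
        reasons.append("scanner subject but connection from external IP")

    sender_domain = (event.get("from") or "").rsplit("@", 1)[-1].lower()
    if external and sender_domain in INTERNAL_DOMAINS:
        reasons.append("external source claims an internal sender address")

    attachment = (event.get("attachment") or "").lower()
    if not attachment.endswith(".pdf"):
        reasons.append("scanner lure carrying a non-PDF attachment")

    return {"verdict": "quarantine" if reasons else "pass", "reasons": reasons}


def suspicious(events: List[Dict[str, Optional[str]]]) -> List[str]:
    """Subjects of the events that the rule would quarantine."""
    return [e["subject"] or "" for e in events
            if classify(e)["verdict"] == "quarantine"]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["subject"], "->", classify(ev))
```

The rule deliberately keys on the combination rather than the subject alone: a genuine scan from an internal copier passes untouched, while the lure in the alert above trips all three checks (external source, spoofed internal sender, ZIP instead of PDF). That is the same reasoning used by hand in the post, checking the source IP and the sender address, just made repeatable.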

Symantec buys PGP and GuardianEdge

I’ve been waiting for Symantec to buy GuardianEdge ever since they started selling a rebranded GuardianEdge encryption product. It seems every other endpoint security company bought a dancing partner over the past year or two and Symantec was merely renting.
When Symantec bought MessageLabs, I was very concerned. I like MessageLabs and was afraid of what Symantec would do to it. When Symantec bought IMLogic, I felt the technical support and the product vision totally went in the crapper. Fortunately MessageLabs had a strong position to prevent that from happening to them as well.
Regular readers of my blog will know I’ve had a lot of issues with GuardianEdge support over the years. At this point I don’t know if GuardianEdge support will be internalized by Symantec or remain as a separate team. Either way it can only get better.
I’m wondering what it means that they bought both PGP and GuardianEdge. It seems kind of redundant. PGP adds secure email. But I’m not sure what else. Not sure if PGP already has the mobile encryption that GuardianEdge currently licenses from TrustDigital.
I would expect that by the time of our next renewal encryption will be an option for a Symantec Endpoint Suite and our overall dollars spent will go down. I expect this purchase to be a good thing.

Zscaler protects against IE Zero Day

On Tuesday, as seems to be the custom, Microsoft released patches and announced a new zero day in Internet Explorer. MSKB 981374 is a remote code execution in IE6 and IE7. Who knew that being on IE5 could ever be a good thing.
The KB says Microsoft released details to vendors in their Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) programs in order to provide protection to customers.
Within one hour Zscaler had protection in place for its customers. Zscaler offers web security in a SaaS model. I would see them competing with ScanSafe, Purewire and MessageLabs as well as any company trying to get you to put security appliances on your network for web security (Blue Coat). Strangely, I didn’t get email from any of those vendors bragging that they are protecting their customers against this zero day. If they were protecting their customers, would there be any reason not to use it for PR? It’s not like they are making an Oracle Unbreakable (or was that Apple Unbreakable) claim.

Email Security

Last Friday Purewire blogged about a fake Microsoft Outlook update that one of their employees received via email.
Typically when a security company blogs about an email virus they’ve seen in the wild, it is clear that it’s something the research team found, or something that got through to a home address or to their wife’s company, etc. In this case I didn’t see any attribution like that. In fact, the redacted cut and paste clearly shows it was sent to a @purewire.com address. That says to me Purewire’s corporate email security is kind of lacking. Not the message you want to post to your company’s blog.
A virus making it to an end user via email is not the sort of thing I would expect to see at my company, much less a security company. The email had a zipped attachment which contained an EXE file. That right there would have been stripped at many companies. How many times has an EXE in a ZIP been a good thing? I’m not a big fan of stripping attachments, even by file type or extension. Regular readers know I recommend MessageLabs for email security. Obviously Purewire couldn’t use them for email since they compete in the web SaaS space and just got bought by Barracuda.
So what type of email security does Purewire have currently? It looks like their mail server is Zimbra. I could be wrong from my two minutes of searching, but it appears that ClamAV is the antivirus protection used with Zimbra. As Steve Spurrier said when he coached the Redskins, “not too good.”
While I wrote this mainly to tease them, I am thinking now it’s more serious. These guys expect me to send my web traffic through their SaaS towers. I need to believe their internal processes are mature.
Now they may come back and say that the message actually did get stopped before reaching a user’s mailbox. That would render my post moot. But it doesn’t say that now. It says “a Purewire employee received an email.”

Barracuda’s Purchase of Purewire

The 451 Group has a blog entry on Barracuda’s purchase of Purewire. I am currently evaluating Purewire. This article had some tidbits I hadn’t seen in other analysis.
I had noted that the Security as a Service web space was getting a bit crowded. ScanSafe, as this article notes, is the granddaddy of them all. Anyone who uses MessageLabs for email should be checking them out. Webroot has an offering. Zscaler and Purewire are two names I’d come across this year. While it appeared a bit like Purewire latched onto the first warm body they could find, selling early does make sure you aren’t left standing alone at the end of the night.
The 451 Group makes an interesting comment that perhaps Blue Coat would have been a better fit. That would have been very interesting to me. I’m not such a big fan of Barracuda. Vendors with radio ads are not targeting infosec people like me. That didn’t turn me off on them so much as the backscatter they’ve caused with their (previous) default settings.
451 says Purewire has 200 customers. That is beyond small. Larger companies see a lot of web traffic. Even if something were going to escape detection, odds are good that it would be reported by another company first and protection added. Hopefully Barracuda will add more viability than Purewire has currently.
451 stated “bake-offs are the exception rather than the rule” in web security. I find that kind of hard to believe. As critical as web traffic is, people don’t look at multiple vendors? It’s so easy to set up an eval.
Ultimately my evaluation of this purchase is “at least it’s not CA.”

MessageLabs Adds Public IM Security Service

This is interesting. After I wondered yesterday about the applicability of IM security products that ignore social networks, MessageLabs announced the launch of a new public IM security service. The solution does not address any of the problems I mentioned.
The press release mentions AOL’s AIM, Yahoo! Mail and Microsoft MSN, but does not mention Google Talk. This service protects public IM protocols, whereas the existing Enterprise Instant Messaging product (from the purchase of Omnipod) is an enterprise product competing with OCS/LCS.

MessageLabs HTTP Security Webcast

I watched a MessageLabs HTTP Security Webcast earlier today. I have evaluated their product both when they were reselling ScanSafe and once since they implemented their own solution.
As anyone reading this site already knows, there was a big uptick in malware served by legitimate sites at the end of 2008. SQL injection and other tricks were used to get malicious code to load from legitimate websites. The old advice about “don’t click on this or that” just doesn’t work when it’s a common site that has been compromised to serve the malware.
Spyware is even more sneaky. It uses dialog boxes that appear to be Windows Update. It pretends to be a needed codec. It masquerades as security software. It even gets accepted as advertisements on legitimate banner ad networks.
As user details are stolen (such as in the Monster.com hack) or voluntarily disclosed on social network sites, a treasure trove of material for a targeted attack is put into the bad guys’ hands. That, combined with public data found on genealogy sites and voter registration rolls, makes it possible to craft emails that appear to be legitimate because they already know so much about you. The questions used to reset the password on your accounts are easy to find answers to, as many celebrities have experienced, much to their chagrin.
The need for advanced web security is obvious. With MessageLabs web security, they use two antivirus engines and a pared-down version of their Skeptic heuristic engine. It’s my belief that this will provide better security than competitors.
What has kept me from implementing this solution in the past is the desire to avoid using a direct proxy. Transparent proxies work better in my opinion. MessageLabs provides a proxy for the corporate network so that internal usernames and IPs can make it to their logs (otherwise, with NAT, they’d only have your firewall IP as the source). I hear this proxy is a customized Squid proxy. While Squid supports WCCP, this is not something MessageLabs has supported to my knowledge. I looked at their instructions for Check Point to forward traffic transparently to MessageLabs. That did not solve the problem of their logs only having the firewall IP address.
While direct versus transparent is still a challenge, I did learn in this webcast that MessageLabs is going to be announcing a new feature next week that I’ve been looking forward to. While they didn’t say not to pass it on, I’m going to self-embargo. So hopefully I’ll get another blogging opportunity after I’ve checked out the new features.

Can MessageLabs improve Symantec Antivirus

I rescued an old comment from Akismet (the spam filter I’m using on the blog) because it asked an interesting question: how can Symantec’s acquisition of MessageLabs improve their desktop antivirus?
My first reaction to this is that MessageLabs Antivirus can’t be duplicated at the desktop. They use multiple antivirus engines in addition to their own Skeptic engine, a collection of heuristic detections. Multiple scan engines work on gateway servers, and Microsoft Antigen/Forefront/whatever uses multiple engines on SharePoint. But at the desktop, performance is needed. Also, don’t quote me on this, but I thought I’d read that the Skeptic database has a huge ruleset. That also doesn’t lend itself well to desktop performance.
Multiple antivirus vendors are now looking at implementing antivirus in the cloud. In this model, new/unknown files are sent to the cloud for analysis. Skeptic would fit in well in Symantec’s implementation of that model.

Symantec buys MessageLabs

Symantec buys MessageLabs, the leader in email security. The press release is here.
I was just talking to my old sales rep last week about ML being on the market. It seemed to me that MessageLabs sold its ISP Star to make it easier to sell itself.
There are some good things here. Both Symantec and MessageLabs seem to have top-notch anti-virus groups. I hope they don’t feel they can eliminate redundancy.
I am concerned based on my past experience when Symantec bought IM Logic. Support immediately dropped from the excellent level that IM Logic maintained to the hit-or-miss quality of Symantec. I also felt that development slowed significantly for a time.
When Microsoft bought Sybari they added their own antivirus engine and eventually dropped some of the available engines in Antigen (I think I’m remembering that right). I’m not actually sure who MessageLabs is using right now, but I’m sure Symantec AV (crappy as it is) will be in the mix shortly. MessageLabs support has told me in the past which antivirus engines they use in email, but they don’t advertise it because they want to be able to make changes to have the most effective defenses.
Here is hoping that the changes will be positive. For the past 5 plus years that I’ve used MessageLabs nothing beats them for email security.