Feature: Winsock level (mail) scanning

Hello,

I once raised the idea about transparent system level mail (TCP/IP traffic) scanning, but it didn’t make big interest. :cry: http://forum.avast.com/index.php?board=2;action=display;threadid=57;start=285
But now I’ve done some research on how it’s done by other AV software like Panda and Norton, and I wish to share my little knowledge.

Almost for sure those AV programs are using Winsock 2 Layered Service Provider (LSP) hooks to intercept / modify some function calls to Winsock like recv(), send(), and this allows scanning the whole TCP/IP stream without installing any proxy. This method is quite simple… it’s documented, with samples in the Microsoft Platform SDK.
Moreover you are able to modify this stream… and even redirect it, or close the connection… whatever you want. Because a mail application (or even a pure telnet connection) going through WinSock first goes through your functions that are hooked into the WS2 layer.

Nevertheless, some time ago this idea was turned down. However I’m still sure that implementing that in Avast! will stop all those problems with proxy configuration… because no proxy will be needed, and any other problems. Moreover I don’t agree that it won’t lower memory consumption, because it will for sure. For implementing an LSP you don’t need any exe running… all you need is a single DLL which is a hook for WS2.

This DLL won’t need such complicated logic as there is now in the Internet Mail proxy… because all it needs to do is search for specific data in the TCP/IP stream… and scan it! Like the beginning of an attachment… and so on. This is not complicated at all. Moreover it could scan, besides POP3, SMTP, IMAP… some other protocols like ICQ, Kazaa… the same way.
This would be totally transparent to the user… with low memory consumption and no need for any configuration, as it’s at the winsock level.

I wish Avast! had that feature… because I like this program as it’s free for home use, has polish UI, and it’s written by Czech ppl that are somehow near friends to the Polish :wink: (even it might sound funny)

Here are references you can lookup:

Regards,
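The post above says the hooked recv()/send() layer only has to “search for specific data in the TCP/IP stream… like the beginning of an attachment”. The following is an added illustration of that scanning logic, not code from the original post or from any AV product: a small streaming matcher (KMP-style, so match state survives chunk boundaries) that a hooked recv() could feed each received buffer to. The pattern, the POP3 sample chunks, and the function names are all constructed for this example; it is plain C with no Winsock or LSP code, so it runs anywhere.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAT 64

/* Streaming, case-insensitive matcher. `state` is how many pattern bytes
   are currently matched, so a pattern split across two recv() chunks is
   still found. `fail` is the usual KMP failure table. */
typedef struct {
    char     pat[MAX_PAT];
    size_t   len;
    size_t   fail[MAX_PAT];
    size_t   state;
    unsigned hits;
} stream_scanner;

static void scanner_init(stream_scanner *s, const char *pattern) {
    size_t k = 0;
    s->len = strlen(pattern);
    if (s->len >= MAX_PAT) s->len = MAX_PAT - 1;
    for (size_t i = 0; i < s->len; i++)
        s->pat[i] = (char)tolower((unsigned char)pattern[i]);
    s->pat[s->len] = '\0';
    s->state = 0;
    s->hits = 0;
    s->fail[0] = 0;
    for (size_t i = 1; i < s->len; i++) {
        while (k > 0 && s->pat[i] != s->pat[k]) k = s->fail[k - 1];
        if (s->pat[i] == s->pat[k]) k++;
        s->fail[i] = k;
    }
}

/* Feed one chunk, exactly as a hooked recv() would hand it over.
   Returns the number of matches that complete inside this chunk;
   partial matches carry over to the next call. */
static unsigned scanner_feed(stream_scanner *s, const char *buf, size_t n) {
    unsigned found = 0;
    for (size_t i = 0; i < n; i++) {
        char c = (char)tolower((unsigned char)buf[i]);
        while (s->state > 0 && c != s->pat[s->state]) s->state = s->fail[s->state - 1];
        if (c == s->pat[s->state]) s->state++;
        if (s->state == s->len) {
            found++;
            s->hits++;
            s->state = s->fail[s->state - 1];
        }
    }
    return found;
}

/* Constructed POP3 RETR response, deliberately split so the first
   "Content-Disposition: attachment" header straddles the two chunks. */
static const char chunk1[] =
    "+OK 310 octets\r\n"
    "From: sender@example.test\r\n"
    "Content-Type: multipart/mixed; boundary=\"xx\"\r\n"
    "\r\n--xx\r\nContent-Dispo";
static const char chunk2[] =
    "sition: attachment; filename=\"report.doc\"\r\n\r\nBODY\r\n"
    "--xx\r\ncontent-disposition: ATTACHMENT; filename=\"b.zip\"\r\n"
    "--xx--\r\n.\r\n";

/* Runs the two chunks through one scanner and returns the total number
   of attachment headers seen (expected: 2, one of them split). */
static unsigned demo_split_header(void) {
    stream_scanner s;
    scanner_init(&s, "Content-Disposition: attachment");
    scanner_feed(&s, chunk1, sizeof chunk1 - 1);
    scanner_feed(&s, chunk2, sizeof chunk2 - 1);
    return s.hits;
}

int main(void) {
    printf("attachment headers found: %u\n", demo_split_header());
    return 0;
}
```

The point to notice is the carried `state`: a scanner that only looks inside each chunk would miss the first header, since no single recv() buffer contains it whole. A real implementation would also have to track protocol state (which stream is a mail session, where the message body starts) and hand the reassembled attachment to the engine, but the per-chunk matching step is the one shown here.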

Hehe, I got the same idea some time ago (not so long) about WinSock.
avast! is a top class AV by itself, but the Internet Mail scanner is too primitive.
I mean it does its job very well if you know how to configure it, but most people don’t, so it’s pretty hard to explain to them what and where (if the mail client isn’t supported by avast!).

I’m not sure, but I think Pavel said something about some high level mail interception that is better than WinSock. Guess they’re working hard on it for avast! v4.5 which is gonna be released this summer (probably hehe).

Can anybody from Alwil confirm - or not - this change?
Will the version go from 4.1 to 4.5 ? ;D

Well I think that the current solution could be called “high-level” (proxy), and on the other hand a winsock service is lower level. However you can also do it using a Transport Data Interface (TDI) filter, which is very low level (system TCP/IP stack… lower than the WinSock API); however it’s not well documented, and there’s only paid documentation and source code from one company at http://www.pcausa.com/tdisamp/tdifilterdownl.htm.
(Is it that you’re stating that Pavel is working on ?)

If anybody can confirm that you’re working on such a feature for Avast! it would be nice… cause it will for sure make me stay with Avast! and even buy Pro version for my office computers.

Best regards,

I probably mixed up high and low… :-[

OK let me tell something about this.

First: guys, you’re underestimating us. We’re no rookies… :slight_smile: We know how these things work… :slight_smile: We do have certain time schedules… :slight_smile:

Winsock2 LSP is not the way to go, though. Ada$, you’re wrong if you’re saying that e.g. Norton uses LSP. It does not. It does use TDI filters, which is the only correct way to do this. LSPs are too high on the stack…

About TDI documentation (you mentioned that), don’t worry, we have our own sources… :slight_smile:

That said, moving the Internet Mail provider down to kernel mode is a complex task and requires lots of time (especially for testing). The next major release of avast (that’s coming up this summer) will not contain anything like that…

Take care,
Vlk