Firewall Wizards mailing list archives

Re: Re: Anybody Recognize These Uploads?


From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 5 Jan 2003 12:38:17 -0500 (EST)

On Sun, 5 Jan 2003, Christopher Hicks wrote:

Not really, most of the common executable types can be filtered without
worrying about signatures.  If you're allowing unzipped executables in,
you probably need your head examined at this point in time for anything
that's not a pure Linux shop, and even then, wine's getting a bit too
good...  If you're allowing .[something] and .[somethingelse], well...

True enough.  We have been using MailScanner ( www.mailscanner.info ) for
virus checking and spam checking, but it filters on configurable
extensions as well.  It comes with a reasonable set of defaults that
includes the above.  I can see that most would differentiate virus
checking and extension filtering, but for me they all came in the same
ball of wax.

Interestingly, one site has bounced this thread based on the occurrence of 
.[somethingelse] in the text.  The biggest problem I have with content 
filters is that they really need to be smarter, or there needs to be more 
care in their setup.  If there was a new way to sneak .[somethingelse] 
through a filter, at least one company wouldn't ever get notified of it.

I really prefer the "quarantine and let the user come get it" approach for 
keyword filtering - with an admin option to make the quarantine off-limits 
based on a high percentage of quarantines over time, or other criteria.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
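
Added example, not part of the original message or of MailScanner: a Python sketch of the distinction the thread draws, where an extension on an attachment filename is blocked while a mere mention of that extension in the body text is quarantined rather than bounced. The block list, function names and sample messages are constructed assumptions; the thread does not name its extensions.

```python
from email.message import EmailMessage

# Assumption: constructed block list for illustration only.
BLOCKED = {".exe", ".scr", ".pif"}

def body_mentions(msg, blocked=BLOCKED):
    """Keyword-style check: true if a text/plain body part mentions a blocked extension."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            text = part.get_content().lower()
            if any(ext in text for ext in blocked):
                return True
    return False

def blocked_attachments(msg, blocked=BLOCKED):
    """Return attachment filenames whose final extension is on the block list."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Case-fold and drop trailing dots/spaces so "X.SCR. " still matches.
        clean = name.strip().rstrip(". ").lower()
        dot = clean.rfind(".")
        if dot != -1 and clean[dot:] in blocked:
            hits.append(name)
    return hits

def disposition(msg):
    """One possible policy: block real attachments, quarantine keyword-only hits."""
    hits = blocked_attachments(msg)
    if hits:
        return ("block", hits)
    if body_mentions(msg):
        return ("quarantine", [])  # user can retrieve it; nothing is bounced
    return ("deliver", [])

def build_samples():
    """Constructed messages: a discussion, an executable carrier, and a clean mail."""
    discussion = EmailMessage()
    discussion.set_content("We block .scr and .pif at the gateway.")
    carrier = EmailMessage()
    carrier.set_content("See attached.")
    carrier.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename="Invoice.pdf.SCR")
    clean = EmailMessage()
    clean.set_content("Lunch on Friday?")
    return discussion, carrier, clean
```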
