Full Disclosure mailing list archives
Re: antivirus s/w
From: "Volker Tanger" <volker.tanger () discon de>
Date: Tue, 27 Jan 2004 18:01:56 +0100
Greetings! On 27 Jan 2004 06:51:55 -0800 merlyn () stonehenge com (Randal L. Schwartz) wrote:
> Patrick> 1. I'm trying to decide on an AV solution for a campus wide n/w.
> Patrick> I'm basically looking for something that'll respond as quick as
> Patrick> possible to new viruses. I'm currently evaluating NAV, and Fprot.
> Patrick> Any other suggestions/recommendations?
>
> PLEASE MAKE SURE that it doesn't send email responses. I'm getting 500
> mydoom an hour. I can filter those. I'm getting 1500 AV-responses an
> hour. I can't filter those. AV response email is PART OF THE PROBLEM
> now, not PART OF THE SOLUTION.
e.g. with Postfix MTA you can use the mime_header_checks filtering quite
successfully and without response mails. And most times it's effective
even without pattern updates... (beware of possible line breaks)

main.cf:
--------
mime_header_checks = regexp:/etc/postfix/mime_header_checks

mime_header_checks:
-------------------
### -----------------------------------------------------------------------
# known viri
#
/^.*(file)?name="?.*(your_details|your_document|document_all).pif.*\.(bat|asd|chm|com|dll|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found Sobig.F virus - clean your computer.

### -----------------------------------------------------------------------
# temp. virus blocks
#
/^.*name="?(doc|message|readme|text|test|document)\.zip"?/i DISCARD Probably found Novarg/MyDoom virus - clean your computer or re-send attachment with different name.

### -----------------------------------------------------------------------
# executables
#
/^\t(file)?name="?.*\.(bat|asd|chm|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found executable attachment. Re-send packed in ZIP archive if valid requirement.
/^Content-(Type|Disposition):.* (file)?name="?.*\.(bat|asd|chm|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found executable attachment - probably virus. Re-send packed in ZIP archive if valid requirement.

Bye

Volker Tanger
ITK-Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
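Before putting a table like the one above into production you want to see which rule fires on which attachment name. On a real Postfix box that is `postmap -q 'Content-Disposition: attachment; filename="readme.exe"' regexp:/etc/postfix/mime_header_checks`; the script below is an added offline emulation of the same lookup (example code written for this page, not Postfix's own code and not part of Volker's post). It parses the posted table in Postfix's `/pattern/flags ACTION text` format, feeds every `Content-*` header line of each MIME part of a constructed message through the rules, and reports the first hit. Two assumptions are built in and marked in the code: only `Content-*` headers are treated as MIME headers, and rules are tried against physical header lines, which is what the posted rule anchored on a leading tab presupposes (check `header_checks(5)` for your version, which may fold continuation lines first). One Postfix detail the emulation reproduces deliberately: in regexp tables matching is case-insensitive by default and the `i` flag toggles that, so the `/.../i` ZIP rule as posted is the one case-sensitive rule in the table and `DOCUMENT.ZIP` passes it.

```python
"""Offline emulation of a Postfix mime_header_checks regexp table.

Added example, not Postfix code and not from the post above: parses a table
in Postfix's "/pattern/flags ACTION text" format and runs every Content-*
header line of each MIME part through it; the first matching rule wins.
"""
import email
import re
from typing import Any, Iterator, List, Optional, Tuple

# Constructed table: the rules posted above, transcribed verbatim.
MIME_HEADER_CHECKS = r'''
# known viri
/^.*(file)?name="?.*(your_details|your_document|document_all).pif.*\.(bat|asd|chm|com|dll|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found Sobig.F virus - clean your computer.
# temp. virus blocks
/^.*name="?(doc|message|readme|text|test|document)\.zip"?/i DISCARD Probably found Novarg/MyDoom virus - clean your computer or re-send attachment with different name.
# executables
/^\t(file)?name="?.*\.(bat|asd|chm|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found executable attachment. Re-send packed in ZIP archive if valid requirement.
/^Content-(Type|Disposition):.* (file)?name="?.*\.(bat|asd|chm|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found executable attachment - probably virus. Re-send packed in ZIP archive if valid requirement.
'''

# One table line: optional '!' negation, /pattern/, flags, ACTION, optional text.
RULE_LINE = re.compile(r'^(!?)/((?:\\/|[^/])*)/([imx]*)\s+(\S+)(?:\s+(.*))?$')

Rule = Tuple[bool, Any, str, str]   # (negated, compiled regex, ACTION, log text)


def parse_regexp_table(text: str) -> List[Rule]:
    """Parse a regexp: table.  Per regexp_table(5) Postfix matches
    case-insensitively by default and the 'i' flag TOGGLES that, so a rule
    written /.../i is case-SENSITIVE; 'm' and 'x' toggle the same way."""
    toggles = {"i": re.IGNORECASE, "m": re.MULTILINE, "x": re.VERBOSE}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        negate, pattern, flagstr, action, note = m.groups()
        flags = re.IGNORECASE
        for ch in flagstr:
            flags ^= toggles[ch]
        rules.append((negate == "!", re.compile(pattern, flags), action.upper(), note or ""))
    return rules


def mime_header_lines(raw_message: str) -> Iterator[str]:
    """Yield the physical 'Name: value' lines of the Content-* headers of every part.
    Assumptions: mime_header_checks sees only MIME (Content-*) headers, and rules
    are applied per physical line, as the posted leading-tab rule presupposes.
    The legacy email API (compat32 policy) keeps header folding intact."""
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        for name, value in part.items():
            if name.lower().startswith("content-"):
                yield from f"{name}: {value}".split("\n")


def check_message(raw_message: str, rules: List[Rule]) -> Optional[Tuple[str, str]]:
    """Return (ACTION, text) of the first matching rule, or None if the mail passes."""
    for line in mime_header_lines(raw_message):
        for negate, pattern, action, note in rules:
            if bool(pattern.search(line)) != negate:
                return action, note
    return None


def sample_mail(filename: str) -> str:
    """Constructed two-part message carrying one attachment named `filename`."""
    return (
        "From: alice@example.org\n"
        "To: bob@example.org\n"
        "Subject: test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="bnd"\n'
        "\n"
        "--bnd\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attachment\n"
        "--bnd\n"
        "Content-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "QUFBQQ==\n"
        "--bnd--\n"
    )


RULES = parse_regexp_table(MIME_HEADER_CHECKS)

if __name__ == "__main__":
    for name in ("notes.txt", "README.EXE", "document.zip", "DOCUMENT.ZIP"):
        verdict = check_message(sample_mail(name), RULES)
        print(f"{name:14} -> " + (f"{verdict[0]}: {verdict[1]}" if verdict else "accepted"))
```

Running it shows `notes.txt` accepted, `README.EXE` discarded by the `Content-Disposition` rule (the executable rules carry no flag and so stay case-insensitive), `document.zip` discarded by the MyDoom rule, and `DOCUMENT.ZIP` accepted because the `i` flag made that one rule case-sensitive; dropping the `/i` would close that gap. The emulation is for checking rule logic only; the regex dialect Postfix compiles and its header folding are still best confirmed with `postmap -q` on the target host.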
Current thread:
- antivirus s/w Patrick J Okui (Jan 27)
- Re: antivirus s/w Gadi Evron (Jan 27)
- Re: antivirus s/w Dennis Opacki (Jan 27)
- Re: antivirus s/w Luca Mihailescu (Jan 27)
- Re: antivirus s/w Randal L. Schwartz (Jan 27)
- Re: antivirus s/w Patrick J Okui (Jan 27)
- Re: antivirus s/w Volker Tanger (Jan 27)
- Re: antivirus s/w Gustavo A. Lozano (Jan 27)
- RE: antivirus s/w Steve Wray (Jan 27)
- Re: antivirus s/w William Warren (Jan 27)
- Re: antivirus s/w I.R. van Dongen (Jan 27)
- <Possible follow-ups>
- RE: antivirus s/w Jos Osborne (Jan 27)
- RE: antivirus s/w Bryan K. Watson (Jan 27)
- Re: antivirus s/w Damian Gerow (Jan 27)
- RE: antivirus s/w Bryan K. Watson (Jan 27)
- RE: antivirus s/w Kevin Cherry (Jan 27)
- RE: antivirus s/w Kevin Patterson (Jan 27)
- Re: antivirus s/w Georgi Guninski (Jan 27)