Vulnerability Development mailing list archives
Re: Another new worm??? (technical)
From: 11a () GMX NET (Bluefish)
Date: Fri, 23 Jun 2000 15:08:16 +0200
To begin with, you assume the filter to act on the information most easily "polymorphed". Obviously you could do far more advanced filters which aim at things less easily modified. However, you assume you need to scan against everything. But actually, email viruses don't have that long a lifespan (probably because they're easily detected). For many applications a defence which stops the 3 most common spreading email viruses will be enough. As an example, if an administrator notices a problem (or receives an alert that a new email virus is spreading rapidly), he could issue a temporary filter to stop it and then make sure that a) all workstations are patched (fixing technical vulnerabilities) and b) the users are warned (fixing the human vulnerabilities). And yes. The Outlook virus-friendly viruses are easily disabled. If these AV-vendors who so reasonly wanted us to trust them really want to stop viruses, why don't their utilities offer automatic detection and removal of virus-friendly (insecure) settings and DLLs? After all, they do know that very, very few users actually use macros, scripting email etc. (/me still not able to stop laughing after the wild accusations...)
At some point, you'll notice that when you have to apply 100 or 1000 filtering rules to each and every message - there will be a performance hit on your server. This is exactly what happened with conventional signature-based anti-virus scanning. Let's not even talk about a situation where you have to apply 10.000 filtering rules to 10.000 e-mails each day. Don't forget that most harmless e-mails will by definition have to go through the entire set of rules.
..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
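An added example, not part of the original post: a small set of temporary, expiring mail filter rules of the kind the message describes, with a counter showing how many rules each message has to pass through. The rule format, the names `TempRule`, `check` and `build`, and all patterns and messages are constructed for illustration.

```python
import email
import re
from dataclasses import dataclass
from datetime import date
from email import policy
from email.message import EmailMessage

@dataclass
class TempRule:            # hypothetical rule format, not from the post
    name: str              # label for the outbreak the rule targets
    field: str             # "subject" or "attachment" (file name)
    pattern: re.Pattern
    expires: date          # last day the rule is applied

# Constructed sample rules: three short-lived filters.
RULES = [
    TempRule("sample-A", "attachment", re.compile(r"\.txt\.vbs$", re.I), date(2000, 7, 7)),
    TempRule("sample-B", "subject", re.compile(r"^fwd: constructed sample$", re.I), date(2000, 6, 30)),
    TempRule("sample-C", "attachment", re.compile(r"\.shs$", re.I), date(2000, 7, 7)),
]

def check(raw, rules, today):
    """Return (name of first matching rule or None, rules evaluated)."""
    msg = email.message_from_string(raw, policy=policy.default)
    fields = {
        "subject": [str(msg.get("Subject", ""))],
        "attachment": [part.get_filename() or "" for part in msg.walk()],
    }
    evaluated = 0
    for rule in rules:
        if today > rule.expires:       # expired temporary rules cost nothing
            continue
        evaluated += 1
        if any(rule.pattern.search(value) for value in fields[rule.field]):
            return rule.name, evaluated
    return None, evaluated

def build(subject, filename=None):
    """Build a constructed test message, optionally with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content("body text")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    day = date(2000, 6, 23)
    print(check(build("hello", "notes.txt.vbs"), RULES, day))  # stopped by first rule
    print(check(build("lunch?"), RULES, day))                  # clean: all rules run
```

A clean message is evaluated against every active rule, which is the cost the second paragraph points at; letting rules expire keeps that set small.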