Vulnerability Development mailing list archives

Re: Another new worm??? (technical)
From: 11a () GMX NET (Bluefish)
Date: Fri, 23 Jun 2000 15:08:16 +0200
To begin with, you assume the filter to act on the information most
easily "polymorphed". Obviously you could do far more advanced filters
which aim at things less easily modified.

However, you assume you need to scan against everything. But actually,
email viruses don't have that long a lifespan (probably because they're
easily detected).

For many applications a defence which stops the 3 most common spreading
email viruses will be enough. As an example, when an administrator notices a
problem (or receives an alert that a new email virus is spreading rapidly),
he could issue a temporary filter to stop it and then make sure that
a) all workstations are patched (fixing technical vulnerabilities) and b)
the users are warned (fixing the human vulnerabilities).

And yes. The Outlook virus-friendly viruses are easily disabled. If these
AV vendors who so recently wanted us to trust them really want to stop
viruses, why don't their utilities offer automatic detection and removal
of virus-friendly (insecure) settings and DLLs? After all, they do know
that very, very few users actually use macros, scripting email etc.

(/me still not able to stop laughing after the wild accusations...)

At some point, you'll notice that when you have to apply 100 or 1000
filtering rules to each and every message, there will be a performance
hit on your server. This is exactly what happened with conventional
signature-based anti-virus scanning. Let's not even talk
about a situation where you have to apply 10.000 filtering rules to
10.000 e-mails each day. Don't forget that most harmless e-mails will
by definition have to go through the entire set of rules.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
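The cost argument in the last paragraph (every harmless message traverses the whole rule set), as an added example that is not part of the original post: a toy rule engine that counts predicate evaluations per message for a plain linear scan and for the same rules indexed by the field they key on, so mail that carries no attachment never touches the attachment rules. The rule ids, the sample messages and the "payloadN.vbs" attachment names are constructed.

```python
from collections import defaultdict

# Constructed sample rule set: (rule_id, field, predicate). Each rule keys
# on one message field and its predicate is applied to that field's value.
def make_rules(n_attachment_rules):
    rules = []
    for i in range(n_attachment_rules):
        name = f"payload{i}.vbs"  # hypothetical blocked attachment name
        rules.append((f"att-{i}", "attachment", lambda v, name=name: v == name))
    # One header rule, modelled on the "temporary filter" an admin might add.
    rules.append(("subj-iloveyou", "subject", lambda v: v.lower().startswith("iloveyou")))
    return rules

def linear_scan(rules, message):
    """Apply every rule to every message: cost is len(rules), hit or not."""
    hits, evaluations = [], 0
    for rule_id, field, pred in rules:
        evaluations += 1
        if pred(message.get(field, "")):
            hits.append(rule_id)
    return hits, evaluations

def build_index(rules):
    """Bucket rules by the field they key on, so absent fields cost nothing."""
    index = defaultdict(list)
    for rule in rules:
        index[rule[1]].append(rule)
    return index

def indexed_scan(index, message):
    """Evaluate only the rules whose field the message actually carries."""
    hits, evaluations = [], 0
    for field, value in message.items():
        for rule_id, _, pred in index.get(field, ()):
            evaluations += 1
            if pred(value):
                hits.append(rule_id)
    return hits, evaluations

def daily_cost(scan, messages):
    """Total predicate evaluations over one day's (constructed) traffic."""
    return sum(scan(m)[1] for m in messages)

if __name__ == "__main__":
    rules, benign = make_rules(1000), {"subject": "lunch tomorrow?"}
    print(linear_scan(rules, benign)[1], indexed_scan(build_index(rules), benign)[1])
```

With 1000 attachment rules and one header rule, a harmless message costs 1001 evaluations under the linear scan but only 1 under the indexed scan; a message that does carry an attachment still pays the full attachment bucket.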