Some time around 8/21/2003 04:58:25, I think I heard Professional Software Engineering say:
> To be honest, I haven't run your filter (seeing as the generic executable
> filter I already have in place catches the viruses and worms just fine),
> but unless something from the first batch of conditions is always expected
> to match (or conditions outside of the individual variants do), then a
> batch of 5 200-weight conditions is only going to bring the score to ...
> 1000. The math:
> -1000
> +1000
> = 0
> which won't trigger the recipe, since you need a positive score to do that.
Hello,
I think that for brevity Fredrik didn't include the entire
recipe. But the section for the Sobig virus in YAVR includes many
other variants, and an additional condition at the top that is common
to all:
#for Sobig
# flags: B = match against the body, D = match case-sensitively (base64 is case-sensitive)
:0BD
# unconditional offset: each matching 200^0 line below adds 200 exactly once,
# so the common condition plus all five lines of one variant are needed to go positive
* -1000^0
# common to all variants -- this will add 200 to all of them
# (TVqQAAM is the base64 encoding of the "MZ" executable header)
* 200^0 ^TVqQAAM
* 200^0 K/cBHSx
* 200^0 rZVJizb
* 200^0 DrVitFc
* 200^0 rolkJrX
* 200^0 zt8P9pT
#Sobig-b
* 200^0 gHB/e2v
* 200^0 j1qLR/m
* 200^0 dAgyJY8
* 200^0 0SOIV7x
* 200^0 Gw47Qgh
#Sobig-c (by Fredrik Rodland)
* 200^0 BSj0hvF
* 200^0 HN8EMuX
* 200^0 LvRtJdz
* 200^0 MdFFlfN
* 200^0 oikgcxQ
#Sobig-gen
* 200^0 /HrcLhs
* 200^0 qfZjXLv
* 200^0 msFydo9
* 200^0 iJGZx/6
* 200^0 Gg7aCZs
#Sobig-gen (UPX packed and scrambled)
* 200^0 v0ibwKA
* 200^0 CDH2kTw
* 200^0 YBdt6zE
* 200^0 nblNbDU
* 200^0 jWqE0Z6
#Sobig-f
* 200^0 IOsT73k
* 200^0 eGYh2Eo
* 200^0 cb07glg
* 200^0 G\+Q1KAS
* 200^0 WaUYonD
{
# Do the thing here...
}
This is in addition to the conditions wrapped around this one
that check whether it is an executable. So by the time we get here, we
are only scanning potential viruses -- not all messages.
You are right, blocking incoming executables might suffice for most,
especially with the high traffic of viruses lately. But YAVR not only
scans them and blocks them, but classifies them as an added feature,
so you can be absolutely sure that what went through *was* in fact a
virus, and which kind. It sets it aside for further inspection if
necessary. Of course, this behaviour is not desired by everyone.
-dZ.
--
:[ DZ vs. THE WORLD]==- -- - -
Hating anything, everything and everyone since 1996.
--
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
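As an added illustration (not part of the original mail or of YAVR itself), a small Python emulator of procmail's `w^x` scoring applied to the Sobig-f conditions quoted above. It shows the arithmetic under discussion: with the common `^TVqQAAM` line a full match scores +200 and fires, while five variant hits alone land exactly on 0 and do not. Running the regexes through Python's re module and the sample bodies below are assumptions of this example, not procmail behaviour verified against real attachments.

```python
import re

# (weight, exponent, regex) as in "* w^x regex"; an empty regex means the
# condition always matches once (the usual idiom for a fixed offset).
SOBIG_F = [
    (-1000, 0, ""),          # base offset shared by the whole Sobig block
    (200, 0, r"^TVqQAAM"),   # common to all variants (base64 of an "MZ" header)
    (200, 0, r"IOsT73k"),
    (200, 0, r"eGYh2Eo"),
    (200, 0, r"cb07glg"),
    (200, 0, r"G\+Q1KAS"),
    (200, 0, r"WaUYonD"),
]

def contribution(w, x, n):
    """Score added by a w^x condition that matched n times: procmail adds w for
    the first match and multiplies the increment by x for each further one,
    i.e. w*(1 + x + ... + x^(n-1)).  With x = 0 that is w once, as YAVR uses."""
    if n == 0:
        return 0.0
    if x == 1:
        return float(w * n)
    return w * (1 - x ** n) / (1 - x)

def score(body, conditions):
    """B flag: regexes run against the body; '^' anchors at any line start."""
    total = 0.0
    for w, x, pattern in conditions:
        n = 1 if pattern == "" else len(re.findall(pattern, body, re.MULTILINE))
        total += contribution(w, x, n)
    return total

def recipe_fires(body, conditions):
    """The recipe's action block runs only if the final score is positive."""
    return score(body, conditions) > 0

# Constructed base64-looking bodies (not real attachments).
FULL = "TVqQAAMAAAAEAAAA\nxxIOsT73kxx\neGYh2Eo\ncb07glg\nG+Q1KAS\nWaUYonD\n"
NO_HEADER = FULL.replace("TVqQAAM", "AAAAAAA")      # five fragments, no MZ line
OTHER_EXE = "TVqQAAMAAAAEAAAA\nunrelated base64 payload\n"
FOUR_OF_FIVE = FULL.replace("WaUYonD", "zzzzzzz")

if __name__ == "__main__":
    for name, body in [("full", FULL), ("no header", NO_HEADER),
                       ("other exe", OTHER_EXE), ("4 of 5", FOUR_OF_FIVE)]:
        print(f"{name:10s} score={score(body, SOBIG_F):6.0f} fires={recipe_fires(body, SOBIG_F)}")
```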