procmail

Re: Virus scanning and defense-in-depth

2004-02-29 16:22:27

----- Original Message ----- 
From: "Dallman Ross" <dman(_at_)nomotek(_dot_)com>
To: "Procmail List" <procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE>
Sent: Thursday, February 26, 2004 12:01 AM
Subject: Re: Virus scanning and defense-in-depth


> On Wed, Feb 25, 2004 at 05:03:07PM +0100, Robert Allerstorfer wrote:
> > OK, I see what purpose you have in mind. There is yet another procmail
> > recipe which seems to do a great job as well, catching all those nasty
> > known viruses currently spreading around, including NetSky.B, here:
> >
> > http://agriroot.aua.gr/~nikant/nkvir-rc
>
> Yes.  Nick comes by here not infrequently.  I think his stuff is
> fine, though I've never actually run it.  I'm sure he'll enjoy
> that you pointed out the link.


Unfortunately not that often any more.. (extremely busy..) And about these
e-mails here talking about YAVR, I was informed by a friend.. :(

Well.. about YAVR.. I never said it's a magic wand to solve anyone's
problems.. right? :)


> I do my own extensive spam tests under the philosophy of my own
> heuristics, and the ones Nick runs in that same file are redundant
> for me.  There are some things I admire in his presentation there.
> I don't want to put the kitchen sink all in one package, though.
> Moreover, my ideas about How To Do It are, well, just different.
> So go ahead and use his stuff, I won't resent it at all, nor will
> I think you're making a huge mistake or something. :-)  I do
> think all those scored body checks on all messages are rather a
> bit of overhead of the type that I tried very hard to avoid for
> most messages in mine (both in my published plug-in and in my
> private spam runs).


I understand that you use a more generic method to keep all possible threats
out of your mailbox. That's fine (and really smaller and better looking
compared to YAVR). My purpose in developing YAVR was to categorize incoming
viruses too. That's why I use signatures for most of them.


> One question I do have, looking briefly at that file of Nick's
> again, is whether such short viral-signature regexes aren't
> veering toward possible false-pozzes.  Base64 encodes 3 bytes
> into 4.  Some of the patterns are pretty damn short, so perhaps
> as few as 12 bytes of binary data are used to ID the virus.  This
> is true of at least one permutation of the signature set I use,
> too, though I'm only running it on ZIPs.  I don't know what the
> false-poz rate would be for that.  Maybe not high, but I'm just not
> prepared to make a conclusion about it.

Regarding false positives.. till now I had only one complaint, from a user
who tried to find an executable that would give a false alarm. And that was
notepad.exe of Windows.. :p
Since then the whole recipe has been reorganized and I believe false positives
won't happen again.


Now please forgive me for a long e-mail, but since, as I said, many things have
changed in YAVR and I'll be reading here again.. maybe next month I'll write
down some things about it.

-- features
  - trap e-worms with base64 signatures
  - iframe HTML exploit
  - CLSID hidden-extension exploit
  - XML codebase exploit
  - generic executable trap for bat, pif, vbs, vba, scr, lnk, com, exe
    (who said it's not a generic trap :P )
  - generic macro detection for doc, dot, xls, xla files
  - generic detection for most Nigeria scam e-mails (most of them)
    (please remember to configure the Nigeria scam filter. default is ON)
  - generic detection for porn spam e-mails (some of them)
    (please remember to configure the Nigeria scam filter. default is OFF)

-- WARNINGS you receive
    for some of the above (plain iframe, clsid, xml, macro) the e-mail is
    delivered normally but gets a WARNING in the subject plus its old
    subject. Warnings are:
    - WARNING-XML-CODEBASE-OBJECT-$SUB
    - WARNING-CLSID-EXTENSION-$SUB
    - WARNING-IFRAME-$SUB
    - WARNING-MACRO-$SUB
    - WARNING-NSCAM-SCORE:$SCORE-$SUB
    - WARNING-PORN-SCORE:$SCORE-$SUB
    - WARNING-MS-EXEC-$SUB

-- X- marks in headers
      X-YAVR: MS-EXEC  (any MS executable that wasn't identified by signatures)
      X-YAVR: NIGERIA  (Nigeria scam)
      X-YAVR: PORN     (porn related)
      X-YAVR: MACRO    (containing macro code)
      X-YAVR: XML-CODEBASE
      X-YAVR: IFRAME
      X-YAVR: CLSID-EXTENSION
      X-YAVR: SENDMAIL-EXPLOIT
      X-YAVR: VIRUS

With new switches, some subject warnings can be turned off
(porn, nigeria, macro, exe) in order not to bother users, as was pointed out
by ISP admins who used it on a system-wide basis.
Also with switches, quarantine of nigeria, porn and unknown executable files
can be turned off, and they can be delivered normally to users if they want
so.
In both cases the X- marks remain in the headers if someone wants to use them
in his own scripts.

I apologize again for the long e-mail but had to make some things clear.

Regards to all and keep up the virus and spam fight!

Nikos


____________________________________________________________________
http://www.freemail.gr - free e-mail service.
http://www.freemail.gr - free email service for the Greek-speaking.
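The base64 alignment point Dallman raises (3 bytes become 4 characters, a 12-byte signature fixes at most 16 encoded characters) and the signature trap, executable trap and X-YAVR/WARNING- marks Nikos lists, worked through as an added Python example. This is not YAVR's code and not from anyone on the thread; MZ_SIG, the example.test addresses, make_message(), and the emitted procmail recipe are this example's own assumptions and are not taken from nkvir-rc.

```python
"""Base64 virus signatures and a small attachment trap (added example).

Not YAVR's or the list members' code. A regex applied to the undecoded
base64 body needs one alternative per byte alignment, because base64 turns
3 bytes into 4 characters and the same bytes encode three different ways.
MZ_SIG and the messages built by make_message() are constructed sample
input; the tagging follows the X-YAVR / WARNING-<MARK>-$SUB marks listed
in the message.
"""
import base64
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample signature: first 12 bytes of a typical Win32 PE (MZ)
# header. Aligned base64 of it is "TVqQAAMAAAAEAAAA".
MZ_SIG = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"

# Generic executable trap from the feature list: filename extension only.
EXEC_EXT = re.compile(r"\.(bat|pif|vbs|vba|scr|lnk|com|exe)$", re.IGNORECASE)


def base64_alternatives(sig: bytes) -> list[str]:
    """Return the three encodings of `sig`, one per byte offset mod 3.

    A sextet whose bits straddle the edge of the signature depends on the
    unknown neighbouring bytes and is dropped, so the two misaligned
    alternatives are one character shorter than the aligned one.
    """
    sig_bits = "".join(f"{b:08b}" for b in sig)
    alternatives = []
    for k in range(3):
        bits = "0" * (8 * k) + sig_bits        # k unknown bytes precede sig
        lo, hi = 8 * k, 8 * k + len(sig_bits)  # bit span fixed by sig
        chars = [B64[int(bits[i:i + 6], 2)]
                 for i in range(0, len(bits), 6) if i >= lo and i + 6 <= hi]
        alternatives.append("".join(chars))
    return alternatives


def signature_regex(sig: bytes) -> re.Pattern:
    return re.compile("|".join(re.escape(a) for a in base64_alternatives(sig)))


def alignment_check(sig: bytes) -> dict[str, list[bool]]:
    """Failure mode: sig at attachment offsets 0, 1, 2 against a naive
    single-alignment pattern versus the three-way alternation."""
    naive = re.compile(re.escape(base64_alternatives(sig)[0]))
    three = signature_regex(sig)
    results = {"naive": [], "three_way": []}
    for prefix in (b"", b"\x01", b"\x01\x02"):
        body = base64.b64encode(prefix + sig + b"\x00" * 9).decode()
        results["naive"].append(bool(naive.search(body)))
        results["three_way"].append(bool(three.search(body)))
    return results


def procmail_recipe(sig: bytes, folder: str = "quarantine") -> str:
    """Emit an illustrative procmail body recipe (assumed layout). The D
    flag matters: procmail matches case-insensitively by default and
    base64 is case-sensitive; '+' is escaped as a regex metacharacter."""
    alts = "|".join(a.replace("+", r"\+") for a in base64_alternatives(sig))
    return f":0 BD:\n* ({alts})\n{folder}\n"


def make_message(filename: str, payload: bytes, subject: str = "hi") -> str:
    """Constructed test message with one base64-encoded attachment."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "alice@example.test"   # constructed addresses
    msg["To"] = "bob@example.test"
    msg.attach(MIMEText("see attachment"))
    part = MIMEApplication(payload, Name=filename)
    part.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(part)
    return msg.as_string()


def scan(raw: str, sig_re: re.Pattern = signature_regex(MZ_SIG)) -> list[str]:
    """Marks for a raw message: VIRUS on a signature hit in the undecoded
    base64 text, MS-EXEC on an executable filename extension."""
    marks = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        cte = part.get("Content-Transfer-Encoding", "").lower()
        # Join the 76-column lines so a signature straddling a wrap is still
        # seen. A procmail body regex sees the wrapped lines as they are, one
        # reason to take the signature from the very start of the file.
        text = part.get_payload(decode=False).replace("\n", "")
        if cte == "base64" and sig_re.search(text):
            marks.append("VIRUS")
        elif EXEC_EXT.search(name):
            marks.append("MS-EXEC")
    return marks


def tag(raw: str, marks: list[str]) -> str:
    """Add one X-YAVR header per mark and a WARNING-<MARK>-<old subject>."""
    msg = message_from_string(raw)
    for mark in marks:
        msg["X-YAVR"] = mark
    if marks:
        old = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = f"WARNING-{marks[0]}-{old}"
    return msg.as_string()
```

alignment_check(MZ_SIG) returns naive matches for offset 0 only and three-way matches for all three offsets, which is the defect a single hand-copied base64 string carries. The MS-EXEC branch deliberately does not look at the bytes, matching the feature list's "generic executable trap"; a signature hit wins over the extension check.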

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail