
Re: softlabs

2004-03-04 07:43:12
On Thu, 04 Mar 2004, 04:22 GMT-08 (13:22 local time) Professional
Software Engineering wrote:

> Yea, and the point was that you were claiming that some "unnamed" app
> didn't isolate these.  No need to NOT name it - go ahead, it's useful
> information for anyone wanting to check the data for themselves.  While
> you're at it, you might identify the version/date of the virus definitions
> used.

OK, I was using AVG 7.0.224 with Virus database 262.1.4, dated at
2004-03-03.

> No offence, but it seems suspiciously like your script "identifies" these
> files as infected merely because they contain executables, not because they
> are actually _infected_ executables.

My tool does exactly what it is intended to do, nothing more and
nothing less, as stated in the ReadMe which is viewable at

http://www.softlabs.info/antivirus/SoftlabsAV/ReadMe.txt

It detects if a mail has an attachment containing a Windows Executable
that is most likely a virus, no matter if the "bad" Executable is
attached directly or packed within a ZIP attachment (which may also be
encrypted). Such mails will be marked by adding a "X-Virus-Filter"
header, stating that they have been found to likely be infected.

Then, the infected mail will be moved to a Quarantine directory. In
addition, all viruses can be extracted and stored within a "viruses"
directory, to be able to scan them using an external Virus Scanner.

For me, it has already isolated lots of viruses, and it did not let
any single infected mail through. All isolated files have in fact been
viruses, as scanning with another software showed.

This is exactly my goal: filtering mails that most likely contain a
virus, *without* identifying them if they are in fact infected. So it
can be used as a permanent first layer protection, without the need of
providing virus definitions, which would be (1) a hassle, (2) never up
to date, and (3) an overhead. Scanning each and every mail for dozens
of known signatures may be useful during the first days a new virus
got wild, but is useless after a few days. Currently, I am not
receiving any other virus than Bagle.J, Netsky.D, Netsky.C and
Netsky.B. Therefore, even scanning for Netsky.A would be completely
useless today.

But, for people afraid to get mails isolated on a false-positive basis,
I have added the following mechanism to the current version 0.3: If
EXTRACT_VIRUSES has been turned on, the VIRUSFILE variable always
holds the full path to the found-to-be virus file, before quarantining the
mail.

This allows one to plug a third-party scanner before the mail would
usually be moved into the quarantine directory; and moving could be
prevented if the external scanner does not identify the "virus" file
as infected. Personally, I don't need this overhead, since I have a
zero false-positive rate and check the isolated viruses manually, from
time to time.

rob.
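The detection the post describes (an attachment that is a Windows executable, attached directly or inside a possibly encrypted ZIP), as an added Python example that is not SoftlabsAV's own code; the extension list and the constructed sample mails are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as Windows executables when the bytes cannot be inspected
# (e.g. a member of an encrypted ZIP). Hypothetical list, not SoftlabsAV's.
EXE_EXT = (".exe", ".scr", ".pif", ".cpl")

def looks_like_windows_exe(name: str, head: bytes) -> bool:
    """MZ magic, or an executable extension when only the name is available."""
    return head[:2] == b"MZ" or name.lower().endswith(EXE_EXT)

def suspicious_attachments(raw: bytes) -> list:
    """Names of attachments (or ZIP members) that look like Windows executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if looks_like_windows_exe(name, data[:2]):
            hits.append(name)
        elif data[:4] == b"PK\x03\x04":          # ZIP local file header
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.flag_bits & 0x1:   # encrypted member: judge by name only
                            if info.filename.lower().endswith(EXE_EXT):
                                hits.append(f"{name}:{info.filename} (encrypted)")
                        else:
                            with zf.open(info) as fh:
                                head = fh.read(2)
                            if looks_like_windows_exe(info.filename, head):
                                hits.append(f"{name}:{info.filename}")
            except zipfile.BadZipFile:
                pass                             # corrupt archive: leave to a real scanner
    return hits

def _build_sample(member: str, head: bytes) -> bytes:
    """Constructed test mail: one ZIP attachment wrapping one member. Not a real virus."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, head + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = "your document"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return bytes(msg)

SAMPLE_BAD = _build_sample("document.exe", b"MZ")   # would get the X-Virus-Filter treatment
SAMPLE_OK = _build_sample("document.txt", b"Hi")    # plain text member, delivered as usual
```

A hook like the VIRUSFILE one in the post would hand each hit to an external scanner before deciding whether to quarantine.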

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
