procmail

Re: beagle (actually "Bagle")

2004-03-09 13:55:43
At 19:06 2004-03-09 +0100, Robert Allerstorfer wrote:
On Tue, 09 Mar 2004, 09:07 GMT-08 Bryan Koschmann - GKT wrote:

> Has anyone figured out a good recipe to block the bagle/beagle virus? I've
> been searching around and haven't found anything. If anyone has I would
> love to have it.

yes, this one has blocked all of them:

http://antivirus.softlabs.info/

As per a previous exchange on this topic here on this list, it should be noted that this set of recipes doesn't actually identify the file as a virus (or any other form of malware), but rather quarantines zips which contain executable files.

I am not bashing the author for his work - merely clarifying that the recipe set in question will quarantine ANY zipfile which carries an executable, which is NOT the same as _scanning_for_viruses_, nor is it purpose-built to identify specific viruses (i.e. it catches Bagle because it's an executable within a zipfile). Before you go through the motions of installing, it'd be good for that to be clear right up front.


If you're in the business of exchanging program binaries with people (oh, say, because you're a software developer), this particular quarantining method may impact your ability to exchange files with people, since you'll lose the ability to receive executables within ZIP files (which has for a long time been the standard way to exchange binaries without risking them being discarded by generic malware checks).

Possible (though klunky) workarounds include:

        * zip the zip (so that the received zipfile contains a zipfile which
        contains your intended binary).

        * change the extensions of executable files within the zip.  This
        would be more painful than the above, and prone to user error.

        * at least as far as the incarnation of the softlabs filter I examined,
        you could ensure that the FIRST file in the zip was something other
        than an executable binary, since the recipe seemed to examine just the
        first zipfile entry.  This would be even more prone to error than the
        previous two workarounds.  I do wonder how long it will be before the
        zipfiles are carrying other selected text files along for the ride
        though, which will necessitate checking the complete contents of the
        zipfile instead of just the first entry.

        * similar to above, one might insert a file which the recipe could
        be modified to look for that basically says "this ZIP is kosher
        regardless of your first impression".  This is pretty useless, since
        if your senders are adding this, they could just as easily be added to
        a sender greenlist.

        * I use PKWare "AV" (Authenticity Verification) signing for files
        which I distribute (via a licensed PKWare package).  There's the
        remote possibility of modifying the softlabs recipe to support
        checking for a signed file and allowing it to pass unscathed if the
        signage is found in a flat-file db.  Problems include the lack of AV
        signing support in non-PKWare ZIP tools, as well as the necessity of
        the sender to have a registered AV code (you don't simply self-sign:
        the code is issued to you by PKWare).

        * Similar to the above, one could require that desired files be sent
        within PGP-signed messages.  The filter could check for good signage
        and allow passage when the message is from a recognized sender.

Both of the last options place a software burden on the sender, and also require the (presumed to be /etc/procmailrc invoked) filter to support per-user databases (you could implement them site-wide, but that just seems wrong, IMO).

Because ZIPs have typically been a safe way to pass around files(*), quarantining executables which arrive as-is, whether actually confirmed to be malware or not, has not generally been too disconcerting, since _intentionally_ sent files could always simply be zipped, which was something presumed to require human operator action on the sending end. Mass quarantining them will have adverse effects on users who rely on this method for exchanging files (and who don't simply park files in ftp/webspace).


* I am _well_ aware that BBSes frequently conveyed viruses within zipfiles because users would get infected before they zipped up some file that they posted to the BBS, or the BBS would auto-archive uploads to speed downloads for other users (and add BBS advert files and crap). As far as email goes however, ZIPs have traditionally been fairly safe, since the viruses sending themselves around via email usually relied upon some dolt just clicking on the attachment, not actually having to extract and THEN click on it (and these new ones, requiring the dolt to enter a zip password to extract, then go run the attachment). It takes a special breed of Neanderthal to accomplish that.

I used to participate heavily in BBS'ing (shouts to Auntie! <g>), and ran tools like "ZIPZAP" which mass-converted archives to zip, including recursion, adscrubbing, and virus scanning (all via external tools), plus optimal recompress (using whichever tool you actually used - didn't need to be ZIP really). I've also written real a/v scanners and disinfectors for specific viruses right after they'd come out - back in the day when the big boys went a month or so between updates, which was unacceptable for BBS operators who were entrenched in the front lines and who well understood that their systems were a primary distribution vector for new viruses.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
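The post above points out that a filter which looks only at the first entry of a zipfile is easy to get past (a text file first, the executable second, or a zip inside a zip), and that the complete contents of the archive need to be checked. The Python below is an added illustration of that point; it is not code from the softlabs recipe set nor from the poster. It reads the zip's central directory, examines every entry rather than just the first, recurses into nested zips, and contrasts that with a first-entry-only check. The suffix list, the helper names and the sample archives are all constructed for the example. One detail worth knowing for the password-protected variant the post mentions: entry names are stored unencrypted in the central directory, so an encrypted executable is still visible by name even when its contents cannot be read.

```python
import io
import zipfile

# Constructed for this example: suffixes treated as "executable". A real
# deployment would set this list according to its own policy.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")


def find_executables(zip_bytes, max_depth=3, prefix=""):
    """Return the path of every executable-looking entry in an in-memory zip.

    Every entry is examined, not just the first one, and nested zips are
    opened recursively (up to max_depth) so that "zip the zip" hides nothing.
    Entry names live unencrypted in the central directory, so a
    password-protected .exe is still reported by name; an encrypted nested
    zip cannot be opened without the password and is reported as uninspected.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lowered = info.filename.lower()
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            if lowered.endswith(EXECUTABLE_SUFFIXES):
                findings.append(path + (" (encrypted)" if encrypted else ""))
            elif lowered.endswith(".zip"):
                if encrypted:
                    findings.append(path + " (encrypted nested zip, not inspected)")
                elif max_depth <= 0:
                    findings.append(path + " (nesting limit reached, not inspected)")
                else:
                    try:
                        inner = find_executables(zf.read(info), max_depth - 1, path + "/")
                    except zipfile.BadZipFile:
                        # Something named .zip that does not parse is itself suspicious.
                        findings.append(path + " (named .zip but not a valid archive)")
                    else:
                        findings.extend(inner)
    return findings


def first_entry_is_executable(zip_bytes):
    """The weak check the post describes: look only at the first entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return bool(names) and names[0].lower().endswith(EXECUTABLE_SUFFIXES)


def should_quarantine(zip_bytes):
    """Quarantine when any entry, at any depth, looks executable or could not be inspected."""
    return bool(find_executables(zip_bytes))


def build_zip(entries):
    """Build a zip in memory from an ordered {name: bytes} mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives; the contents are placeholders, not real programs.
BENIGN = build_zip({"readme.txt": b"notes", "photo.jpg": b"\xff\xd8\xff"})
DECOY_FIRST = build_zip({"readme.txt": b"see attached", "Invoice.EXE": b"MZ placeholder"})
NESTED = build_zip({"readme.txt": b"notes",
                    "inner.zip": build_zip({"tool.exe": b"MZ placeholder"})})
NOT_A_ZIP = build_zip({"inner.zip": b"this is not a zip"})


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("decoy-first", DECOY_FIRST),
                          ("nested", NESTED), ("bogus nested", NOT_A_ZIP)]:
        print(f"{label:12s} first-entry check: {first_entry_is_executable(sample)!s:5}  "
              f"full check: {find_executables(sample)}")
```

Run as a script it prints, for each constructed archive, what the first-entry check says next to what the full walk finds: the decoy-first and nested archives pass the first-entry check and are caught only by the full walk. The nesting limit exists so that a deliberately deep chain of zips cannot keep the filter busy indefinitely; an archive that hits the limit is reported rather than silently passed.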
