RE: [Declude.Virus] How do we block the next Bagle?

2004-03-23 Thread Bill Naber
: [Declude.Virus] How do we block the next Bagle? This didn't make it through the first time, so I am sending it along again without the content that probably tripped the filters. Matt Original Message Bill, IPLINKED is of course a custom filter and not a standard feature of Declude

RE: [Declude.Virus] How do we block the next Bagle?

2004-03-22 Thread Bill Naber
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Sent: Friday, March 19, 2004 4:43 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] How do we block the next Bagle? Heuristics! This was a novel, but lame attempt at exploiting a download

RE: [Declude.Virus] How do we block the next Bagle?

2004-03-22 Thread Bill Naber
, 2004 4:43 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] How do we block the next Bagle? Heuristics! This was a novel, but lame attempt at exploiting a download vulnerability. This would have been 1,000 times worse if the virus dynamically provided a list of IPs from known infected

Re: [Declude.Virus] How do we block the next Bagle?

2004-03-22 Thread Matt
hives and haven't found anything that is clear (to me) on how to use the filtering in this manner. Thanks, -Bill Naber -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Matt Sent: Friday, March 19, 2004 4:43 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Vi

[Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Greg Little
How will we block a virus like Bagle.Q that does not use an auto run vulnerability? There's still no attachment to hand off to the mail server's virus scanner(s). If the body was VERY standard, it could be pattern matched by Declude. Add a little random action to the body (and the port used)

Re: [Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Matt
Heuristics! This was a novel, but lame attempt at exploiting a download vulnerability. This would have been 1,000 times worse if the virus dynamically provided a list of IPs from known infected computers. This can be done, and eventually it will be done. The kid writing Bagle has shown

Re: [Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Matt
I'm a big fan of deeper categorization. I believe these are listed in the Experimental category presently, but due to some of the patterns in that rule base, I actually score it lower than the others. This change in particular though wouldn't likely affect us since Scott has been up on the

Re: [Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Pete McNeil
To clarify, group 62 is experimental. Malware is in group 55. _M At 05:20 PM 3/19/2004, you wrote: I'm a big fan of deeper categorization. I believe these are listed in the Experimental category presently, but due to some of the patterns in that rule base, I actually score it lower than the