[Declude.Virus] How do we block the next Bagle?

This didn't make it through the first time, so I am sending it along again without the content that probably tripped the filters.

Matt
Bill,

IPLINKED is of course a custom filter and not a standard feature of Declude.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, March 19, 2004 4:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] How do we block the next Bagle?
hives and haven't found anything that is clear (to me) on how to use the filtering in this manner.

Thanks,
-Bill Naber
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, March 19, 2004 4:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Vi
How will we block a virus like Bagle.Q that does not use an auto run vulnerability? There's still no attachment to hand off to the mail server's virus scanner(s).

If the body was VERY standard, it could be pattern matched by Declude. Add a little random action to the body (and the port used)

Heuristics!

This was a novel, but lame attempt at exploiting a download vulnerability. This would have been 1,000 times worse if the virus dynamically provided a list of IPs from known infected computers. This can be done, and eventually it will be done. The kid writing Bagle has shown
I'm a big fan of deeper categorization. I believe these are listed in the Experimental category presently, but due to some of the patterns in that rule base, I actually score it lower than the others. This change in particular though wouldn't likely affect us since Scott has been up on the
To clarify, group 62 is experimental.
Malware is in group 55.
_M
At 05:20 PM 3/19/2004, you wrote:

I'm a big fan of deeper categorization. I believe these are listed in the Experimental category presently, but due to some of the patterns in that rule base, I actually score it lower than the