For performance we have to use the least numbers if signatures to clear a area.

For example if we are taking on a standard Linux system.   Particular
directories should not contain anything executable like the man page
directory.   So any executable found in that location is a issue that
can be raised with person as something to look into.   It should fail
to user really even if no signature exists matching it due to its
location in the file system.

Same method can be applied for word documents.   In every business
there will be a stack of archival documents that should not contain
macros at all.

To do this is really adding a few more levels of signatures.    1 lot
of signatures that detect and reject all possible locations a virus
could hide.   Anything that gets past these signatures has to be
clean.   Even better these signatures tune able only to allow
particular groups of files past at the users selection.

This new set of signatures is the only way we can really scan and say
100 percent there is no virus somewhere in that space.  Scanning for
existence of macros inside a word document has to be less than
scanning a word document for every word macro virus created.

We basically need to create 3 list of files.

1 Files that no known way to infect exists.
2 Files that have a known way to infect but don't detect to contain a
3 Files that are infected with something.

All three types have there use.   Users being able to find type 1 and
2 in emails would allow sorting.   Type 1 could go straight threw.
Type 2 could be delayed by 7 days+ so signatures could catch up
closing the race between virus release and signature being released to
kill it.    Other option is business might choose to apply a out going
filter that they can only send not infect able files.

Lets provide the tools for users to attempt to block viruses before we
even know what they are.

Peter Dolding
Please submit your patches to our Bugzilla:

Reply via email to