Re: [Clamav-users] Virus Distribution

Wed, 08 Sep 2004 15:26:46 -0700

Those certainly could be it, but it is unusual compared with the other viruses we see daily. I wonder if there is more to this one than has been foun yet.


On Sep 8, 2004, at 12:40, Timo Sch�ler wrote:

Thus spake Doug Hardie sometime Today... 

On Sep 8, 2004, at 12:16, Timo Sch�ler wrote:

Doug Hardie wrote:

I have a cron job that scans the clamd.log file every day and counts the specific virusus found. While the numbers tend to vary a bit from day to day the relative ratios between the various viruses found tend to stay the same - except for Worm.Zafi.B. One day it will find 1100 of them and the next day 8. It is never consistent. I am not seeing any significant number of viruses slipping through. It seems to be some sort of distribution issue with that virus itself. The others all seemed to come on strong at first and then die down to residual annoyances. But not this one. It keeps coming back in volume periodically. Any ideas what makes this one so different from the rest? 

perhaps this may be interesting stuff for you:

http://www.cs.berkeley.edu/~nweaver/sapphire/

Thanks but I would expect from that that the worm activity would tend to die down to a relatively constant nuisance level. However, its not doing that every couple days I get another flood of them. 

there may be several reasons:

i) changing network behaviour (route flaps, etc.)

ii) changing effectiveness of virus filters et al.

iii) built-in automatisms in worm/virus itself

NB: it is not always best to spread a virus/worm at the highest available speed (depends on number of infected hosts, bandwidth available to the hosts, etc.).

i'm sure i missed another point i didn't think of now ;)

--
mit vorzueglichster Hochachtung/best regards,

Timo Schoeler
//macfinity -- finest IT services | Triftstrasse 39 | 13353 Berlin | Germany
Fon ++49 30 25 20 30 20 | Fax ++49 30 25 20 30 19
PGP data http://www.macfinity.net/~tis/contact/PGPPKB_timo.schoeler.txt





-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idP47&alloc_id808&op=click
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Reply via email to