On 1/30/06, Rajkumar S <[EMAIL PROTECTED]> wrote:
> Just wondering how far a signature can go?  Does the scanner need to go back
> and forth in a file for scanning or can it scan a stream as it passes by?
> How far does it need to go if it has to go backwards? What about zip files?
> Do they need to be unzipped before scanning?
>
> The idea is to have a small packet queue where the last n packets are stored,
> scanned and then transmitted in a cyclic fashion, i.e. the first n-1 packets
> will just get queued; when the nth packet arrives, the queue is scanned, the
> 1st packet is released and the nth packet is appended to the queue. This
> process is repeated for every packet.

What about out of order packets?  What about duplicates...?

The short answer is, no such approach, even if you can get it
performing reasonably well, will be completely effective.  You would
be better off defaulting to blocking all outbound traffic and routing
all allowed traffic through proxies or gateways.

Keep in mind that clamav can't catch a virus it doesn't have a
signature for.  For there to be a signature somebody has to have
reported it.  That means that it has to be in the wild *before* you
can get signatures to detect it.  Which may mean that you're already
infected.  This isn't unique to clamav.

--
                 Please keep list traffic on the list.
Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
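
The out-of-order and duplicate-packet questions raised in the reply, shown as an added example that is not part of the original message or of ClamAV: a last-n-packets queue scanned in arrival order is compared with a scan after reassembly by sequence offset. The marker string, packet size and function names are constructed for illustration, and "first copy wins" for duplicates is an assumption.

```python
from collections import deque

# Constructed, harmless marker; not a real ClamAV signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def make_packets(data, size):
    """Split data into (sequence offset, payload) pairs."""
    return [(i, data[i:i + size]) for i in range(0, len(data), size)]

def window_scan(packets, n):
    """Scan the last n payloads in arrival order (the queue from the question)."""
    window = deque(maxlen=n)
    for _seq, payload in packets:
        window.append(payload)
        if SIGNATURE in b"".join(window):
            return True
    return False

def reassembled_scan(packets):
    """Order by sequence offset and drop duplicates before scanning."""
    segments = {}
    for seq, payload in packets:
        segments.setdefault(seq, payload)  # assumption: first copy wins
    return SIGNATURE in b"".join(segments[s] for s in sorted(segments))

# Constructed sample stream: the marker spans four 8-byte packets.
IN_ORDER = make_packets(b"A" * 20 + SIGNATURE + b"B" * 20, 8)
REORDERED = IN_ORDER[:3] + [IN_ORDER[4], IN_ORDER[3]] + IN_ORDER[5:]
DUPLICATED = IN_ORDER[:4] + [IN_ORDER[3]] + IN_ORDER[4:]

if __name__ == "__main__":
    # Columns: window of 5, window of 2, scan after reassembly.
    for name, pkts in [("in order", IN_ORDER), ("reordered", REORDERED),
                       ("duplicated", DUPLICATED)]:
        print(name, window_scan(pkts, 5), window_scan(pkts, 2),
              reassembled_scan(pkts))
```

The queue only matches when the packets arrive in order and the window is at least as long as the match; a gateway or proxy that sees the reassembled stream does not depend on either condition.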
