Title: Message
Perhaps a new feature in Declude that can be implemented during an outbreak (before the slow AV guys create defs) which reverses the logic of the BAN module, making it an ALLOW module.

For instance, ban all extensions except those specifically allowed - this creates its own problems such as forcing users to conform to renaming files in a specific way to get them through, but may solve part of the CLSID issue.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of NIck Hayer
Sent: Tuesday, May 31, 2005 2:55 PM
To: [email protected]
Subject: Re: [Declude.Virus] MS05-16 Exploit

Hi Andy,


Colbeck, Andrew wrote:
> Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID vulnerability detector.
>
> They are entirely different animals, which happen to have CLSID at their heart.

You are sure up to date with this stuff!

> The only way to attack MS05-16 abuse with Declude Virus is with a) keep your virus scanner up to date,

This is good news. That can be easily accomplished -

> and/or b) to watch for virus news and ban extensions that are deliberately crafted as bogus, e.g. .d0c or .doc_ instead of .doc

Well this won't be effective because folks now rename extensions as a matter of course to get clean files through, e.g. .exe > .e_x_e :)

> Leave it up to your antivirus scanner.

Perfect and thanks for the insight.

-Nick
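
The BAN versus ALLOW trade-off discussed in this thread, as an added example that is not part of the original messages and is not Declude's own logic or configuration. The extension sets, function names and filenames are constructed assumptions.

```python
# Added illustration: BAN (denylist) vs. ALLOW (allowlist) attachment filtering.
# Extension sets and filenames are constructed; they are not Declude settings.
BANNED = {"exe", "scr", "pif", "bat"}
ALLOWED = {"doc", "pdf", "txt", "jpg"}

def final_extension(name: str) -> str:
    """Return the lowercased text after the last dot, or '' if there is none."""
    base = name.strip().rstrip(". ")  # Windows ignores trailing dots and spaces
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()

def ban_mode(name: str) -> bool:
    """Deliver unless the final extension is explicitly banned."""
    return final_extension(name) not in BANNED

def allow_mode(name: str) -> bool:
    """Deliver only if the final extension is explicitly allowed."""
    return final_extension(name) in ALLOWED

# Constructed attachment names; the CLSID is an all-zero placeholder.
SAMPLES = [
    "report.doc",    # ordinary allowed type
    "setup.exe",     # explicitly banned type
    "invoice.d0c",   # deliberately bogus extension
    "invoice.doc_",  # deliberately bogus extension
    "tool.e_x_e",    # clean file renamed by a user to get through
    "photo.jpg.",    # trailing dot must not hide the real extension
    "notes.txt.{00000000-0000-0000-0000-000000000000}",  # CLSID as extension
]

def compare(names):
    """Map each name to (delivered under BAN, delivered under ALLOW)."""
    return {n: (ban_mode(n), allow_mode(n)) for n in names}

if __name__ == "__main__":
    for name, (ban, allow) in compare(SAMPLES).items():
        print(f"{name:52} BAN={'deliver' if ban else 'block':8}"
              f" ALLOW={'deliver' if allow else 'block'}")
```

The `tool.e_x_e` row shows the cost raised in the thread: ALLOW mode blocks the bogus and CLSID-style names that BAN mode delivers, but it also blocks clean files that users have renamed.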
