It is possible to "renumber" any rule or rules upon request, but I think for the purposes of this discussion acting on matches in group 55 should suffice for most.
Specifically, I think it is very safe to hold on group 55.
Hope this helps, _M
PS: Note that the demo rulebase has been upgraded some time ago to expose this group as well as the gray hosting group.
At 05:11 PM 3/19/2004, you wrote:
Perhaps Pete from Sniffer could assign a new Message Sniffer Result Code just for these heuristics.
We could then assign a hold based on this specific result code.
Scott Fisher
Director of IT
Farm Progress Companies
>>> [EMAIL PROTECTED] 03/19/04 03:42PM >>>
Heuristics!
This was a novel, but lame, attempt at exploiting a download vulnerability. This would have been 1,000 times worse if the virus dynamically provided a list of IPs from known infected computers. This can be done, and eventually it will be done. The kid writing Bagle has shown that he has some talent for coming up with new tricks, and so far he has come up with the best human engineering attempt, and new exploits for password-protected files and hiding the payload outside of the E-mail. It's clear to me that a person that knows this stuff has some experience with E-mail systems, and he almost definitely works for spammers.
If he was to mix some human engineering with remotely hosted code, the result could be disastrous. This attempt was lame because the exploit was old, long-past patched, easily detectable, and it relied on hard-coded IPs.
Pete from Sniffer has been coding up new rules for this stuff (not all of his clients use Declude Virus), and if you have JunkMail Pro, it's easy to write a filter to block something that is IP linked to port 81. In the future, there will likely be little difference between what is necessary to block spam and viruses, and I could see when it might make sense to merge functionality between Declude Virus and Declude JunkMail to achieve a higher level of heuristics. Full MIME parsing in JunkMail may very well give us many useful capabilities. For now, I don't see the need as being urgent, but I've thought that such a thing as you described was possible for some time, and I've been wondering why it didn't happen. Maybe the AV scanner companies will come out with command line functionality that includes content heuristics some time in the future.
FYI, I've found Declude JunkMail on my system tends to catch most all of the undetected variants that slip through in normal ZIP files early on.
Matt
Greg Little wrote:
> How will we block a virus like Bagle.Q that does not use an "auto run" vulnerability?
> There's still no attachment to hand off to the mail server's virus scanner(s).
> If the body was VERY standard, it could be pattern matched by Declude.
> Add a little random action to the body (and the port used) and here we go again.
>
> The latest batch of Bagle's (Q,R,S,T) can be blocked because, while not a virus, it breaks the rules.
> (Auto run using a hole in MS outlook)
>
> The next version may be the same, except the user has to run it by hand.
> Just a 1 K e-mail with a link to a recently compromised PC.
>
> When will it end?????????? (or at least slow down)
>
> PS Scott,
> Thanks for the recently added Vulnerability blocking. (for Q R S & T)
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
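The body-content check Matt describes (hold a message whose only payload is a link to a raw IP address on port 81), written out as an added example that is not part of any message in this thread and is not Declude JunkMail or Message Sniffer code. It generalises slightly beyond the thread: the set of suspicious ports is a parameter, and the sample message is a constructed one, not a real Bagle sample. Greg's objection also shows up in the usage note: a link to a hostname rather than an IP literal passes this check untouched.

```python
import email
import ipaddress
import re
from email import policy
from typing import List, Tuple

# Constructed sample message (not a real Bagle sample): a short text body whose only
# payload is a link to a raw IP literal on port 81, the pattern discussed in the thread.
SAMPLE_MESSAGE = b"""From: someone@example.invalid
To: you@example.invalid
Subject: Re: Msg reply
Content-Type: text/plain; charset=us-ascii

Hello, check this out:
http://192.0.2.25:81/
bye
"""

# An http(s) URL whose host is a dotted-quad IP literal, with an optional explicit port.
IP_URL_RE = re.compile(
    r"https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d{1,5}))?",
    re.IGNORECASE,
)

# Assumption for this example: an explicit non-web port on a raw IP literal is reason
# enough to hold. Port 81 is the one the thread mentions; widen the set as needed.
SUSPICIOUS_PORTS = {81}


def text_parts(raw: bytes) -> List[str]:
    """Return the decoded text of every text/* MIME part (plain and HTML)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        part.get_content()
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    ]


def find_ip_links(text: str) -> List[Tuple[str, int]]:
    """Return (ip, port) for each URL whose host is a valid IPv4 literal.

    Port defaults to 80 when none is given. Octets above 255 (which the loose
    regex accepts) are rejected by ipaddress and skipped.
    """
    found = []
    for m in IP_URL_RE.finditer(text):
        try:
            ip = str(ipaddress.IPv4Address(m.group("ip")))
        except ipaddress.AddressValueError:
            continue
        port = int(m.group("port")) if m.group("port") else 80
        found.append((ip, port))
    return found


def should_hold(raw: bytes, ports=SUSPICIOUS_PORTS) -> bool:
    """Hold the message if any text part links to an IP literal on a suspicious port."""
    return any(
        port in ports
        for part in text_parts(raw)
        for _, port in find_ip_links(part)
    )


if __name__ == "__main__":
    print(find_ip_links(SAMPLE_MESSAGE.decode()))
    print("HOLD" if should_hold(SAMPLE_MESSAGE) else "PASS")
```

Running it on the constructed sample yields one hit, `("192.0.2.25", 81)`, and a HOLD verdict. The same body with `http://www.example.com:81/` instead of the IP literal passes, which is exactly the "add a little random action to the body" evasion Greg raises; a hostname-based link needs a different signal (a freshly registered domain, a reputation lookup) than this hard-coded-IP check can give.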