Thank you John but, > BANNAME mailtext.zip
...is this really the only name used by this variant? I'm feeling a little bit bad, while adding and adding BANNAMEs to the virus.cfg file. First as sayd yesterday I feel there are many many BANNAME entries that are not more accurate or spreading in the wild and so unneccessary load in my and our config files. Second it's always the "two steps behind" if we have to adapt our config files manualy after someone else has discovered a new variant. Wouldn't be possible to write a junkmail external test, or maybe also an "AV-Engine" that does nothing else then looking at a central database for filenames that are suspsicious. I'm not 100% familiar with the ip4r/rbl tecnique but why not set up a DNS-server containing TLD-zones like .zip .exe .com .... Then some of us can act as operators and add additional zones like "mailtext" Looking at the case two days ago that I reported with the new bagle variant it would also be possible to add something like 1.exe.ester.zip 12.exe.ester.zip 1.exe.emanuel.zip ... Are maybe also with wildcards like *.exe.mailtext.zip By having bitmasked result codes it would maybe also possible to entries like *.exe*.zip with a "suspicious" result code and other more concrete definitions with an "accurate" result code. so admins can use it at they want. Our administrative work should decrease while new banname definitions will be available as soon the first of the operators will detect and add it to the database. +as having one (or more replicated) central points we should be able to notice a relativ high increase of request for exe in zips and so know that something seems going on. What do you think? My opinion is that last week av-companies showed that they are not able to provide accurate detection-quality. Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
