Interesting thought.

However, on my system, that would not work. 

I am scanning for viruses first. I block executables within zips. So my
point of adding the BANNAME is so that the banned file notice that goes out
(until the AV scanners update their defs) does not just have the generic
banned file (ZIP-EXE).

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Markus Gufler
> Sent: Friday, November 25, 2005 12:21 AM
> To: [email protected]
> Subject: RE: [Declude.Virus] Another Sober out. (=> idea)
> 
> Thank you John but,
> 
> > BANNAME     mailtext.zip
> 
> ...is this really the only name used by this variant?
> I'm feeling a little bit bad, while adding and adding BANNAMEs to the
> virus.cfg file.
> 
> First, as said yesterday, I feel there are many many BANNAME entries that are
> no longer accurate or spreading in the wild and so are unnecessary load in my
> and our config files.
> Second, it's always the "two steps behind" if we have to adapt our config
> files manually after someone else has discovered a new variant.
> 
> Wouldn't it be possible to write a junkmail external test, or maybe also an
> "AV-Engine" that does nothing else than look at a central database for
> filenames that are suspicious?
> 
> I'm not 100% familiar with the ip4r/rbl technique, but why not set up a
> DNS-server containing TLD-zones like .zip .exe .com ....
> Then some of us can act as operators and add additional zones like
> "mailtext"
> 
> Looking at the case two days ago that I reported with the new bagle variant,
> it would also be possible to add something like
> 
> 1.exe.ester.zip
> 12.exe.ester.zip
> 1.exe.emanuel.zip
> ...
> 
> Or maybe also with wildcards like
> 
> *.exe.mailtext.zip
> 
> By having bitmasked result codes it would maybe also be possible to have
> entries like
> 
> *.exe*.zip
> 
> with a "suspicious" result code and other more concrete definitions with an
> "accurate" result code.
> 
> So admins can use it as they want.
> Our administrative work should decrease, while new banname definitions will
> be available as soon as the first of the operators detects and adds it to
> the database.
> 
> Plus, having one (or more replicated) central points, we should be able to
> notice a relatively high increase of requests for exe in zips and so know that
> something seems to be going on.
> 
> What do you think? My opinion is that last week av-companies showed that
> they are not able to provide accurate detection-quality.
> 
> Markus
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.

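The DNS/RBL-style filename lookup Markus sketches above, modelled as an added example (not code from the thread or from Declude): filenames become label sequences under a list domain, zone entries carry bitmasked result codes, and an admin maps the combined code to an action. The zone contents, the `names.example.invalid` list domain and the action names are constructed assumptions.

```python
"""Filename-reputation lookup in the style of the thread's DNS/RBL proposal.
Added example; the zone below is constructed from the names in the thread."""
import re
from fnmatch import fnmatchcase

SUSPICIOUS = 0x1   # generic pattern hit, e.g. an .exe inside a .zip
ACCURATE = 0x2     # entry an operator added for a known sample

# Constructed zone: glob pattern -> result bits. Several entries may match
# one name, and their bits are OR'd together, as bitmasked RBL codes would be.
ZONE = {
    "mailtext.zip": ACCURATE,
    "1.exe.ester.zip": ACCURATE,
    "12.exe.ester.zip": ACCURATE,
    "1.exe.emanuel.zip": ACCURATE,
    "*.exe.mailtext.zip": ACCURATE,
    "*.exe*.zip": SUSPICIOUS,
}

def normalise(filename):
    """Lower-case and replace anything that is not a valid DNS label char."""
    return re.sub(r"[^a-z0-9.-]", "-", filename.strip().lower())

def query_name(filename, list_domain="names.example.invalid"):
    """Build the DNS name a client would query, e.g. 1.exe.ester.zip.<list>."""
    return normalise(filename) + "." + list_domain

def lookup(filename, zone=ZONE):
    """Return the OR of result codes for every zone entry matching filename."""
    name = normalise(filename)
    code = 0
    for pattern, bits in zone.items():
        if fnmatchcase(name, pattern):
            code |= bits
    return code

def rbl_answer(code):
    """Encode the result as an RBL-style A record in 127.0.0.0/8."""
    return "127.0.0.%d" % code

def action(code):
    """Site policy (assumed): ban on an accurate hit, hold on suspicious only."""
    if code & ACCURATE:
        return "ban"
    if code & SUSPICIOUS:
        return "hold"
    return "pass"
```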
