Yeah, maintaining BANNAMEs is not a good long-term solution. I've tripled my list in the last week with the new variants.
Since filenames are becoming more dynamic, and we will most likely start seeing significant overlap with legitimate filenames soon, I would amend this by having the DNS-based lookup use parameters that describe the file instead, like maybe filesize and CRC. I don't know if Declude is interested in this, but if not it shouldn't be too hard to whip up an external test that determined these and looked up against either a specialized DNS lookup, or a downloadable list. Seems like AV companies need to start using more advanced pattern matching to catch these variants, rather than relying on specific signatures. Darin. ----- Original Message ----- From: "Markus Gufler" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Friday, November 25, 2005 3:20 AM Subject: RE: [Declude.Virus] Another Sober out. (=> idea) Thank you John but, > BANNAME mailtext.zip ...is this really the only name used by this variant? I'm feeling a little bit bad, while adding and adding BANNAMEs to the virus.cfg file. First as sayd yesterday I feel there are many many BANNAME entries that are not more accurate or spreading in the wild and so unneccessary load in my and our config files. Second it's always the "two steps behind" if we have to adapt our config files manualy after someone else has discovered a new variant. Wouldn't be possible to write a junkmail external test, or maybe also an "AV-Engine" that does nothing else then looking at a central database for filenames that are suspsicious. I'm not 100% familiar with the ip4r/rbl tecnique but why not set up a DNS-server containing TLD-zones like .zip .exe .com .... Then some of us can act as operators and add additional zones like "mailtext" Looking at the case two days ago that I reported with the new bagle variant it would also be possible to add something like 1.exe.ester.zip 12.exe.ester.zip 1.exe.emanuel.zip ... Are maybe also with wildcards like *.exe.mailtext.zip By having bitmasked result codes it would maybe also possible to entries like *.exe*.zip with a "suspicious" result code and other more concrete definitions with an "accurate" result code. so admins can use it at they want. Our administrative work should decrease while new banname definitions will be available as soon the first of the operators will detect and add it to the database. +as having one (or more replicated) central points we should be able to notice a relativ high increase of request for exe in zips and so know that something seems going on. What do you think? My opinion is that last week av-companies showed that they are not able to provide accurate detection-quality. Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
