A good thought, but it will probably be tough to convince a Sophos, etc. to go along w/ this w/o a very strong customer demand... profits are still king...

Tough to implement, but a good idea...

-- Tom

On Tue, 3 Aug 2004 11:40:19 -0400, Clairmont, Jan M <[EMAIL PROTECTED]> wrote:
> How fast is fast? The time it takes an AV, spyware or firewall
> company to react to a real-time threat. I think there is going
> to have to be a pooling of anti-virus, mail sweeping and firewall
> protection knowledge. There should be a central policy that
> can be reported and distributed to the various vendors and
> clients that auto-updates the protecting software. Simply a
> crisis-mail-alert with appropriate information for translation into a protecting
> shield that updates all AV, mail and firewall
> utilities.
>
> Has anyone written or read a spec. on standardizing worm, virus
> or other alerts with not just "there's a 'sploit", but a method of
> reporting the 'sploit or adware, malware in a way that the
> vendors and clients could instantly counter with a new filter or
> fix?
>
> Information such as:
> the virus, malware or spam type;
> then the filtering fingerprint;
> the associated DLL update, or where to get it from approved vendor lists;
> etc., etc.;
> time of discovery, place;
> description of malicious effect, etc.
>
> Does anyone have any ideas on this? Is there an RFP on this
> particular subject of universal alerts with fix etc., etc.?
>
> Because the time-consuming list watching is just not standardized.
> What vendor, and when it comes time to update, is a matter of
> when they get around to it. By that time the cows are out of the
> barn and we are like the volunteer fire department, foundation
> savers. By the time everyone gets out of bed, rushes to the firehouse and gets to
> the scene there is nothing left but a foundation to save.
>
> A Universal Internet Security Alert system with fix, signature etc. should be
> implemented; when one finds the fix they would be obligated to put the fix into an
> alert database that all vendors could use. It would be non-vendor-specific and
> universal to all updates.
>
> Any other thoughts would be welcome.
> Part of the problem I see would be how to secure the reporting itself. It would
> have to be through a specific agency,
> with signature and encryption that is fairly foolproof and secure.
> A centralized database that can then be created and then an
> alert issued where everyone can go and get the fix, signature or
> whatever, and automated. Right now every vendor has its own.
>
> Thoughts,
> Jan Clairmont
> Firewall Administrator/Consultant
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
> Sent: Tuesday, August 03, 2004 9:53 AM
> To: 'Denis McMahon'; 'fd'
> Subject: RE: [Full-Disclosure] broken virus / worm email has attachment
> not found by grisoft proxy scanner
>
> I have seen this type of e-mail on my Yahoo account at home. I just guessed
> it was a corrupt e-mail put out by some e-mail virus circling the internet.
> It wouldn't be the first time or the last.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Denis McMahon
> Sent: Tuesday, August 03, 2004 6:39 AM
> To: fd
> Subject: [Full-Disclosure] broken virus / worm email has attachment not
> found by grisoft proxy scanner
>
> Hmm
>
> I've had a couple of suspicious emails this week with headers, blank
> line, a line of text, MIME headers.
>
> Thunderbird doesn't see the MIME attachment due to the broken headers,
> which is good, but nor does the Grisoft email proxy scanner, which is
> bad, especially as I guess that certain broken applications (no, I don't
> have Outlook [Express] on my system) might try and be smart and find the
> attachment.
>
> This might be broken malware sending unusable stuff out, but my worry is
> that someone may have found a technique that will sneak an attachment
> past some AV scanners in a "broken" format that certain popular email
> apps will try and fix, possibly putting active malware on the hard disk.
>
> I tried to talk to Grisoft about this, but all I get back is "you have
> to pay to talk to us, cheapskate"... whilst I can agree that they might
> not want to provide tech support to users of their free scanner, does
> anyone have an email address at Grisoft for submitting suspicious items
> that have got past their proxy scanner?
>
> Denis
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Thomas Reidy
[EMAIL PROTECTED]
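Denis's description (real headers, a blank line, a stray line of text, then the MIME headers) is a parser-differential problem: a conforming parser treats everything after the first blank line as body text, so the attachment does not exist for it, while a client that "repairs" the message may recover it. The example below is added for this page; it is not code from any of the posters, from Grisoft or from Thunderbird. It builds a constructed message of that shape, shows that Python's stdlib `email` parser finds no attachment, and then applies a hypothetical repair heuristic (the `lenient_attachments` function and its header-line regex are assumptions made for this example, not any real client's logic) that does find it. It also runs the well-formed version of the same message so the two views can be seen agreeing when nothing is broken.

```python
"""
Parser-differential demo for a mail whose MIME headers sit below the blank
line that ends the header block.  A strict parser (Python's stdlib `email`)
sees a text-only message with no attachment; a client that re-reads
header-looking lines in the body recovers the attachment.  A proxy scanner
that trusts only the strict view therefore never inspects the file.
All messages here are constructed for this example, not captured samples.
"""
import re
from email import policy
from email.parser import BytesParser

# Well-formed version: the MIME headers are inside the header block.
GOOD_MESSAGE = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attachment
--XYZ
Content-Type: application/octet-stream; name="payload.exe"
Content-Disposition: attachment; filename="payload.exe"

dummy attachment bytes, not a real executable
--XYZ--
"""

# Broken version as described in the thread: headers, blank line, a line of
# text, *then* the MIME headers.  To a conforming parser everything after the
# first blank line is body text.
BROKEN_MESSAGE = GOOD_MESSAGE.replace(
    b'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="XYZ"\n\n',
    b'MIME-Version: 1.0\n\n-- stray line that ended the header block --\n'
    b'Content-Type: multipart/mixed; boundary="XYZ"\n\n',
)

# Header names whose appearance at the start of a body line might tempt a
# lenient client to treat the rest of the body as a second header block.
# (Assumed heuristic for this example, not taken from any real client.)
MIME_HEADER = re.compile(rb"^(content-type|content-transfer-encoding|"
                         rb"content-disposition|mime-version):", re.IGNORECASE)


def parse(raw: bytes):
    """Conforming parse; policy.default yields EmailMessage objects."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def strict_attachments(raw: bytes) -> list:
    """Attachment filenames visible to a conforming RFC 2822/2045 parser."""
    return [p.get_filename() for p in parse(raw).iter_attachments()]


def lenient_attachments(raw: bytes) -> list:
    """Attachment filenames a 'repairing' client might recover.

    If the message has no MIME structure, find the first MIME header line in
    the body, splice everything from that line onward back onto the real
    header block, and parse the result again.
    """
    if parse(raw).is_multipart():
        return strict_attachments(raw)
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    try:
        blank = lines.index(b"")          # end of the real header block
    except ValueError:
        return []
    for i in range(blank + 1, len(lines)):
        if MIME_HEADER.match(lines[i]):
            repaired = b"\n".join(lines[:blank] + lines[i:]) + b"\n"
            return [p.get_filename() for p in parse(repaired).iter_attachments()]
    return []


def hidden_attachments(raw: bytes) -> list:
    """Files a lenient client would see but a strict scanner would not.

    A proxy scanner should scan (or reject) any message for which this is
    non-empty: the strict verdict says nothing about what the recipient's
    client may actually write to disk.
    """
    seen = set(strict_attachments(raw))
    return [f for f in lenient_attachments(raw) if f not in seen]


if __name__ == "__main__":
    for name, raw in (("well-formed", GOOD_MESSAGE), ("broken", BROKEN_MESSAGE)):
        print(f"{name}: strict={strict_attachments(raw)} "
              f"lenient={lenient_attachments(raw)} hidden={hidden_attachments(raw)}")
```

The practical check for a mail gateway follows from `hidden_attachments`: parse each message the strict way and at least one lenient way, and treat any disagreement as a reason to scan the recovered parts or quarantine the message, rather than passing it on the strength of the strict parse alone.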
