Selectively quarantining on virus name
Malcolm Ray
M.Ray at ULCC.AC.UK
Fri Aug 22 01:07:55 IST 2003
> >>> mailscanner at ECS.SOTON.AC.UK 8/21/2003 9:55:55 AM >>>
> At 16:03 21/08/2003, you wrote:
> >mikea wrote:
> >
> > > Considering the evolutionary path we see worms/viruses following,
> > > would it make sense to retain the current "Silent Viruses" list
> > > for the time being, but add a "Notify About Viruses" list which
> > > listed the ones for which infection notices should be sent, with
> > > an eye to eventually removing "Silent Viruses" processing?
> >
> >I'd second that, particularly if the "Notify About Viruses" could use
> >regex matching. This would be useful since most of the vendors seem to
> >encode some kind of description of the virus type in its name. For
> >example Sophos names Word 97 Macro viruses as WM97/virusname. This way we
> >could choose to send notifications for macro viruses (which tend to appear
> >in documents sent by users) but ignore other types of virus.
>
> I could do that. The simpler thing to do is change the default setting in
> new installations to *not* send sender warnings at all ("Warn Senders =
> no").
>
> Thoughts?
[Sorry, I'm piggy-backing onto this message because the earlier messages
were from before I subscribed. And I'm going a bit OT]

I agree with Mike's thinking (as usual!), but ISTM parsing the output of
an AV package to find the virus name, and then consulting a list which must
be kept up to date separately, is a kludge. A necessary one, at present,
but wouldn't it be nice if the AV software were a bit more helpful? What
I'm thinking of is a switch which causes the AV package to output more
verbose and machine-parsable information (probably XML-based) detailing
the virus's characteristics. In other words, the AV package *itself* would
tell MailScanner whether it's appropriate to warn the sender.

Is this an impossible dream? The AV business model doesn't exactly encourage
cooperation between the vendors, which would be required to standardise the
format. OTOH, for all I know some packages may already provide this
functionality. I'm a Unix person; up to now, AV scanning has been something
which I regarded wryly from a distance.
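As an added illustration of the regex-based "Notify About Viruses" idea discussed in this thread (example code written for this page, not MailScanner's own code and not posted by any participant), here is a small Python policy check that pulls the virus name out of Sophos-style report lines and decides whether a sender warning should go out. The list contents, the substring semantics assumed for the "Silent Viruses" list and the scanner output lines are all constructed assumptions.

```python
import re

# Constructed sample lists; in practice these would come from the
# MailScanner configuration. Names on the silent list are worms that
# forge the From: address, so warning the "sender" only bounces noise.
SILENT_VIRUSES = ["W32/Sobig", "W32/Klez"]
# Sophos-style prefixes for Word/Excel/PowerPoint macro viruses, which
# usually travel in documents a real user actually sent.
NOTIFY_PATTERNS = [r"^WM97/", r"^XM97/", r"^PP97/"]


def parse_sophos_report(line):
    """Extract the virus name and file from a sweep-style report line.

    Assumed line shape (constructed for this example):
      >>> Virus 'WM97/Marker-C' found in file /var/spool/msg1/report.doc
    Returns None for lines that carry no detection.
    """
    m = re.search(r">>> Virus '([^']+)' found in file (\S+)", line)
    if not m:
        return None
    return {"name": m.group(1), "file": m.group(2)}


def should_warn_sender(virus_name, silent=SILENT_VIRUSES, notify=NOTIFY_PATTERNS):
    """Silent list wins; otherwise warn only on an explicit notify match."""
    lowered = virus_name.lower()
    # Assumed semantics: a silent entry matches as a case-insensitive substring,
    # so "W32/Sobig" covers every Sobig variant the scanner reports.
    if any(entry.lower() in lowered for entry in silent):
        return False
    return any(re.search(pat, virus_name, re.IGNORECASE) for pat in notify)


def classify_report(lines):
    """Apply the policy to scanner output; returns [(virus name, warn?)]."""
    results = []
    for line in lines:
        hit = parse_sophos_report(line)
        if hit is not None:
            results.append((hit["name"], should_warn_sender(hit["name"])))
    return results


# Constructed sample scanner output.
SAMPLE_OUTPUT = [
    ">>> Virus 'WM97/Marker-C' found in file /var/spool/msg1/report.doc",
    ">>> Virus 'W32/Sobig-F' found in file /var/spool/msg2/your_details.pif",
    ">>> Virus 'Troj/Example-A' found in file /var/spool/msg3/setup.exe",
    "No errors",
]

if __name__ == "__main__":
    for name, warn in classify_report(SAMPLE_OUTPUT):
        print(f"{name}: {'warn sender' if warn else 'stay silent'}")
```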