Selectively quarantining on virus name
Peter Peters
P.G.M.Peters at utwente.nl
Fri Aug 22 09:04:40 IST 2003
On Fri, 22 Aug 2003 01:07:55 +0100, you wrote:
>I agree with Mike's thinking (as usual!), but ISTM parsing the output of
>an AV package to find the virus name, and then consulting a list which must
>be kept up to date separately, is a kludge. A necessary one, at present,
>but wouldn't it be nice if the AV software were a bit more helpful? What
>I'm thinking of is a switch which causes the AV package to output more
>verbose and machine-parsable information (probably XML-based) detailing
>the virus's characteristics. In other words, the AV package *itself* would
>tell MailScanner whether it's appropriate to warn the sender.
>
>Is this an impossible dream? The AV business model doesn't exactly encourage
>cooperation between the vendors, which would be required to standardise the
>format. OTOH, for all I know some packages may already provide this
>functionality. I'm a Unix person; up to now, AV scanning has been something
>which I regarded wryly from a distance.
You will have the AV vendors rewrite their software to make that
distinction. The most misdirected virus warnings come from software of
those (big) AV vendors. This shows they don't mind. They probably see it
as a way to advertise their software.
Julian, could you emphasise the "silent" feature at TF-CSIRT in
Amsterdam? I am trying to get some forces working on putting pressure on
those AV vendors to stop their spam (as I see it).
--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
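The approach discussed in this thread (parse the scanner's report for the virus name, then consult a separately maintained list to decide whether the sender should be warned), as an added sketch that is not part of the original post and is not MailScanner's own code. The report format, the virus names and the pattern list are constructed assumptions.

```python
import fnmatch
import re

# Constructed report format: "./<msgid>/<attachment>: Found virus <name>".
# Every real AV package words this differently; the regex is an assumption.
REPORT_RE = re.compile(r"^\./(?P<msg>[^/]+)/\S+: Found virus (?P<name>\S+)$")

# Hypothetical operator-maintained list of glob patterns for virus families
# that forge the sender address. The names are constructed placeholders.
FORGING_PATTERNS = ["W32/ExampleForger-*", "*ExampleMassMailer*"]

# Constructed sample output for three messages.
SAMPLE_REPORT = """\
Scanning 3 messages
./msg001/invoice.pif: Found virus W32/ExampleForger-B
./msg002/macro.doc: Found virus WM97/ExampleMacro
./msg003/a.zip: Found virus WM97/ExampleMacro
./msg003/b.scr: Found virus w32/exampleforger-c
"""


def parse_report(lines):
    """Return {message id: set of virus names} from scanner output lines."""
    found = {}
    for line in lines:
        m = REPORT_RE.match(line.strip())
        if m:  # banner, summary and clean-file lines are skipped
            found.setdefault(m.group("msg"), set()).add(m.group("name"))
    return found


def is_forging(name, patterns):
    """Case-insensitive glob match of a virus name against the list."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def warn_decisions(found, patterns=FORGING_PATTERNS):
    """Map message id -> True if a sender warning is appropriate.

    One forging virus in a message suppresses the warning for the whole
    message, because the envelope sender can no longer be trusted.
    """
    return {msg: not any(is_forging(n, patterns) for n in names)
            for msg, names in found.items()}


if __name__ == "__main__":
    print(warn_decisions(parse_report(SAMPLE_REPORT.splitlines())))
```

With an empty or stale pattern list every message falls through to "warn the sender", which is the maintenance weakness the quoted message calls a kludge.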