Sobig.E Getting Through Intermittently

Julian Field mailscanner at ecs.soton.ac.uk
Fri Jun 27 20:42:54 IST 2003


At 17:47 27/06/2003, you wrote:
> > Hi all!
> >
> > > I think that Ron has a valid point. It makes more sense to solve the
> > > problem at the root which is the MailScanner engine, since it has
> > > proven to be much better than a signature update from the AV company.
> > > That takes 48-72 hours at the earliest.
> > >
> > > This level of checking will increase the security that much higher.
> > >
> > > Just thought I'd add my two bits to Ron's e-mail and add it as a
> > > feature request in mailscanner.
> >
> > I would vote for this feature too. Maybe this could be done as a "dummy"
> > virus scanner which just tags mail containing disallowed suffixes (and
> > digs into the archive files)?
> >
>
>I think this feature would be useful, but I think I've already spotted a
>few gotchas.
>This means mailscanner has to extract the archives instead of the virus
>scanner, does this leave it open to all the vulnerabilities with archives
>that we normally trust the virus scanner to avoid?

There are lots of gotchas. This is not a trivial exercise at all. The virus
scanners go to considerable lengths to do this reliably.

>I think would also need to reference a second list of allowed file types,
>what if you want to let your users receive a potentially malicious filetype
>e.g. a .reg file but only when sent in an archive?
>
>Just my 2c
>
>Uly

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
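
Added example, not part of the original message and not MailScanner's code: a filename-suffix check that descends into zip attachments, with the depth and expansion limits that the archive "gotchas" in this thread call for, and a second list of suffixes permitted only inside an archive. The suffix lists, limit values and function names are assumptions made for the illustration.

```python
import io
import zipfile

# Constructed policy values for illustration; not MailScanner settings.
DENIED = {".pif", ".scr", ".exe", ".reg"}
ALLOWED_IN_ARCHIVE = {".reg"}        # denied as a bare attachment, tolerated inside an archive
MAX_DEPTH = 2                        # archive-in-archive levels that will be opened
MAX_MEMBERS = 1000                   # member budget shared across all nesting levels
MAX_BYTES = 50 * 1024 * 1024         # declared uncompressed bytes, shared likewise

def suffix(name):
    """Lower-cased final extension, ignoring directories and trailing dots/spaces."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
    dot = base.rfind(".")
    return base[dot:] if dot >= 0 else ""

def check_attachment(name, data, depth=0, budget=None):
    """Return (path, reason) findings for one attachment, descending into zips."""
    budget = budget if budget is not None else {"members": MAX_MEMBERS, "bytes": MAX_BYTES}
    ext, hits = suffix(name), []
    if ext in DENIED and not (depth > 0 and ext in ALLOWED_IN_ARCHIVE):
        hits.append((name, "denied suffix " + ext))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    if depth >= MAX_DEPTH:
        return hits + [(name, "archive nested too deeply")]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = name + "/" + info.filename
                budget["members"] -= 1
                budget["bytes"] -= info.file_size
                if budget["members"] < 0 or budget["bytes"] < 0:
                    return hits + [(name, "expansion limit exceeded")]
                with zf.open(info) as fh:
                    body = fh.read(info.file_size)   # never more than the declared size
                hits += check_attachment(path, body, depth + 1, budget)
    except Exception as exc:
        # Fail closed: corrupt, encrypted or unsupported archives are findings too.
        hits.append((name, "unreadable archive: " + type(exc).__name__))
    return hits

def make_zip(members):
    """Build a constructed in-memory zip from {name: bytes} as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    return buf.getvalue()
```

The budget is charged from the sizes declared in the zip directory before any member is decompressed, so an oversized archive is rejected without being expanded.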


