Silent virus list, was: Palyh-A virus

Julian Field mailscanner at ecs.soton.ac.uk
Mon May 19 19:27:56 IST 2003


At 19:07 19/05/2003, you wrote:
>Steve Evans wrote:
>>I agree with moving the silent virus list to a file.  I also think that
>>file should be updated like the virus scanners' IDEs are updated.
>
>I would second that.
>
>Don't we have several problems to overcome?
>
>1/ The silent virus list changes.
>Solution: do automatic updating.

Who gets to host it? I guess I could.

>1a/ Someone has to maintain the list.
>Solution: ?

Depends how up to date people want the list to be. If it becomes large then
we will just ditch sender warnings altogether (which I see as the only
feasible long-term solution).

>2/ Different virus scanners use different names for viruses.
>Solution: provide one file per virus scanner?

Eek. Nightmare. Doesn't matter too much if a few sender warnings don't
happen, I would just have 1 global list that included the most common names
of each virus.

>3/ Some viruses disguise the name of the sender.
>Solution: group viruses by the algorithm used to recover the email
>address of the infected computer's owner.  "Silent" just means there is
>no such algorithm.  For really old viruses, the algorithm is to use the
>sender's e-mail address.  For other viruses, it's remove the leading
>underscore.  (We blocked W32/Magistr.32768@mm last week; it looked like
>the virus changed the first letter of the sender's name from an 's' to a
>'t'.)

Don't think this is worth the bother.

Overall, I think we all need to move to a setup where we do sender warnings
for people on our site/domain and don't bother informing the rest of the
world at all. It seems slightly stupid to write a virus that does *not*
fake the sender address, I'm just slightly surprised that it took so long
before the virus writers started doing this. It's not exactly hard...
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
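
The policy proposed in the message above (one global list of the most common virus names, and sender warnings only for the site's own domains), sketched as an added Python example that is not part of the original message and is not MailScanner's own code. The list format, the sample entries, `LOCAL_DOMAINS` and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of a single global silent-virus list: one common name
# per line, '#' starts a comment. Hypothetical format, not MailScanner's.
SAMPLE_LIST = """\
# viruses whose sender address cannot be trusted
Palyh
Magistr   # alters the sender's name
"""

LOCAL_DOMAINS = {"example.ac.uk"}  # assumption: the site's own mail domains


def load_silent_list(text):
    """Parse the list file into a set of lowercase common names."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.lower())
    return names


def name_tokens(report_name):
    """Split a scanner-specific name (W32/Palyh-A, Worm.Palyh.A) into tokens,
    so one common name matches the variants different scanners report."""
    return {t for t in re.split(r"[^a-z0-9]+", report_name.lower()) if t}


def is_silent(report_name, silent):
    return bool(name_tokens(report_name) & silent)


def should_warn_sender(report_name, envelope_sender, silent,
                       local_domains=LOCAL_DOMAINS):
    """Warn only when the virus is not on the silent list AND the envelope
    sender is in one of our own domains; everyone else gets no warning."""
    if is_silent(report_name, silent):
        return False  # sender address is forged or altered, do not trust it
    _local, sep, domain = envelope_sender.strip("<>").rpartition("@")
    if not sep or not domain:
        return False  # null sender or malformed address
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in local_domains)
```
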
