Silent virus list, was: Palyh-A virus

Stephen Swaney Steve at swaney.com
Mon May 19 19:43:59 IST 2003


Happy to provide a backup server for the updates files.

Steve
Steve Swaney
steve at swaney.com

On Mon, 2003-05-19 at 14:27, Julian Field wrote:

> At 19:07 19/05/2003, you wrote:
> >Steve Evans wrote:
> >>I agree with moving the silent virus list to a file.  I also think that
> >>file should be updated like the virus scanners' IDEs are updated.
> >
> >I would second that.
> >
> >Don't we have several problems to overcome?
> >
> >1/ The silent virus list changes.
> >Solution: do automatic updating.
>
> Who gets to host it? I guess I could.
>
> >1a/ Someone has to maintain the list.
> >Solution: ?
>
> Depends how up to date people want the list to be. If it becomes large then
> we will just ditch sender warnings altogether (which I see as the only
> feasible long-term solution).
>
> >2/ Different virus scanners use different names for viruses.
> >Solution: provide one file per virus scanner?
>
> Eek. Nightmare. Doesn't matter too much if a few sender warnings don't
> happen, I would just have 1 global list that included the most common names
> of each virus.
>
> >3/ Some viruses disguise the name of the sender.
> >Solution: group viruses by the algorithm used to recover the email
> >address of the infected computer's owner.  "Silent" just means there is
> >no such algorithm.  For really old viruses, the algorithm is to use the
> >sender's e-mail address.  For other viruses, it's remove the leading
> >underscore.  (We blocked W32/Magistr.32768@mm last week; it looked like
> >the virus changed the first letter of the sender's name from an 's' to a
> >'t'.)
>
> Don't think this is worth the bother.
>
> Overall, I think we all need to move to a setup where we do sender warnings
> for people on our site/domain and don't bother informing the rest of the
> world at all. It seems slightly stupid to write a virus that does *not*
> fake the sender address, I'm just slightly surprised that it took so long
> before the virus writers started doing this. It's not exactly hard...
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
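
The two ideas discussed in this thread (one global silent-virus list covering the common names of each virus, and sender warnings only for senders on the local site) can be sketched as follows. This is an added example, not code from the thread or from MailScanner; the list file format, the function names, `example.org` and the `Example/Macro-Test` virus name are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample of a single global silent-virus list: one shell-style
# pattern per line, loose enough to match several scanners' names for a virus.
SILENT_LIST = """\
# hypothetical file format: comments and blank lines are ignored
*palyh*
*magistr*
"""

LOCAL_DOMAINS = {"example.org"}  # assumed: the domains this site is responsible for


def load_patterns(text):
    """Parse the list file into lowercase patterns, dropping comments."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            patterns.append(line)
    return patterns


def is_silent(virus_name, patterns):
    """True if a scanner's name for the virus matches the global list."""
    name = virus_name.strip().lower()
    return any(fnmatchcase(name, p) for p in patterns)


def should_warn_sender(envelope_from, virus_names, patterns,
                       local_domains=LOCAL_DOMAINS):
    """Warn only local senders, and never for a virus known to forge the sender."""
    if not envelope_from or "@" not in envelope_from:
        return False  # null sender (bounce) or malformed address
    domain = envelope_from.rsplit("@", 1)[1].strip().rstrip(".").lower()
    if domain not in local_domains:
        return False  # outside our site: the address cannot be trusted
    # A message may carry one report per scanner; any silent match suppresses.
    return not any(is_silent(v, patterns) for v in virus_names)
```

Matching on a loose pattern rather than an exact name means a scanner-specific prefix or suffix does not require its own entry, at the cost of occasionally suppressing a warning that could have been sent.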