bagle-i worm

Support ePaxsys/FRWS support at EPAXSYS.NET
Tue Mar 2 18:27:24 GMT 2004


Hey folks

Would not an addition to the filename.rules.conf rules to adjust for
allowed size ranges also help in this situation?
If the Virus.ZIP file was say under 100k (and maybe check for PW protection
if possible) they could be blocked instead of blocking ALL Zips. Sure it's
an interim fix as the Virus writers would just make them bigger or do
something different - but it would give us all another weapon to use to
slow this stuff down and not stop legitimate mail (our goal after all!)
while the AV writers come up with a solution.

Thoughts?

We are blocking Zips under 200k with the word 'password:' in them using
procmail right now, and it is effective. Not elegant, not perfect, but it's
a decent interim solution.

Jerome


At 12:26 PM 3/2/04 -0600, Marco Obaid wrote:
>Quoting Dan Newcombe <Newcombe at MORDOR.CLAYTON.EDU>:
>
> > Is Sophos supposed to be able to identify the password-protected zip file
> > or just the virus that's in the file itself?
>
>I believe that it attempts to scan the entire file;
>
>MailScanner[16356]: ./i226Mcwt003303/eaaead.zip->dijhtpnq.exe  Infection:
>W32/Bagle.E at mm
>MailScanner[16356]: INFECTED:: W32/Bagle-E W32/Bagle-
>E:: ./i226Mcwt003303/eaaead.zip
>
> > Just can't win - instead of setting up an ftp server for
> > once-in-a-blue-moon files needed from off site, we asked people to just
> > send a pw-protected ZIP file, and now those are on the evil list.
>
>Can't you just temporarily white list their server's IP address to skip the
>virus checks? I would not attempt to whitelist their domain since these
>worms are skilled at spoofing the sender's address.
>
>
>Marco

ePaxsys/FRWS Technical Staff
ePaxsys, Inc. http://www.epaxsys.net
FRWS: http://www.frws.com
Live Text Support: http://www.epaxsys.net/live-help
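The interim filter Jerome describes (block ZIP attachments under 200k when the message text contains "password:"), together with the password-protection check he suggests, worked through as an added example in Python. This is not code from the original post, from procmail, or from MailScanner; the message builder, size limit, and sample messages are constructed here for illustration, and the "encrypted" sample only sets the ZIP encryption flag bit on an otherwise plain archive so that no real password-protected payload is needed.

```python
"""Heuristic from the thread: flag mail that carries a small .zip attachment
while the message text contains the word 'password:'. Also reports whether
any ZIP entry is marked encrypted (the 'PW protection' check from the post)."""
import email
import io
import zipfile
from email.message import EmailMessage
from typing import Optional

SIZE_LIMIT = 200 * 1024   # "Zips under 200k" from the post (assumed threshold)
MARKER = "password:"      # the body text the post keys on


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any entry has bit 0 (encrypted) of the general-purpose flag set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify(raw: bytes) -> dict:
    """Parse one RFC 822 message and return the evidence found plus a verdict."""
    msg = email.message_from_bytes(raw)
    found = {"small_zip": False, "encrypted_zip": False, "marker": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if filename.endswith(".zip") or ctype in ("application/zip",
                                                  "application/x-zip-compressed"):
            if len(payload) < SIZE_LIMIT:
                found["small_zip"] = True
            if zip_has_encrypted_entry(payload):
                found["encrypted_zip"] = True
        elif part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            if MARKER in payload.decode(charset, errors="replace").lower():
                found["marker"] = True
    # The post's rule: small ZIP *and* the password hint in the text.
    found["block"] = found["small_zip"] and found["marker"]
    return found


# --- constructed sample data (not from the post) ---------------------------

def make_zip(name: str, content: bytes, encrypted: bool = False) -> bytes:
    """Build an in-memory ZIP; optionally mark its entry as password-protected
    by setting bit 0 of the general-purpose flag in the local file header
    (offset 6) and the central-directory entry (offset 8). The data itself
    is left unencrypted; only the flag is mimicked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x1
                pos = data.find(sig, pos + 1)
    return bytes(data)


def build_message(body: str, attachment: Optional[bytes], name: str = "doc.zip") -> bytes:
    """Assemble a constructed sample e-mail with an optional ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip",
                           filename=name)
    return msg.as_bytes()


WORM_LIKE = build_message("Archive attached. Password: 12345",
                          make_zip("photo.exe", b"MZ" + b"\x00" * 500))
LEGIT_ZIP = build_message("Here is the report you asked for.",
                          make_zip("report.txt", b"quarterly numbers\n"))
BIG_ZIP = build_message("password: see below",
                        make_zip("big.bin", b"A" * (250 * 1024)))
PW_FLAGGED = build_message("Password: 12345",
                           make_zip("photo.exe", b"MZ", encrypted=True))

if __name__ == "__main__":
    for label, sample in (("worm-like", WORM_LIKE), ("legit", LEGIT_ZIP),
                          ("big zip", BIG_ZIP), ("pw-flagged", PW_FLAGGED)):
        print(label, classify(sample))
```

The verdict is deliberately the conjunction of the two weak signals from the post; on its own each one (a small ZIP, or the word "password:") would match plenty of legitimate mail. The `encrypted_zip` field is reported separately so a site can decide whether to fold the flag-bit check into the rule or only log it.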


