F-prot update

Dan Hollis spamtrap71892316634 at ANIME.NET
Sat Mar 6 11:48:23 GMT 2004


On Sat, 6 Mar 2004, Julian Field wrote:
> At 19:12 05/03/2004, you wrote:
> >On Fri, 5 Mar 2004, Julian Field wrote:
> > > At 13:27 05/03/2004, you wrote:
> > > >I guess the f-prot update will mean more changes to MailScanner
> > > I'm not going to rush out a new release for that, as MailScanner now
> > > performs filename checks on the contents of Zip files anyway, even if they
> > > are password-protected.
> > > So it doesn't really give you very much extra value when used within
> > > MailScanner.
> >f-prot doesn't actually unzip the file and check it, it just adds new
> >heuristics for filename size and extension.
> >It would be nice if MailScanner could deal with password protected
> >archives by extracting the password from the mail body...
> That's a natural language parsing problem, which is incredibly difficult to
> do with any reliability.

Except that all the known viruses so far use known static phrases. There's
a limit to how much phrases could be 'randomized' before they become
incomprehensible to the intended target.

Parsing static phrases for passwords would be useful right now, and for
the short term future. Various virus filtering software does it already
(MailScanner alas is one that does not). No, it isn't perfect forever but
that doesn't make it completely useless or even impractical.

-Dan
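
The static-phrase approach discussed in this message, sketched as an added example (not code from this thread, MailScanner, or any scanner mentioned here). The phrase patterns, sample inputs and the function names `candidate_passwords` and `unlock` are constructed assumptions; Python's `zipfile` only decrypts traditional ZipCrypto archives.

```python
import io
import re
import zipfile
import zlib

# Constructed lead-in phrases (assumptions for illustration, not taken from
# any real sample). Each captures the token that follows a fixed phrase.
PHRASES = [
    re.compile(r"\bpassword\s*(?:is\b\s*:?|:|-)\s*(\S+)", re.I),
    re.compile(r"\bpass(?:word)?\s+for\s+(?:the\s+)?(?:archive|zip|file)"
               r"\s*(?:is\b|:)\s*(\S+)", re.I),
    re.compile(r"\buse\s+(?:the\s+)?(?:password|key)\s+(\S+)", re.I),
]

def candidate_passwords(body, limit=10):
    """Return up to `limit` distinct candidates, in order of appearance."""
    hits = []
    for pattern in PHRASES:
        for m in pattern.finditer(body):
            # Drop quotes and sentence punctuation wrapped around the token.
            token = m.group(1).strip("\"'<>()[]{}.,;:!")
            if token:
                hits.append((m.start(1), token))
    ordered = []
    for _, token in sorted(hits):
        if token not in ordered:
            ordered.append(token)
    return ordered[:limit]

def unlock(zip_bytes, candidates):
    """Return (status, password, names); status is plain, unlocked or locked.

    Member names come from the unencrypted central directory, so they stay
    available for filename checks even when no candidate works.
    """
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    names = zf.namelist()
    encrypted = [i for i in zf.infolist() if i.flag_bits & 0x1]
    if not encrypted:
        return "plain", None, names
    for pw in candidates:
        try:
            for info in encrypted:
                zf.read(info, pwd=pw.encode("utf-8"))
            return "unlocked", pw, names
        # Wrong password, a check-byte false positive caught by the CRC, or
        # an unsupported method such as AES (NotImplementedError).
        except (RuntimeError, zipfile.BadZipFile, zlib.error):
            continue
    return "locked", None, names
```

On an "unlocked" result the members can be handed to the normal virus scanner; a "locked" result still leaves the member names for filename rules.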


