F-prot update

Julian Field mailscanner at ecs.soton.ac.uk
Sat Mar 6 12:15:24 GMT 2004


At 11:48 06/03/2004, you wrote:
>On Sat, 6 Mar 2004, Julian Field wrote:
> > At 19:12 05/03/2004, you wrote:
> > >On Fri, 5 Mar 2004, Julian Field wrote:
> > > > At 13:27 05/03/2004, you wrote:
> > > > >I guess the f-prot update will mean more changes to MailScanner
> > > > I'm not going to rush out a new release for that, as MailScanner now
> > > > performs filename checks on the contents of Zip files anyway, even if they
> > > > are password-protected.
> > > > So it doesn't really give you very much extra value when used within
> > > > MailScanner.
> > >f-prot doesn't actually unzip the file and check it, it just adds new
> > >heuristics for filename size and extension.
> > >It would be nice if mailscanner could deal with password protected
> > >archives by extracting the password from the mail body...
> > That's a natural language parsing problem, which is incredibly difficult to
> > do with any reliability.
>
>Except that all the known viruses so far use known static phrases. There's
>a limit to how much phrases could be 'randomized' before they become
>incomprehensible to the intended target.
>
>Parsing static phrases for passwords would be useful right now, and for
>the short term future. Various virus filtering software does it already
>(mailscanner alas is one that does not). No, it isn't perfect forever but
>that doesn't make it completely useless or even impractical.

The problem is that the virus writers can produce a hundred different
strings every day. You have to start using an engine like SpamAssassin to
try to find them, where you can have hundreds of rules and give each
word a probability of being the password. Big problem.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
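
Added example, not part of the original post and not MailScanner code: a sketch of the two approaches argued over in this thread, matching static phrases and scoring every word as a possible archive password. The phrase list, stop list, weights and both sample bodies are constructed for illustration.

```python
import re

# Assumed static lead-in phrases (constructed, not taken from any real sample).
STATIC_PHRASES = [
    re.compile(r"\bpassword\s*(?:is|:|=)\s*(\S+)", re.I),
    re.compile(r"\bpass\s*(?:is|:|=)\s*(\S+)", re.I),
    re.compile(r"\barchive password\s*-\s*(\S+)", re.I),
]
# Words never offered as candidates (illustrative stop list).
COMMON_WORDS = {"the", "is", "for", "please", "attached", "file", "password",
                "archive", "hello", "regards", "see", "use", "open", "to", "it"}

# Constructed sample bodies: one uses a static phrase, one is reworded.
BODY_STATIC = "Hello,\nplease see the attached file.\nPassword is 48213\nRegards"
BODY_REWORDED = "Hello,\nto open it you will need 48213 and nothing else.\nRegards"


def _clean(token):
    """Strip surrounding punctuation so 'file.' and 'file' compare equal."""
    return token.strip(".,;:!?\"'()<>[]")


def candidate_passwords(body, limit=5):
    """Return up to `limit` (token, score) pairs, most likely password first."""
    scores = {}

    def bump(token, amount):
        token = _clean(token)
        if token:
            scores[token] = scores.get(token, 0.0) + amount

    # Strong evidence: the token directly follows a known static phrase.
    for pattern in STATIC_PHRASES:
        for match in pattern.finditer(body):
            bump(match.group(1), 0.6)
    # Weak evidence, applied to every word: digits and a plausible length.
    for raw in body.split():
        token = _clean(raw)
        if not token or token.lower() in COMMON_WORDS:
            continue
        if any(ch.isdigit() for ch in token):
            bump(token, 0.2)
        if 4 <= len(token) <= 12:
            bump(token, 0.1)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    for name, body in (("static", BODY_STATIC), ("reworded", BODY_REWORDED)):
        print(name, candidate_passwords(body))
```

With the static phrase present there is a single high-scoring candidate; once the wording changes, the same token survives only on weak per-word evidence and ordinary words compete with it, so a scanner would have to try several candidates against the archive.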


