New service - the Team Cymru Malware Hash Registry!
Alex Broens
ms-list at alexb.ch
Tue Oct 28 09:58:34 GMT 2008
On 10/28/2008 10:20 AM, --[ UxBoD ]-- wrote:
> Just had a read and it looks really good. I presume the best bet
> would be to use the DNS lookup method as most firewalls will have DNS
> open ?
It has a couple of disadvantages compared to the malware.com.br ClamAV
signatures:
- The ClamAV signatures include a size field to avoid possible MD5
collisions.
- The ClamAV sigs don't delay processing and have a small memory
fingerprint.
- The lookups to the Cymru site will slow down processing.
(do they have enough iron to hold up to global traffic?)
- "The Malware Hash Registry (MHR) is free for non-commercial use ONLY"
so it should hardly become part of default MS.
The one big plus is the close to real time detection, though it's hard to
imagine that the stuff it detects doesn't get marked as spam by already
existing methods.
If Jules decides to add this to MailScanner I hope he does it as a
custom function plugin.
imo, this doesn't belong in the main "glue" aka MailScanner.
I see lots more potential for a SA plugin.
Alex