New service - the Team Cymru Malware Hash Registry!
--[ UxBoD ]--
uxbod at splatnix.net
Tue Oct 28 10:53:19 GMT 2008
Yep, kinda agree Alex after reading some more. I think a SA rule would be well suited, and have mentioned such elsewhere.
Regards,
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749
----- "Alex Broens" <ms-list at alexb.ch> wrote:
> It has a couple of disadvantages compared to the malware.com.br ClamAV
> signatures:
>
> - The ClamAV signatures include a size field to avoid possible MD5
>   collisions.
>
> - The ClamAV sigs don't delay processing and have a small memory
>   fingerprint.
>
> - The lookups to the Cymru site will slow down processing.
>   (do they have enough iron to hold up to global traffic?)
>
> - "The Malware Hash Registry (MHR) is free for non-commercial use ONLY"
>   so it should hardly become part of default MS.
>
> The one big plus is the close to real time detection though it's hard to
> imagine that the stuff it detects doesn't get marked as spam by already
> existing methods.
>
> If Jules decides to add this to MailScanner I hope he does it as a
> custom function plugin
>
> imo, this doesn't belong in the main "glue" aka MailScanner.
>
> I see lots more potential for a SA plugin.
>
> Alex