Open Source and information security mailing list archives
Message-ID: <20040128234822.51B0.0@argo.troja.mff.cuni.cz>
Date: Thu, 29 Jan 2004 00:11:15 +0100 (MET)
From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
To: Thomas Zehetbauer <thomasz@...tmaster.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: RFC: virus handling


On Wed, 28 Jan 2004, Thomas Zehetbauer wrote:

> 1.2.1.) Standardization
> To allow filtering of these messages they should always carry the text
> 'possible virus found' in the subject optionally extended by the name of
> the virus or the test conducted (e.g. heuristics).

Delivery Status Notification (RFC 1894) has many disadvantages but IMHO it
is still better than Yet Another Idiosyncratic Ad-hoc Format.

> 1.1.2.) Original Message
> The notification should never include the original message sent as
> otherwise it may send the worm/virus to a previously unaffected third
> party or re-infect a system that has already been cleaned.

Notifications, if they are sent at all, should always include at least the
headers of the original message.

(Anyway, people removing a piece of malware from their computer without
taking any steps to prevent future infections (at least reinfections by
the same kind of malware) *deserve* to be reinfected.)

> 3.2.) Disconnect
> Providers should grant their customers some grace period to clean their
> infection and should thereafter be disconnected entirely or filtered
> based on protocol (e.g. outgoing SMTP) or content (e.g. transparent
> smarthost with virus scanner) until they testify that they have cleaned
> their system.

Infected hosts should be blocked/disconnected immediately. A filter set up
several hours after the fact (I suppose any reasonable "grace period"
would have to be at least several hours long) is pointless because a
typical 21st-century fast-spreading worm has already had enough time to
attack everyone in its vicinity.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
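The DSN-style notification argued for above, as an added example that is not part of Pavel's message or of any project: Python's standard email library builds a multipart/report (RFC 1892) that wraps an RFC 1894 delivery-status part and a text/rfc822-headers part, so the original message's headers travel with the notice but its body never does. The MTA name, the addresses and the sample message are constructed.

```python
# Added example: an RFC 1894-style DSN for a scanner rejection that echoes
# only the original message's headers. Names and the sample are constructed.
from email import message_from_string
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

ORIGINAL = """From: alice@example.org
To: bob@example.net
Subject: your documents
Message-ID: <constructed-1@example.org>

Please see attached. (the infected attachment would follow here)
"""

def status_group(**fields):
    """One RFC 1894 field group (per-message or per-recipient)."""
    group = Message()
    for name, value in fields.items():
        group[name.replace("_", "-")] = value
    return group

def build_dsn(original_text, reporting_mta, verdict):
    """multipart/report (RFC 1892) DSN: text, delivery-status, headers only."""
    original = message_from_string(original_text)
    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["From"] = "MAILER-DAEMON@" + reporting_mta
    dsn["To"] = original["From"]
    dsn["Subject"] = "Delivery Status Notification (Failure)"
    # Part 1: human-readable explanation for the sender.
    dsn.attach(MIMEText("Message rejected by %s: %s\n" % (reporting_mta, verdict)))
    # Part 2: machine-readable status groups (5.7.1 = policy rejection).
    status = MIMENonMultipart("message", "delivery-status")
    status.set_payload([
        status_group(Reporting_MTA="dns; " + reporting_mta),
        status_group(Final_Recipient="rfc822; " + original["To"], Action="failed",
                     Status="5.7.1", Diagnostic_Code="smtp; 550 " + verdict)])
    dsn.attach(status)
    # Part 3: original headers only, so the notice cannot carry the malware on.
    hdrs = MIMENonMultipart("text", "rfc822-headers")
    hdrs.set_payload("".join("%s: %s\n" % kv for kv in original.items()))
    dsn.attach(hdrs)
    return dsn

def body_leaked(dsn, original_text):
    """True if any non-blank line of the original body appears in the DSN."""
    body = message_from_string(original_text).get_payload()
    return any(l.strip() and l in dsn.as_string() for l in body.splitlines())
```

The text/rfc822-headers part is where a scanner's verdict and the original Message-ID can be correlated downstream without ever forwarding the payload.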


