lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040127180156.524d4731.volker.tanger@discon.de>
From: volker.tanger at discon.de (Volker Tanger)
Subject: antivirus s/w

Greetings!

On 27 Jan 2004 06:51:55 -0800 merlyn@...nehenge.com (Randal L. Schwartz)
wrote:

>> Patrick> 1. I'm trying to decide on an AV solution for a campus wide
>> n/w. Patrick> I'm basically looking for something that'll respond as
>> quick as Patrick> possible to new viruses. I'm currently evaluating
>> NAV, and Fprot. Patrick> Any other suggestions/recomendations?
> 
> PLEASE MAKE SURE that it doesn't send email responses.
> I'm getting 500 mydoom an hour.  I can filter those.
> I'm getting 1500 AV-responses an hour.  I can't filter those.
> AV response email is PART OF THE PROBLEM now, not PART OF THE
> SOLUTION.


e.g. with Postfix MTA you can use the mime_header_checks filtering quite
successful and without response mails. And most times it's effective
even without pattern updates...


(beware of possible line breaks)


main.cf:
--------
mime_header_checks = regexp:/etc/postfix/mime_header_checks



mime_header_checks:
-------------------

### -----------------------------------------------------------------------
# known viri
#
/^.*(file)?name="?.*(your_details|your_document|document_all).pif.*\.(bat|asd|chm|com|dll|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD  Found Sobig.F virus - clean your computer.

### -----------------------------------------------------------------------
# temp. virus blocks
#
/^.*name="?(doc|message|readme|text|test|document)\.zip"?/i DISCARD Probably found Novarg/MyDoom virus - clean your computer or re-send attachment with different name.

### -----------------------------------------------------------------------
# executables
#
/^\t(file)?name="?.*\.(bat|asd|chm|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found executable attachment. Re-send packed in ZIP archive if valid requirement.
/^Content-(Type|Disposition):.* (file)?name="?.*\.(bat|asd|chm|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found executable attachment - probably virus. Re-send packed in ZIP archive if valid requirement.



Bye

Volker Tanger
ITK-Security


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ