| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: volker.tanger at discon.de (Volker Tanger) Subject: antivirus s/w Greetings! On 27 Jan 2004 06:51:55 -0800 merlyn@...nehenge.com (Randal L. Schwartz) wrote: >> Patrick> 1. I'm trying to decide on an AV solution for a campus wide >> n/w. Patrick> I'm basically looking for something that'll respond as >> quick as Patrick> possible to new viruses. I'm currently evaluating >> NAV, and Fprot. Patrick> Any other suggestions/recomendations? > > PLEASE MAKE SURE that it doesn't send email responses. > I'm getting 500 mydoom an hour. I can filter those. > I'm getting 1500 AV-responses an hour. I can't filter those. > AV response email is PART OF THE PROBLEM now, not PART OF THE > SOLUTION. e.g. with Postfix MTA you can use the mime_header_checks filtering quite successful and without response mails. And most times it's effective even without pattern updates... (beware of possible line breaks) main.cf: -------- mime_header_checks = regexp:/etc/postfix/mime_header_checks mime_header_checks: ------------------- ### ----------------------------------------------------------------------- # known viri # /^.*(file)?name="?.*(your_details|your_document|document_all).pif.*\.(bat|asd|chm|com|dll|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found Sobig.F virus - clean your computer. ### ----------------------------------------------------------------------- # temp. virus blocks # /^.*name="?(doc|message|readme|text|test|document)\.zip"?/i DISCARD Probably found Novarg/MyDoom virus - clean your computer or re-send attachment with different name. ### ----------------------------------------------------------------------- # executables # /^\t(file)?name="?.*\.(bat|asd|chm|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found executable attachment. Re-send packed in ZIP archive if valid requirement. /^Content-(Type|Disposition):.* (file)?name="?.*\.(bat|asd|chm|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)"?/ DISCARD Found executable attachment - probably virus. Re-send packed in ZIP archive if valid requirement. Bye Volker Tanger ITK-Security
Powered by blists - more mailing lists