Message-ID: <B99D046F7F16A34EA7926E14DD82F5A114CCDD@exchny28.ny.ssmb.com>
From: jan.m.clairmont at citigroup.com (Clairmont, Jan M)
Subject: Getting the lead out of broken virus / worm email meta-reporting
How fast is fast? The time it takes an av, spyware or firewall
company to react to a real-time threat. I think there is going
to have to be a pooling of anti-virus, mail sweeping and firewall
protection knowledge. There should be a central policy that
can be reported and distributed to the various vendors and
clients that auto-updates the protecting software. Simply a
crisis-mail-alert with appropriate information for translation into
a protecting shield that updates all av, mail and firewall utilities.
Has anyone written or read a spec. on standardizing worm, virus
or other alerts with not just "there's a 'sploit", but a method of
reporting the 'sploit or adware, malware in a way that the
vendors and clients could instantly counter with a new filter or
fix?
Information such as:
 - the virus, malware or spam type,
 - then the filtering fingerprint,
 - the associated DLL update, or where to get it from approved vendor lists,
 - time of discovery, place,
 - description of malicious effect, etc.
Does anyone have any ideas on this? Is there an RFP on this
particular subject of universal alerts with fix etc.?
Because the time consuming list watching is just not standardized.
What vendor and when it comes time to update is a matter of
when they get around to it. By that time the cows are out of the
barn and we are like the volunteer fire department, foundation
savers. By the time everyone gets out of bed, rushes to the firehouse and gets to the scene there is nothing left but a foundation to save.
A Universal Internet Security Alert system with fix, signature etc. should be implemented, when one finds the fix they would be obligated to put the fix into an alert database that all vendors could use. It would be non-vendor specific and universal to all updates.
Any other thoughts would be welcome.
Part of the problem I see would be how to secure the reporting itself. It would have to be through a specific Agency,
with signature and encryption that is fairly foolproof and secure.
A centralized database could then be created and an
alert issued where everyone can go and get the fix, signature or
whatever, and automated. Right now every vendor has its own.
Thoughts,
Jan Clairmont
Firewall Administrator/Consultant
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Todd Towles
Sent: Tuesday, August 03, 2004 9:53 AM
To: 'Denis McMahon'; 'fd'
Subject: RE: [Full-Disclosure] broken virus / worm email has attachment
not found by grisoft proxy scanner
I have seen this type of e-mail on my yahoo account at home. I just guessed
it was a corrupt e-mail put out by some e-mail virus circling the internet.
It wouldn't be the first time or the last.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Denis McMahon
Sent: Tuesday, August 03, 2004 6:39 AM
To: fd
Subject: [Full-Disclosure] broken virus / worm email has attachment not
found by grisoft proxy scanner
Hmm
I've had a couple of suspicious emails this week with headers, blank
line, a line of text, mime headers.
Thunderbird doesn't see the mime attachment due to the broken headers,
which is good, but nor does the grisoft email proxy scanner, which is
bad, especially as I guess that certain broken applications (no I don't
have outlook [express] on my system) might try and be smart and find the
attachment.
This might be broken malware sending unusable stuff out, but my worry is
that someone may have found a technique that will sneak an attachment
past some a-v scanners in a "broken" format that certain popular email
apps will try and fix, possibly putting active malware on the hard disk.
I tried to talk to grisoft about this, but all I get back is "you have
to pay to talk to us cheapskate" ... whilst I can agree that they might
not want to provide tech support to users of their free scanner, does
anyone have an email address at grisoft for submitting suspicious items
that have got past their proxy scanner?
Denis
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
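To make Denis's concern concrete, here is an added detection example in Python (not code from the thread, from Grisoft or from any vendor's scanner): a strict RFC parse of a constructed message of the shape he describes, headers, blank line, a line of text, then MIME headers, finds no attachment, while a body scan flags the MIME headers and boundary that a lenient client could "repair" into one. The sample messages, regexes and function names are assumptions.

```python
import email
import re
from email import policy

# Constructed sample of the shape Denis describes: real headers, a blank line,
# one line of text, then MIME headers that a strict parser leaves in the body.
BROKEN_MSG = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: hello
MIME-Version: 1.0

some text line
Content-Type: multipart/mixed; boundary="bound123"

--bound123
Content-Type: application/octet-stream; name="file.exe"
Content-Disposition: attachment; filename="file.exe"
Content-Transfer-Encoding: base64

ZHVtbXk=
--bound123--
"""
# Constructed well-formed message for the negative case.
CLEAN_MSG = b"From: a@example.invalid\nTo: b@example.invalid\nSubject: hi\n\nJust saying hi.\n"

HEADER_LINE = re.compile(r"^(Content-Type|Content-Disposition|Content-Transfer-Encoding):", re.I)
BOUNDARY = re.compile(r'boundary="?([^";\s]+)"?', re.I)

def strict_attachments(raw: bytes) -> list:
    """Attachment filenames a strict RFC 2045 parser finds (what Thunderbird sees)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.iter_attachments()]

def smuggled_mime(raw: bytes) -> dict:
    """Flag a non-multipart message whose body carries MIME headers plus a boundary
    delimiter or attachment marker: a lenient client may 'repair' it into an attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.is_multipart():
        return {"suspicious": False, "reason": "well-formed multipart"}
    body = (msg.get_payload(decode=True) or b"").decode("latin-1")
    hdr_lines = [ln for ln in body.splitlines() if HEADER_LINE.match(ln)]
    bounds = BOUNDARY.findall(body)
    has_delim = any(("--" + b) in body for b in bounds)
    attach_hint = any("attachment" in ln.lower() for ln in hdr_lines)
    return {"suspicious": bool(hdr_lines) and (has_delim or attach_hint),
            "mime_header_lines": len(hdr_lines), "boundaries": bounds,
            "attachment_hint": attach_hint}
```

A gateway scanner should scan the way the most lenient client parses; this check is the cheap first cut that tells it when the strict and lenient views disagree.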