Re: [Snort-sigs] writing signatures from isolated viruses

From: Jason Haar <Jason.Haar(at)trimble.co.nz>
Date: Thu Mar 25 2004 - 20:57:01 EST

On Thu, Mar 25, 2004 at 04:06:26PM -0700, Cory Hollingsworth wrote:
> Virus Wall has an option to quarantine Virus attachments. Sadly the
> option doesn't isolate the entire email message so we lose the header
> information which could tell us where the file came from.
> ...
> I'm wondering if there is a way I could take a virus attachment which I
> know has infected our network and create a signature using that file to
> better isolate infected machines on our network.

Look at your problem again:

#1: You have an existing AV system that you don't like as it corrupts the virus message to such an extent as to make forensics impossible

Fix: get something else. Seriously. I have a barrow to push on the matter: I'm the author of Qmail-Scanner - a content-filter/AV scanner for Qmail. Which I wrote because I was staggered by how bad I found the commercial gateway scanners to be. (Of course I'm biased - but aren't we all? ;-). I'm sure there are some commercial products that do a better job - but I know I don't like what Trend does to messages.

#2: Sometimes viruses get through because Trend aren't quick enough out with pattern files.

Fix: Well, "day zero" viruses will always affect *any* vendor product. The best thing you can do is to run more than one AV over each message (i.e. don't use vendor AV gateways as they'll only support their AV) - as it will *on average* reduce "day zero" outbreaks from many hours to a few hours. Then implement e-mail policies that block certain classes of e-mail - which will also hopefully block a lot of these "day zero" viruses. Then ensure you run nightly scans over your mail stores to clean up any viruses that got in earlier that day.

End result: fewer virus issues to worry about - not none - but fewer :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
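The "e-mail policies that block certain classes of e-mail" step above is the one piece of the advice that is independent of any vendor's pattern files, so here is an added example of what such a gateway policy check looks like. This is illustrative code written for this archive page; it is not from the post, from Qmail-Scanner or from any Trend product. The blocked-extension list, the host names and the sample message are all constructed assumptions. It goes slightly beyond the post in that it also records the Received chain of a quarantined message, so that the header information the original question complained about losing is kept alongside the verdict.

```python
"""Attachment-class policy filter for a mail gateway (illustrative, not Qmail-Scanner)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Attachment classes this (hypothetical) site policy refuses outright.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "cpl", "hta"}


def looks_executable(data: bytes) -> bool:
    """DOS/Windows executables start with an 'MZ' header, whatever they are named."""
    return data[:2] == b"MZ"


def name_verdict(filename: str) -> Optional[str]:
    """Check every extension in the name, so 'invoice.txt.exe' and 'x.jpg .scr' are caught."""
    parts = filename.lower().replace(" ", "").split(".")
    for ext in parts[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return "blocked extension ." + ext
    return None


def zip_verdict(data: bytes) -> Optional[str]:
    """Look one level into ZIP archives; refuse members that cannot be inspected."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None  # not a zip, nothing to say here
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted member: no gateway scanner can see inside
                return "encrypted zip member " + info.filename + " cannot be scanned"
            v = name_verdict(info.filename)
            if v:
                return "zip member " + info.filename + ": " + v
            with zf.open(info) as member:
                if looks_executable(member.read(2)):
                    return "zip member " + info.filename + " has an executable header"
    return None


def part_verdict(filename: str, data: bytes) -> Optional[str]:
    """Name check first, then content magic, then one level of archive inspection."""
    return (
        name_verdict(filename)
        or ("executable header in " + filename if looks_executable(data) else None)
        or zip_verdict(data)
    )


def filter_message(raw: bytes) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(attachment name, reason), ...], received_headers).

    The Received chain is returned with the verdicts so a quarantine record keeps
    the routing information needed to trace where the message came from."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        v = part_verdict(name, part.get_payload(decode=True) or b"")
        if v:
            verdicts.append((name, v))
    return verdicts, [str(h) for h in msg.get_all("Received", [])]


def build_sample() -> bytes:
    """Constructed test message (not a real capture): one clean and three policy-violating parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "documents"
    msg["Received"] = "from mx.example.invalid by gw.example.invalid; Thu, 25 Mar 2004 20:00:00 +1300"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application", subtype="octet-stream", filename="invoice.txt.exe")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="image", subtype="jpeg", filename="photo.jpg")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.scr", b"MZ\x90\x00fake")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    verdicts, received = filter_message(build_sample())
    for name, reason in verdicts:
        print(name, "->", reason)
    print("Received:", received)
```

The three checks are deliberately independent: a renamed executable passes the name check but not the magic check, and a wrapped one passes both but not the archive check. An encrypted archive is refused rather than passed, because a gateway that cannot look inside a member has no basis for calling it clean.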


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Thu Mar 25 21:17:57 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:39 EDT