[Mimedefang] Virus statistics (was: One that the default filter missed...)

Michael D. Sofka sofkam at rpi.edu
Fri May 24 13:56:31 EDT 2002


At 10:35 AM 5/24/2002 -0400, Michael D. Sofka wrote:
>Based on the data I've collected, I would recommend: reject all .exe, .com,
>.pif, .bat, .scr and .lnk extensions, and all application/mixed, audio/x-midi
>and audio/x-wav types.  That will take care of 98% of viruses with very
>few false positives.  If people need to share executables, tell them about
>ftp, http, smb, p2p, etc.

I have had a query about sharing my filter rules.  They can be found
at http://www.rpi.edu/~sofkam/mds/  There, one will find my mimedefang
filter, and a script, mimedstats.pl, which prints a summary of what
MIMEDefang + Sophos + Sendmail did.  I print stats once a day,
and have at various times produced monthly summaries.  I have also
placed a copy of the report I prepared based on a few weeks of data
gathering (viruses.pdf).  This was written just as Klez was starting to
take off.  The data would be considerably skewed now towards blocking
more, and not less.

[I would like to insert at this time, that there are known inefficiencies
in the mimedefang.ujposta filter.  I've seen many clever postings to
mimedefang-l, and wish to thank you all in advance for the ideas I'm
going to steal.  Of course the biggest inefficiency is everything is
scanned, even if heuristics would reject it.  This is to gather data.]

But, THEY ARE NOT A FILTER EMBODYING THE ABOVE ADVICE. 
As I said in the original message, we are running Sophos and I've
been gathering statistics comparing Sophos to heuristics.  The purpose
of this was to be able to justify the expense of a Sophos license.  If our
request had been turned down, then I would be using these data to
write (and, more importantly, justify) a filter which embodied the rules.

A second caveat: the statistics I've seen are so far stable, but that
might very well change with the next widespread virus.  They may
also be place dependent.  I am interested in what other schools,
businesses, non-profits, etc. find vis-a-vis virus scanning.  It is important
to report both what was caught, and to the extent possible what would
have been missed.  I needed to see what Sophos added
to heuristic checks, and I also wanted to see where Sophos failed.
Heuristics are good for catching many new viruses.  But, they will
miss a virus called "clickhere.exe" distributed with a good story
about why you should be idiotic enough to "click here."

Finally, you will note this is MIMEDefang 2.3.  Since upgrading will
require a new compile of sendmail, and a noticeable mail outage while
the new libraries are installed, I've not upgraded.  We have some
new machine in house, and I will be upgrading then.

I'm still waiting to read how CitiBank handles 1.5 million emails a day...

Mike

--
Michael Sofka                          sofkam at rpi.edu
CCT Sr. Systems Programmer  email, webmail, listproc, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.    http://www.rpi.edu/~sofkam/
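The rejection rule quoted at the top of the post (block the listed attachment extensions and MIME types), written out as an added Python example. This is not the author's mimedefang filter, which is Perl and lives at the URL above; the sample message, its attachment names and its byte contents are constructed here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# The policy from the quoted recommendation: reject these extensions and types.
BLOCKED_EXTENSIONS = {".exe", ".com", ".pif", ".bat", ".scr", ".lnk"}
BLOCKED_TYPES = {"application/mixed", "audio/x-midi", "audio/x-wav"}


def part_verdict(part):
    """Return a reject reason for one MIME part, or None if it passes."""
    ctype = part.get_content_type().lower()
    if ctype in BLOCKED_TYPES:
        return f"blocked type {ctype}"
    name = part.get_filename() or ""
    # Compare only the final extension, case-insensitively, so that
    # "clickhere.EXE" is treated the same as "clickhere.exe".
    dot = name.rfind(".")
    if dot != -1:
        ext = name[dot:].lower()
        if ext in BLOCKED_EXTENSIONS:
            return f"blocked extension {ext} ({name})"
    return None


def scan_message(raw):
    """Parse RFC 822 text and return the list of reasons to reject it."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():  # containers carry no payload of their own
            continue
        reason = part_verdict(part)
        if reason:
            reasons.append(reason)
    return reasons


def build_sample():
    """Constructed message: a story body plus three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Click here"
    msg.set_content("A good story about why you should click here.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="clickhere.EXE")
    msg.add_attachment(b"plain notes", maintype="text",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MThd", maintype="audio",
                       subtype="x-midi", filename="tune.mid")
    return msg.as_string()
```

Running `scan_message(build_sample())` flags the `.EXE` attachment by extension and the MIDI part by type while leaving the text attachment alone; a plain single-part message yields an empty list.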
