[Mimedefang] not catching test viruses

Cormack, Ken kcormack at acs.roadway.com
Tue Jan 20 16:08:52 EST 2004


I haven't looked yet at the mimedefang-filter code (been busy this afternoon
with other fires), but does MD pass the header to a virus-scanner?  Or just
the body and attachments?  That at least might give a scanner a chance to
spot something.


-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com]On Behalf Of David
F. Skoll
Sent: Tuesday, January 20, 2004 3:57 PM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] not catching test viruses


On Tue, 20 Jan 2004, Kevin A. McGrail wrote:

> It might be of interest that using Symantec Anti-Virus for SMTP and NO
> Mimedefang missed the following tests to my knowledge though it's much
> harder because Symantec does a receive and modify rather than a block on
> emails.  It's very possible some of these were "defanged" but it's very
> difficult for me to ascertain.

I think some of the AV tests are pretty ridiculous, especially the MS
Outlook bug test.

At some point, you have to give up trying to duplicate all kinds of
weird and wonderful bugs in desktop software on the server, and just
get the desktop people to upgrade or switch.

It's possible to write a polymorphic virus with no constant signature
longer than a couple of bytes, or possibly even a single byte,
depending on how creative you can get with x86 assembly programming.
We'll eventually see virus-writing toolkits that make these
"signature-less" viruses easy to create, and then what?

Regards,

David.
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


