Re: [Exim] Generic VBS script detection

Author: Jeffrey Goldberg
Date:  
To: Nigel Metheringham
CC: Exim
Subject: Re: [Exim] Generic VBS script detection
On Fri, 5 May 2000, Nigel Metheringham wrote:

> It's been suggested to me that we try and restrict this filter to stuff
> that has a chance of matching...
>
>    if $h_content-type: contains multipart/mixed

You might also wish to check for $message_size. I have assumed that
anything nasty will take some space.

Also, I have not been checking uuencode stuff at all, and have been sloppy
with the RE in that I don't really care if a quoted filename has a
trailing quote or not, so what I am currently running is

===================================
# Exim filter

logfile /var/spool/exim/log/filter_log

# Outer guard: first delivery attempt only, never a bounce, and only
# messages large enough to be carrying an attachment.
if (first_delivery and not error_message and $message_size is above 6k)
then
  # Upper-case IS makes the comparison case-sensitive.
  if ($h_subject: IS ILOVEYOU) then
    freeze text "Suspected ILOVEYOU virus"
  # Script hidden behind a double extension (.txt.vbs / .txt.vbe).
  # Backslashes are doubled because Exim de-escapes quoted strings
  # before handing the expression to PCRE.
  elif $message_body matches
       "\\b(?:file)?name=(\"[^\"]+|\\S+)\\.txt\\.vb[se]\\b" then
    freeze text "May contain surreptitious VBScript attachment"
  # Any other .vbs / .vbe attachment name.
  elif $message_body matches
       "\\b(?:file)?name=(\"[^\"]+|\\S+)\\.vb[se]\\b" then
    freeze text "May contain VBScript attachment"
  endif
endif
===================================


The obvious cost of the if ... elif ... elif ... endif stuff in the middle
is that three conditions are checked for every message that is OK but meets
the outer condition. I don't know the pcre/exim internals well enough to know
whether the first check causes a "study" of the text.

I have tried to set this so that the least expensive conditions are done
first. I will add the header content type condition to the outer
condition.

The problem is that I may wish to freeze on some of these and fail on
others.

A point should be made about a much earlier query about "best" filter.

If you are a small site or a site with staff who will deal with frozen
messages in a reasonable time, then you may wish to freeze messages and be
willing to accept some false positives.

If you are a large site, you may wish to fail messages, in which case
false positives are a different concern.

Finally, your acceptance of false positives and false negatives depends on
the proportion of Outlook and other vulnerable users you have.

So the question of the "best" filter is highly site dependent.

-j

-- 
Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
 Cranfield Computer Centre      FAX         751 814
 J.Goldberg@???     http://WWW.Cranfield.ac.uk/public/cc/cc047/
Relativism is the triumph of authority over truth, convention over justice.
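The decision logic of the filter in the message above, ported to Python as an added example (it is not part of the original post and not Exim's code). It assumes Exim's default of 500 bytes for message_body_visible, treats every input as a first delivery of a non-bounce (that state is not carried in a raw message), and includes the Content-Type guard the thread proposes. The sample messages are constructed inline.

```python
import re
from email import message_from_string
from typing import Optional

# Exim exposes only the first message_body_visible bytes of the body in
# $message_body (default 500), with newlines turned into spaces.
BODY_VISIBLE = 500
SIZE_THRESHOLD = 6 * 1024            # the filter's "$message_size is above 6k"

# Ports of the filter's two PCRE expressions.  Exim's lower-case "matches"
# is case-independent, hence re.IGNORECASE; note the deliberately sloppy
# "[^"]+ alternative, which does not require a closing quote.
DISGUISED_VBS = re.compile(r'\b(?:file)?name=("[^"]+|\S+)\.txt\.vb[se]\b', re.IGNORECASE)
PLAIN_VBS = re.compile(r'\b(?:file)?name=("[^"]+|\S+)\.vb[se]\b', re.IGNORECASE)


def visible_body(raw: str, limit: int = BODY_VISIBLE) -> str:
    """Approximate $message_body: text after the header block, truncated to
    `limit` bytes, newlines replaced by spaces."""
    body = raw.partition("\n\n")[2]
    return body[:limit].replace("\n", " ")


def vbs_reason(body: str) -> Optional[str]:
    """The inner if/elif cascade: return the freeze text, or None."""
    if DISGUISED_VBS.search(body):
        return "May contain surreptitious VBScript attachment"
    if PLAIN_VBS.search(body):
        return "May contain VBScript attachment"
    return None


def classify(raw: str, size_threshold: int = SIZE_THRESHOLD) -> str:
    """Return 'freeze: <text>' or 'deliver' for one raw RFC 822 message."""
    msg = message_from_string(raw)
    # Cheapest checks first, as the post argues: size, then a header test.
    if len(raw.encode()) <= size_threshold:
        return "deliver"
    if "multipart/mixed" not in msg.get("Content-Type", "").lower():
        return "deliver"
    # The filter writes IS in upper case, i.e. a case-sensitive comparison.
    if msg.get("Subject", "").strip() == "ILOVEYOU":
        return "freeze: Suspected ILOVEYOU virus"
    reason = vbs_reason(visible_body(raw))
    return f"freeze: {reason}" if reason else "deliver"


def build_message(subject: str, part_headers: str, padding: int = 7000,
                  preamble: str = "") -> str:
    """Constructed sample: one multipart/mixed message with a single
    attachment part, padded past the 6k threshold *after* the part headers.
    `preamble` is body text placed before the part, to show the visible-body
    limit."""
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        f"Subject: {subject}\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        f"{preamble}--b1\n{part_headers}\n\n"
        + "x" * padding + "\n--b1--\n"
    )


# Constructed sample messages (not real captures).
LOVE_LETTER = build_message(
    "ILOVEYOU",
    'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"')
DISGUISED = build_message(
    "report", 'Content-Disposition: attachment; filename="report.txt.vbs"')
PLAIN = build_message(
    "update", "Content-Disposition: attachment; filename=update.vbe")
BENIGN = build_message(
    "notes", 'Content-Disposition: attachment; filename="notes.txt"')
TOO_SMALL = build_message(
    "update", "Content-Disposition: attachment; filename=update.vbe", padding=100)
OUT_OF_VIEW = build_message(
    "update", "Content-Disposition: attachment; filename=update.vbe",
    preamble="y" * 600 + "\n")

if __name__ == "__main__":
    for label, sample in [("love letter", LOVE_LETTER), ("disguised", DISGUISED),
                          ("plain", PLAIN), ("benign", BENIGN),
                          ("too small", TOO_SMALL), ("out of view", OUT_OF_VIEW)]:
        print(f"{label:12s} -> {classify(sample)}")
```

The last two samples show the two ways a real attachment slips past this filter without the regexes being at fault: a message under the 6k guard is never inspected at all, and a part whose headers sit beyond the first 500 body bytes is invisible to `$message_body`, so a site relying on this check should raise message_body_visible or move the test to a scanner that sees the whole message.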