Re: [Exim] the Klez virus

Author: Marc MERLIN
Date:
To: Alex Vinogradoff
CC: exim-users
Subject: Re: [Exim] the Klez virus
On Fri, May 10, 2002 at 09:45:14PM +0300, Alex Vinogradoff wrote:
> Hey folks, stop wasting your time. There will be another Klez modification
> tomorrow,
> and your filter won't recognize it. Install some good antivirus filter and
> close this subject.


I don't want to rehash this, but there are reasons why antivirii aren't the
solution either. They are (AFAIK) reactive, and can't detect a virus
they don't know about yet, so they then fall back to what we do in
system_filter, namely optionally protecting against potentially harmful
attachments (without knowing whether they are infected or not).
Virus scanners also take significantly more time and resources.

So I'll repeat what I posted a few days ago:

----------------------------------------------------------------------------
I've been looking at my existing rules, because as mentioned before, I
don't like this solution: I don't want to get in the business of writing
custom and possibly imperfect filters for each new virus that comes out.

Klez sends:
--O1wI75YSucu4Fo4J6F4jxR6U6k78
Content_-_Type: audio/x-midi;
        name=Custom.s_c_r


If I modify it to say:
--O1wI75YSucu4Fo4J6F4jxR6U6k78
Content_-_Type: audio/x-midi; name=Custom.s_c_r

then it gets blocked by the existing system_filter
I have the flu right now, so I don't think it's the best time for me to mess
with my filter regexes, but it seems that it's only a matter of fixing this:

if $message_body matches
"(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"

I prefer a generic fix a _lot_ better.
----------------------------------------------------------------------------

Unless we are going way beyond what regexes can do (which is what Nigel
suggested IIRC), this braindead approach is preferable in my opinion.

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key
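The failure mode Marc describes, a `name=` parameter folded onto a continuation line slipping past a check that catches the single-line form, as an added example that is not code from the post, from the list, or from Exim. It is written in Python rather than as an Exim filter: it reuses the extension list from the quoted system_filter regex and the boundary string quoted in the post, but the line-bound pattern standing in for the unfixed filter is a deliberately simplified construction, not Marc's regex, and the MIME messages, the sender address and the file name `placeholder.scr` are constructed samples. The generic fix shown is to unfold headers (RFC 2822 section 2.2.3) before matching, which works regardless of how the attachment regex itself treats whitespace.

```python
"""Extension-based attachment blocking that survives folded MIME headers.

Added example, not code from the Exim list post or from Exim. The extension
list is the one in the system_filter regex quoted in the post; the message
bodies are constructed samples and the file name is a placeholder."""
import re

# The "dangerous extension" set used by the quoted system_filter regex.
BLOCKED_EXT = re.compile(r"\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)$", re.I)

# A line-bound name= check: it assumes the parameter sits on the same physical
# line as "Content-Type:" / "Content-Disposition:". This stands in for a filter
# that does not account for header folding (it is NOT the post's own regex).
LINE_BOUND = re.compile(
    r"^Content-(?:Type:[ \t]*[\w.+-]+/[\w.+-]+|Disposition:[ \t]*attachment)"
    r"[^\r\n]*?;[ \t]*(?:file)?name=(?:\"([^\"\r\n]+)\"|([^\s;\"]+))",
    re.I | re.M,
)


def unfold_headers(raw: str) -> str:
    """RFC 2822 2.2.3: a CRLF (or LF) followed by WSP continues the previous
    header line, so join such pairs with a single space before matching."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def attachment_names(raw: str, unfold: bool) -> list:
    """Return every name=/filename= value found by the line-bound pattern,
    optionally after unfolding the headers first."""
    text = unfold_headers(raw) if unfold else raw
    return [quoted or bare for quoted, bare in LINE_BOUND.findall(text)]


def has_blocked_attachment(raw: str, unfold: bool = True) -> bool:
    """True if any attachment name ends in one of the blocked extensions."""
    return any(BLOCKED_EXT.search(n) for n in attachment_names(raw, unfold))


# Constructed samples. The boundary string is the one quoted in the post.
BOUNDARY = "O1wI75YSucu4Fo4J6F4jxR6U6k78"


def sample_message(folded: bool, name: str = "placeholder.scr") -> str:
    """Build a two-part MIME message whose second part carries the file name
    either folded onto a continuation line (the form the post says Klez sends)
    or on one line (the form the post shows the filter catching)."""
    if folded:
        ctype = "Content-Type: audio/x-midi;\r\n\tname=%s" % name
    else:
        ctype = "Content-Type: audio/x-midi; name=%s" % name
    return (
        "From: sender@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: multipart/mixed; boundary=\"%s\"\r\n"
        "\r\n"
        "--%s\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "hello\r\n"
        "--%s\r\n"
        "%s\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        "AAAA\r\n"
        "--%s--\r\n"
    ) % (BOUNDARY, BOUNDARY, BOUNDARY, ctype, BOUNDARY)


if __name__ == "__main__":
    for folded in (False, True):
        raw = sample_message(folded)
        print("folded=%-5s  line-bound only: %-5s  after unfolding: %s" % (
            folded,
            has_blocked_attachment(raw, unfold=False),
            has_blocked_attachment(raw, unfold=True)))
```

Two caveats a practitioner will hit with any regex of this shape: parameters split with RFC 2231 continuations (`name*0=`, `name*1=`) and RFC 2047 encoded words in the name are not decoded here, so a production check should take the file name from a real MIME parser rather than from the raw text; and, as the post itself notes, an extension list is a generic guard against risky attachment types, not a detector for any particular virus.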