On Fri, Jun 27, 2003, Fluke <[EMAIL PROTECTED]> wrote:

> On Sat, 28 Jun 2003, Antony Stone wrote:
>
> > That does seem like a good idea. An obvious way to do it might be to have a
> > specific (short) string of characters as the start or end of the virus name
> > which classifies it in this way?
> >
> > As you say, providing this information as part of the signature and not
> > needing a separate list seems like a good move.
>
> Providing the start and end strings of a virus still does not provide
> enough to do anything except produce a useless mangled file. If a virus
> replaces part of an exe's init code with a jump instruction to the end of
> the exec, where the init code has been moved to and the virus code
> added, just removing the beginning and ending of the virus code just
> invalidates the jump instruction. To get back to having a runnable
> program, the jump instruction needs to be replaced with the init code that
> was originally there.
>
> Rather than bloat the database with begin/end strings, I would prefer
> there was a field in the database to specify an optional inoculation
> program. So, for a Word DOC virus there may be in the database an entry
> for another program that does intelligent Word DOC virus removal. That
> external program might keep a database that uses begin/end strings or
> something else to accomplish removing the virus without garbling the file
> format. Likewise, an IFrame exploit inoculator program could be specified
> in the database and then it is up to the inoculator program to decide
> what additional data files it needs to intelligently modify the HTML.
I don't see why an application has to remove the virus, although that would be nice. Like you said, it is a difficult thing to do. I think just as acceptable would be to drop the infected file and let the rest of the message be delivered, perhaps with a note in its place.

JE
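Fluke's point about the jump instruction, illustrated with an added Python model. This is not code from the thread, from the scanner being discussed, or from any real virus: the "executable" is a constructed byte string whose first five bytes stand in for its init code, the infector overwrites them with an x86 JMP rel32 (opcode E9 plus a signed offset relative to the end of the instruction, which is the real encoding) to a block appended at the end of the file, and the VIRUS_BEGIN/VIRUS_END strings are hypothetical stand-ins for the begin/end strings a signature might carry. The two removal routines show why cutting between those strings leaves a file whose entry jump lands past the end of the file, while a removal that knows where the infector saved the original bytes restores the host exactly.

```python
"""Toy model of an appending file infector and two ways of 'removing' it.

Constructed example for the mailing-list discussion, not scanner code.
The "executable" is a byte string whose first five bytes are its init
code; the infector overwrites them with an x86 JMP rel32 to a block it
appends at the end of the file, saving the original five bytes there so
the virus can run them afterwards.
"""
import struct

STUB_LEN = 5                      # size of JMP rel32: 1 opcode byte + 4-byte offset
JMP = 0xE9                        # x86 opcode for JMP rel32 (offset is relative to next insn)
BEGIN = b"VIRUS_BEGIN"            # hypothetical begin/end strings a signature might carry
END = b"VIRUS_END"
PAYLOAD = b"<virus payload>"      # constructed stand-in for the virus body

# Constructed host: 5 bytes of "init code" followed by the rest of the program.
HOST = b"\x55\x89\xe5\x83\xec" + b"<rest of program body>"


def infect(host: bytes) -> bytes:
    """Overwrite the host's init code with a jump to an appended virus block."""
    saved = host[:STUB_LEN]
    target = len(host)                     # the appended block starts at the old EOF
    rel = target - STUB_LEN                # JMP rel32 is relative to the end of the stub
    stub = bytes([JMP]) + struct.pack("<i", rel)
    block = BEGIN + saved + PAYLOAD + END  # saved init code travels with the virus
    return stub + host[STUB_LEN:] + block


def jump_target(program: bytes):
    """Return the absolute offset the entry JMP lands on, or None if the entry is not a JMP."""
    if len(program) < STUB_LEN or program[0] != JMP:
        return None
    rel = struct.unpack("<i", program[1:STUB_LEN])[0]
    return STUB_LEN + rel


def entry_runnable(program: bytes) -> bool:
    """An entry JMP that lands outside the file can never execute correctly."""
    t = jump_target(program)
    return t is None or 0 <= t < len(program)


def naive_strip(infected: bytes) -> bytes:
    """Signature-only removal: cut out everything from BEGIN through END.

    The jump stub at the entry is untouched, so it now points past EOF.
    """
    start = infected.find(BEGIN)
    stop = infected.find(END)
    if start < 0 or stop < 0:
        return infected
    return infected[:start] + infected[stop + len(END):]


def disinfect(infected: bytes) -> bytes:
    """Format-aware removal: put the saved init code back over the jump, drop the block."""
    start = infected.find(BEGIN)
    if start < 0:
        return infected
    saved_at = start + len(BEGIN)
    saved = infected[saved_at:saved_at + STUB_LEN]
    return saved + infected[STUB_LEN:start]


if __name__ == "__main__":
    bad = infect(HOST)
    print("infected entry jumps to", jump_target(bad), "of", len(bad), "bytes")
    stripped = naive_strip(bad)
    print("naive strip runnable:", entry_runnable(stripped))
    print("disinfect restores host:", disinfect(bad) == HOST)
```

The naive routine is exactly what a begin/end-string field in the database would let a generic engine do; getting the host back requires knowing where this particular infector stashed the original bytes, which is the per-family knowledge Fluke wants to push into an external inoculation program.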
