On Saturday 28 June 2003 12:47 am, Fluke wrote:

> On Sat, 28 Jun 2003, Antony Stone wrote:
>
> > That does seem like a good idea. An obvious way to do it might be to
> > have a specific (short) string of characters as the start or end of the
> > virus name which classifies it in this way?
> >
> > As you say, providing this information as part of the signature and not
> > needing a separate list seems like a good move.
>
> Providing the start and end strings of a virus is still does provide
> enough to do anything except produce a useless mangled file. If a virus
> replaces part of an exe's init code with a jump instruction to the end of
> the exec where the init code has been moved to and the virus code
> added, just removing the beginning and ending of the virus code just
> invalidates the jump instruction. To get back to having a runnable
> program, the jump instruction needs replaced back with the init code that
> was originally there.
>
> Rather than bloat the database with begin/end strings, I would prefer
> there was a field in the database to specify an optional inoculation
> program.

I do not think this sort of "inoculation" is a good idea. For any given file attachment, if it contains a virus/worm, it should be discarded. The only remaining question is whether the entire rest of the email should also be discarded or not.

The days of removing a virus from part of a file and regarding the remainder of the file as valid / useful / trusted are gone, IMHO.

Regards,

Antony.
