Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things. Just like Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.

I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter.

Matt

Colbeck, Andrew wrote:

A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest.

I also scanned it with my TrendMicro which detects it by a different name:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:

FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM

to your virus.cfg to cover the various naming conventions in the various engines, particularly that last one.

I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?

I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

---
[This E-mail has been scanned for viruses]
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.