I agree completely.
I use the postmaster notification only, so only internal
notifications happen. I use the FORGINGVIRUS statements to limit what we
have to see.
Recently, we had a single "macro virus" type issue, and
that was where a HTML based Microsoft Word document used a document template
that was referenced as a URL. F-Prot flagged that as a potential
vulnerability and our postmaster account was duly notified. After vetting
the attachment, the message was internally re-queued for the
user.
I can barely remember the incident before that.
The notifications always turn out to be flagging a new
worm.
Andrew.
Regarding the names, this is why I would recommend that people
completely abandon any form of postmaster and sender bounce messages for
detected viruses...it's just too much to keep up with without creating
backscatter, and most won't bother to keep up with it regardless because they
don't know how to or don't pay attention to such things.
Just like
Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions
directly about why things no longer worked so that users could be tested for
their worthiness of continuing to use the functionality), I think that it
would be good for the community at large if postmaster.eml and sender.eml were
changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also
promoting the idea of abandoning this functionality.
I have seen
statistics from one of the AV companies showing that macro viruses accounted
for less than 1% of all such viruses detected if I recall the exact percentage
properly. From the perspective of E-mail, I believe the only messages
that are end-user initiated that should be detected by our scanners are macro
and hoax viruses. These are very rare, probably far less than 1% of what
is blocked by E-mail systems since macro viruses don't mass mail. I
think it's safe therefore to assume that even if a virus wasn't forged (some
use the infected computer's user instead of a random or predefined one),
it wasn't user-initiated, and avoid notifying them for fear of creating
backscatter.
Matt
Colbeck, Andrew wrote:
A kapser was detected on my F-Prot based system today.
I'm attaching the output of the scan from virustotal.com for your
interest.
I also scanned it with my TrendMicro which detects it by a different
name:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA
You might add:
FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM
To your virus.cfg to cover the various naming conventions in the various
engines, particularly that last one.
I'll submit the virus to Symantec if someone could point me to the right
way to do that; they're the only big name that doesn't detect this
malware.
Andrew.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?
I think this started happening after I updated my F-prot
virus defs to 16th.
Does anyone else see this?
Mark Reimer
IT Project Manager
American CareSource
214-596-2464
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?
I saw an entry in my virus log today for [EMAIL PROTECTED]
Has anyone else seen this? I cannot find any information on it.
Mark Reimer
IT Project Manager
American CareSource
214-596-2464
---
[This E-mail has been scanned for viruses]
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
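As an added illustration of the policy discussed in this thread (not Declude's own code, and not code from any of the posters), the following helper reads FORGINGVIRUS lines from a virus.cfg-style fragment and decides who, if anyone, should be notified for a given detection name. It assumes FORGINGVIRUS keywords are matched as case-insensitive substrings of the scanner's reported name; that matching rule is an assumption, not something the thread confirms.

```python
# Added example, not Declude's own code. Models a notification policy in
# which detections matching a FORGINGVIRUS keyword never trigger sender or
# postmaster notices (no backscatter), while the rare non-forging detections
# go to the postmaster only, or optionally to the sender as well.
# Assumption: keywords match as case-insensitive substrings of the name.

# Constructed sample config fragment, mirroring the lines suggested above.
SAMPLE_VIRUS_CFG = """
# comments and unrelated directives are ignored
FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM
"""


def load_forging_keywords(cfg_text):
    """Return the upper-cased keyword from every FORGINGVIRUS line."""
    keywords = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "FORGINGVIRUS":
            keywords.append(parts[1].strip().upper())
    return keywords


def is_forging(virus_name, keywords):
    """True if any FORGINGVIRUS keyword occurs in the reported name."""
    name = virus_name.upper()
    return any(k in name for k in keywords)


def notification_targets(virus_name, keywords, policy="postmaster-only"):
    """Who to notify for a detection.

    policy="postmaster-only": notify the postmaster for non-forging
        detections only; never notify the sender.
    policy="sender": also notify the sender for non-forging detections.
    Forging families always produce no notice at all.
    """
    if is_forging(virus_name, keywords):
        return []
    targets = ["postmaster"]
    if policy == "sender":
        targets.append("sender")
    return targets
```

The same detection is reported as "Kapser" by one engine and "WORM_GREW.A" by another, and the catch-all WORM keyword is what makes both suppress notices regardless of naming convention.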