Bugtraq mailing list archives
Re: RFC: virus handling
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Thu, 29 Jan 2004 00:11:15 +0100 (MET)
On Wed, 28 Jan 2004, Thomas Zehetbauer wrote:
> 1.2.1.) Standardization
> To allow filtering of these messages they should always carry the text 'possible virus found' in the subject optionally extended by the name of the virus or the test conducted (eg. heuristics).

Delivery Status Notification (RFC 1894) has many disadvantages but IMHO it is still better than Yet Another Idiosyncratic Ad-hoc Format.

> 1.1.2.) Original Message
> The notification should never include the original message sent as otherwise it may send the worm/virus to a previously unaffected third party or re-infect a system that has already been cleaned.

Notifications, if they are sent at all, should always include at least the headers of the original message. (Anyway, people removing a piece of malware from their computer without taking any steps to prevent future infections (at least reinfections by the same kind of malware) *deserve* to be reinfected.)

> 3.2.) Disconnect
> Providers should grant their customers some grace period to clean their infection and should thereafter be disconnected entirely or filtered based on protocol (eg. outgoing SMTP) or content (eg. transparent smarthost with virus scanner) until they testify that they have cleaned their system.

Infected hosts should be blocked/disconnected immediately. A filter set up several hours after the fact (I suppose any reasonable "grace period" would have to be at least several hours long) is pointless because a typical 21st century fast spreading worm has already had enough time to attack everyone in its vicinity.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
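
An added illustration of the first two points discussed above, not part of the original post: a scanner notification built in the multipart/report layout used with RFC 1894 delivery status notifications, carrying only the headers of the original message and never its body or attachment. The hostnames, addresses, the status code 5.7.1, the function names and the sample message are assumptions constructed for the example.

```python
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def original_headers(raw: str) -> str:
    """Return only the header block of a raw message; body and attachments are dropped."""
    head, _, _ = raw.replace("\r\n", "\n").partition("\n\n")
    return head + "\n"


def status_block(fields: dict) -> Message:
    """One group of DSN fields (the per-message group or a per-recipient group)."""
    block = Message()
    for name, value in fields.items():
        block[name] = value
    return block


def build_notification(raw: str, mta: str, sender: str, recipient: str) -> MIMEMultipart:
    report = MIMEMultipart("report", report_type="delivery-status")
    report["From"] = f"postmaster@{mta}"
    report["To"] = sender
    report["Subject"] = "possible virus found"  # subject text proposed in the quoted RFC

    # Part 1: human-readable explanation.
    report.attach(MIMEText(f"Your message to {recipient} was refused by the content scanner.\n"))

    # Part 2: machine-readable status, so filters need not parse free text.
    status = Message()
    status["Content-Type"] = "message/delivery-status"
    status.attach(status_block({"Reporting-MTA": f"dns; {mta}"}))
    status.attach(status_block({"Final-Recipient": f"rfc822; {recipient}",
                                "Action": "failed",
                                "Status": "5.7.1"}))  # assumed code: message refused
    report.attach(status)

    # Part 3: original headers only, so the payload is never forwarded.
    report.attach(MIMEText(original_headers(raw), "rfc822-headers"))
    return report


# Constructed sample; the body line stands in for an infected attachment.
SAMPLE = ("From: alice@example.com\nTo: bob@example.org\n"
          "Message-ID: <constructed-1@example.com>\nSubject: hi\n\n"
          "CONSTRUCTED-ATTACHMENT-PLACEHOLDER\n")

if __name__ == "__main__":
    print(build_notification(SAMPLE, "mx.example.net",
                             "alice@example.com", "bob@example.org").as_string())
```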