Full Disclosure mailing list archives
RE: Getting the lead out of broken virus / worm email meta-reporting
From: "Clairmont, Jan M" <jan.m.clairmont () citigroup com>
Date: Tue, 3 Aug 2004 11:40:19 -0400
How fast is fast? The time it takes an AV, spyware or firewall company to react to a real-time threat. I think there is going to have to be a pooling of anti-virus, mail sweeping and firewall protection knowledge. There should be a central policy that can be reported and distributed to the various vendors and clients that autoupdates the protecting software. Simply a crisis-mail-alert with appropriate information for translation into a protecting shield that updates all AV, mail and firewall utilities.

Has anyone written or read a spec on standardizing worm, virus or other alerts with not just "there's a 'sploit", but a method of reporting the 'sploit or adware, malware in a way that the vendors and clients could instantly counter with a new filter or fix? Information such as: the virus, malware or spam type; then filtering fingerprint, associated DLL update, or where to get it from approved vendor lists, etc.; time of discovery, place, description of malicious effect, etc. Does anyone have any ideas on this? Is there an RFP on this particular subject of universal alerts with fix etc.? Because the time-consuming list watching is just not standardized. What vendor and when it comes time to update is a matter of when they get around to it. By that time the cows are out of the barn and we are like the volunteer fire department, foundation savers. By the time everyone gets out of bed, rushes to the firehouse and gets to the scene there is nothing left but a foundation to save.

A Universal Internet Security Alert system with fix, signature etc. should be implemented; when one finds the fix they would be obligated to put the fix into an alert database that all vendors could use. It would be non-vendor specific and universal to all updates. Any other thoughts would be welcome. Part of the problem I see would be how to secure the reporting itself. It would have to be through a specific agency, with signature and encryption that is fairly foolproof and secure.

A centralized database that can then be created and then an alert issued where everyone can go and get the fix, signature or whatever, and automated. Right now every vendor has its own.

Thoughts,
Jan Clairmont
Firewall Administrator/Consultant

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Todd Towles
Sent: Tuesday, August 03, 2004 9:53 AM
To: 'Denis McMahon'; 'fd'
Subject: RE: [Full-disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner

I have seen this type of e-mail on my Yahoo account at home. I just guessed it was a corrupt e-mail put out by some e-mail virus circling the internet. It wouldn't be the first time or the last.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Denis McMahon
Sent: Tuesday, August 03, 2004 6:39 AM
To: fd
Subject: [Full-disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner

Hmm, I've had a couple of suspicious emails this week with headers, blank line, a line of text, MIME headers. Thunderbird doesn't see the MIME attachment due to the broken headers, which is good, but nor does the Grisoft email proxy scanner, which is bad, especially as I guess that certain broken applications (no, I don't have Outlook [Express] on my system) might try and be smart and find the attachment.

This might be broken malware sending unusable stuff out, but my worry is that someone may have found a technique that will sneak an attachment past some AV scanners in a "broken" format that certain popular email apps will try and fix, possibly putting active malware on the hard disk.

I tried to talk to Grisoft about this, but all I get back is "you have to pay to talk to us cheapskate" ... whilst I can agree that they might not want to provide tech support to users of their free scanner, does anyone have an email address at Grisoft for submitting suspicious items that have got past their proxy scanner?

Denis

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
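The parser differential Denis describes (RFC 822 headers, a blank line, a line of text, and only then the MIME headers, so a strict parser sees a plain-text message with no attachment while a lenient client might "repair" it and recover one) can be flagged at the gateway. This is an added example, not code from the thread or from any vendor; the message is constructed, and the header names and the "suspicious" rule are my own assumptions:

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample (not a message from the list): RFC 822 headers, a blank
# line, one text line, then MIME headers that belong in the header block.
BROKEN_MSG = b"""From: sender@example.test
To: user@example.test
Subject: hi

please read
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="doc.zip"
Content-Disposition: attachment; filename="doc.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Header lines that should never appear inside a text/plain body.
HEADER_IN_BODY = re.compile(
    r"^(Content-Type|Content-Disposition|Content-Transfer-Encoding|MIME-Version):",
    re.IGNORECASE | re.MULTILINE)
BOUNDARY = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)

def analyze(raw: bytes) -> dict:
    """Parse strictly, then report whether MIME structure leaked into the body."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # What a standards-following parser (and a scanner built on one) sees.
    strict_attachments = sum(1 for p in msg.walk() if p.get_filename())
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # What a lenient client might re-interpret as headers and a boundary.
    stray = HEADER_IN_BODY.findall(text)
    m = BOUNDARY.search(text)
    delimited = bool(m) and f"--{m.group(1)}" in text
    return {
        "strict_attachments": strict_attachments,
        "stray_mime_headers": len(stray),
        "boundary_in_body": delimited,
        "suspicious": strict_attachments == 0 and len(stray) > 0 and delimited,
    }

if __name__ == "__main__":
    print(analyze(BROKEN_MSG))
```

A message that scores zero attachments under strict parsing yet carries header lines and a matching boundary in its body is exactly the case a scanner would pass and a "helpful" client might reassemble, so it is worth quarantining for manual review.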
Current thread:
- RE: Getting the lead out of broken virus / worm email meta-reporting Clairmont, Jan M (Aug 03)
- Re: Getting the lead out of broken virus / worm email meta-reporting Thomas Reidy (Aug 03)
- RE: Getting the lead out of broken virus / worm email meta-reporting Todd Towles (Aug 03)
- Re: Getting the lead out of broken virus / worm email meta-reporting The Central Scroutinizer (Aug 03)
- Re: Getting the lead out of broken virus / worm email meta-reporting Thomas Reidy (Aug 03)