[pmmail-list] SirCam Virus Filtering Update

Kris Sorem Sr pmmail-list@blueprintsoftwareworks.com
Fri, 03 Aug 2001 00:37:55 -0700 (PDT)


On Thu, 02 Aug 2001 16:31:29 -0500 (CDT), Maynard wrote:

>The first of these alone should do it, if you want the filter at the
>top of the filter sequence and you don't want to burden the system with
>excessive unnecessary processing. The other two will help prevent any
>false-positives, but since lower case d in Date: field is out of spec,
>it certainly isn't frequently used.
>
>header.-s="date: "
This will produce false positives for SirCam worm-infected messages and would
miss some SirCam-infected messages. It may be unconventional, but it is
not contained in any profile of the SirCam worm offered by antivirus
companies.

>&message.size>"134000"
This will produce false positives for messages greater than 130k but less
than 134k. The footprint of the SirCam worm is 137216 bytes. This is the
minimum that should be checked.

>&attachment.name="$header.subject$"
Valid. Fits the SirCam profile. However, if the first two checks fail, the
attachment name is never checked.
--
JMO, 
/s/~Kris
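As an added example (not part of this thread and not PMMail's own code), the three-condition rule discussed above modelled as Python predicates over constructed messages, so the short-circuit behaviour and the effect of the size threshold can be seen directly. It assumes PMMail's `&` chain is a short-circuiting AND and that `header.-s="date: "` is a case-sensitive match on the raw header line; the sample messages are constructed, not real SirCam samples.

```python
# Constructed sample messages for illustration only (no real worm samples).
# Each holds raw header lines (case preserved), a byte size and attachment names.
SAMPLES = {
    "worm_like": {  # mimics the profile the thread describes
        "headers": ["date: Fri, 03 Aug 2001 00:37:55 -0700", "Subject: report"],
        "size": 137216,
        "attachments": ["report"],
    },
    "large_normal": {  # ordinary large mail, conventional "Date:" header
        "headers": ["Date: Fri, 03 Aug 2001 00:37:55 -0700", "Subject: photos"],
        "size": 135000,
        "attachments": ["holiday.zip"],
    },
    "lowercase_date_normal": {  # out-of-spec header but not worm-like
        "headers": ["date: Fri, 03 Aug 2001 00:37:55 -0700", "Subject: notes"],
        "size": 135000,
        "attachments": ["notes.txt"],
    },
}

def header_value(msg, name):
    """Case-insensitive header lookup, as a mail client would do for Subject."""
    for line in msg["headers"]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def has_raw_header_prefix(msg, prefix):
    """Assumed model of header.-s="date: ": case-sensitive raw-line prefix match."""
    return any(line.startswith(prefix) for line in msg["headers"])

def size_over(threshold):
    return lambda msg: msg["size"] > threshold

def attachment_named_subject(msg):
    """Model of &attachment.name="$header.subject$"."""
    subject = header_value(msg, "Subject")
    return subject is not None and subject in msg["attachments"]

def run_filter(msg, checks):
    """Short-circuiting AND chain: (matched, number of checks actually evaluated)."""
    for i, check in enumerate(checks, 1):
        if not check(msg):
            return False, i
    return True, len(checks)

def evaluate_all(checks):
    return {name: run_filter(msg, checks) for name, msg in SAMPLES.items()}

PROPOSED = [lambda m: has_raw_header_prefix(m, "date: "), size_over(134000), attachment_named_subject]
# Same chain with the thread's 137216-byte footprint taken as the minimum size.
TIGHTER = [lambda m: has_raw_header_prefix(m, "date: "), size_over(137215), attachment_named_subject]
```

Running `evaluate_all(PROPOSED)` shows the conventional-"Date:" message stops at the first check, so its attachment name is never examined, while the 135000-byte lowercase-date message only drops out at the third check unless the size threshold is raised.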