[pmmail-list] SirCam Virus Filtering Update

Kris Sorem Sr pmmail-list@blueprintsoftwareworks.com
Fri, 03 Aug 2001 01:05:24 -0700 (PDT)


On Thu, 02 Aug 2001 18:46:16 -0700, Dave in Phoenix AZ wrote:

>My short filter is
>b="in order to have your advice" & a="YES"

Will produce multiple _false positives_. Not _every_ SirCam worm
infected message will contain the text string you check. This filter
_will_ miss some infected messages. A non-infected message _could_
contain this text string and have an attachment. In addition, this
filter checks the body of every message before checking for an
attachment. If the message doesn't have an attachment, the body doesn't
need to be checked.

>
>Hundreds of hits and only 1 miss so far (I didn't examine it to see why
>just deleted manually)

Probably some valid but also some invalid hits. For this filter to
miss, either the message didn't contain the specified text string in
the body of the message or it didn't have an attachment. Even if both
were true, it could still be a non-infected message. Are the hits
greater than 134k in size? Does the subject contain the attachment file
name? Does the attachment have a double file extension?

>
>I also autosend a message to them pointing out the subject is a file on
>their computer with info on the virus and links to sites to help get rid of
>it.

You are probably putting some non-infected users through hoops thinking
they are infected.
--
JMO, 
/s/~Kris
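
The difference between the quoted two-term filter and the checks raised in the reply, as an added Python example (not code from the post or from PMMail). The indicator names, the reading of "134k" as 134 KiB, and both sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

PHRASE = "in order to have your advice"   # string from the quoted filter
SIZE_FLOOR = 134 * 1024                    # assumption: "134k" read as 134 KiB

def _parts(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]
    return msg, names

def _has_phrase(msg):
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and PHRASE in body.get_content().lower()

def short_filter(raw):
    """The quoted filter: phrase in body AND an attachment present."""
    msg, names = _parts(raw)
    return _has_phrase(msg) and bool(names)

def indicators(raw):
    """Attachment test first; the body is only read when one exists."""
    msg, names = _parts(raw)
    if not names:
        return set()
    hits = {"size"} if len(raw) > SIZE_FLOOR else set()
    subject = (msg["Subject"] or "").lower()
    for name in names:
        stem, ext = os.path.splitext(name)
        inner, inner_ext = os.path.splitext(stem)
        if ext and inner_ext:
            hits.add("double_ext")
        if inner and inner in subject:
            hits.add("subject_has_name")
    if _has_phrase(msg):
        hits.add("phrase")
    return hits

def sample(subject, text, filename=None, size=0):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(text)
    if filename:
        m.add_attachment(b"\0" * size, maintype="application",
                         subtype="octet-stream", filename=filename)
    return bytes(m)

BENIGN = sample("Quarterly review", "Sending notes in order to have your advice.", "notes.txt", 2000)
NO_PHRASE = sample("budget", "See attached.", "budget.doc.pif", 140_000)
```

`BENIGN` matches the short filter while showing only the phrase indicator; `NO_PHRASE` slips past the short filter while showing the size, double-extension and subject indicators.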