[pmmail-list] SirCam Virus Filtering Update

Kris Sorem Sr pmmail-list@blueprintsoftwareworks.com
Sat, 04 Aug 2001 21:50:03 -0700 (PDT)


On Sat, 04 Aug 2001 17:25:40 -0500 (CDT), Maynard wrote:

>Don't get so bent on this, Kris; and don't take it personally.

It seems my reply has been taken the wrong way. I'm not bent, nor do I
have any personal investment. Every user on this list is free to use
any filter they choose or none at all. My systems and those of my
clients are unaffected by any such decision. The purpose of my reply
was to clarify that use of the simple filter will still leave you
vulnerable, contrary to claims made here.

>The fact that the AV community doesn't recognize the non-compliant
>"date: " string header is not relevant.

I believe it to be relevant. If this criterion were consistent across
all w32.sircam messages, it would be included in the profile in the
same manner as the body text lines are. Its absence does indicate
this criterion to be an unreliable identifier. The AV community serves a
useful purpose by reducing time-consuming analysis and generally has a
greater database to analyze.

>While your ICSL filter catches all the body text and everything else
>which is thought to be "defining" of SirCam at this time, it is
>probably a whole lot more CPU and time intensive than those more simple
>filters in use by those of us who don't mind a possible "false
>positive".

The simple filter posted here parses the header of _every_ received
message for the uncapitalized date. Only if it matches does it check
for an attachment. To reduce CPU usage this should be reversed. How a
filter is written is equally as important as what the filter contains.
I have not experienced any reduction in download time using my
filter. Actually, it is probably less CPU and time intensive. In my
filter, the body of the message is never parsed unless the first three
criteria match, the criteria being message size, existence of an
attachment, and attachment name contained in subject. If you wish a more
accurate k.i.s.s. filter that will deliver more bang for the buck, use
the first two checks of my optimised filter. Then again, you could
simply set PMMail to not download any messages greater than 134k and
use no filter. Of course, your mailbox will fill up unless you remotely
delete them.

>May I suggest that you set up the simple "date: " check after you've
>trapped your SirCams, and see if it catches anything.

While it catches some, it does not catch all. I believe the purpose of
a filter is to capture the intended target as accurately as possible
while minimizing any false captures. I would also check the attachment
name for a double extension if ICSL filtering supported wildcard text
pattern matching.

>Everybody is trying to work together here, and nobody is intending to
>offend you.

Again, I'm not offended.

>Folks on this list are appreciative of your contributions, and have
>stated so.

I'm aware of that. Thanks.

>I could just as easily send the SirCam through your filters, but that
>would be _me_, not the worm, initiating the connection. The worm does
>"date: " just as consistently as it does the other stuff.

Please qualify your last statement, 'The worm does "date: " just as
consistently as it does the other stuff.' On what criteria is this
statement based? Just curiosity, I guess.

For those interested, here is my optimised filter.
---begin filter---
!(m.size<"137216") & a="YES" & a.name="$h.subject$" &
(b="Hi! How are you?" | b="See you later. Thanks" |
b="Hola como estas?" | b="Nos vemos pronto, gracias")
---end filter---
--
JMO, 
/s/~Kris
-------------------------------+------------------------------------------
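The evaluation-order point made in the message above, shown as an added example that is not code from the original post, from PMMail, or from its ICSL filter language: the optimised filter re-expressed in Python, keeping the same check order (size, attachment present, attachment name equal to Subject, and only then the body phrases) so that a message failing an early check is never parsed further. The sample messages are constructed here for illustration. Two things are assumed rather than taken from the post: the ICSL test a.name="$h.subject$" is read as a case-insensitive exact comparison of the attachment filename with the Subject header, and a "double extension" (the wildcard check the author says he would add) means a name of the form "budget.xls.lnk".

```python
"""Added example: the optimised SirCam filter from the list post, in Python.

Not PMMail or ICSL code.  Assumed: a.name="$h.subject$" means exact,
case-insensitive equality; a "double extension" looks like "name.xls.lnk".
"""
import email
import re
from email import policy
from email.message import EmailMessage

SIZE_THRESHOLD = 137216                     # bytes; "134k" (134 * 1024) in the post
BODY_PHRASES = (                            # the four body lines in the posted filter
    "Hi! How are you?",
    "See you later. Thanks",
    "Hola como estas?",
    "Nos vemos pronto, gracias",
)
# Assumed shape of a double extension: "<name>.<ext1>.<ext2>" with short extensions.
# It also matches legitimate names such as "site.tar.gz", which is the
# false-positive trade-off the thread is arguing about.
DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}\.[A-Za-z0-9]{1,4}$")


def has_double_extension(filename: str) -> bool:
    return DOUBLE_EXT.search(filename) is not None


def first_attachment_name(msg: EmailMessage):
    """Filename of the first attachment, or None when there is no attachment."""
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            return name
    return None


def classify(raw: bytes) -> str:
    """Run the four checks in order; return 'sircam' or the first check that failed.

    Returning the failing stage makes the short-circuit visible: a message that
    fails on size is never parsed, and the body is decoded only at stage 4.
    """
    # 1. Size is known before any parsing, so it is the cheapest test.
    if len(raw) < SIZE_THRESHOLD:
        return "size"
    msg = email.message_from_bytes(raw, policy=policy.default)
    # 2. There must be an attachment at all.
    name = first_attachment_name(msg)
    if name is None:
        return "attachment"
    # 3. Attachment name must equal the Subject header (assumed ICSL semantics).
    subject = str(msg["Subject"] or "").strip()
    if name.strip().lower() != subject.lower():
        return "name"
    # 4. Only now is the body decoded and searched for the known phrases.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if not any(phrase in body for phrase in BODY_PHRASES):
        return "body"
    return "sircam"


def is_sircam(raw: bytes) -> bool:
    return classify(raw) == "sircam"


def kiss_filter(raw: bytes) -> bool:
    """The 'first two checks' variant suggested in the post: size + attachment."""
    if len(raw) < SIZE_THRESHOLD:
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    return first_attachment_name(msg) is not None


def build_message(subject: str, body: str, attachment: str = None,
                  attachment_size: int = 0) -> bytes:
    """Construct a sample message (test data only; the attachment is inert filler)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        blob = b"\0" * attachment_size      # zero bytes, base64-encoded on output
        msg.add_attachment(blob, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed sample carrying every trait the filter looks for.
SIRCAM_SAMPLE = build_message(
    "Budget 2001.xls.lnk",
    "Hi! How are you?\n\nSee you later. Thanks\n",
    attachment="Budget 2001.xls.lnk",
    attachment_size=110_000,                # roughly 147 KB once base64-encoded
)

if __name__ == "__main__":
    print(classify(SIRCAM_SAMPLE))
    print(classify(build_message("Hello", "short note")))
    print(classify(build_message("Vacation", "pics", "photo.jpg", 110_000)))
```

Running it shows the stage at which each constructed message drops out: a small note is rejected on size alone, a large message with a differently named attachment is rejected on the name comparison, and only the sample with all four traits reaches the body search. has_double_extension() is the extra check the author wanted wildcard support for; it is deliberately separate because it would also flag ordinary archives.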



- pmmail-list - The PMMail Dicussion List ---------------------------
To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
line of the message body being...
UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com