[pmmail-list] SirCam Virus Filtering Update

Kris Sorem Sr pmmail-list@blueprintsoftwareworks.com
Sat, 04 Aug 2001 13:44:40 -0700 (PDT)


On Fri, 03 Aug 2001 06:34:57 -0700, Dian Welle wrote:

>I'll tell you what, I receive the worm 7-10 times each day, and this
>simple filter has caught it 100% of the time for me, and never gotten a
>false pos.... yet. 

I am curious to know how you can make this statement. Have you checked
_every_ message this filter _does not_ catch? If it were this simple,
the anti-virus experts would have included it in their profiles. Maybe
you should send them your suggestion. 

Your simple filter does nothing more than check a message with an
attachment for an uncapitalized header date. Any message with an
attachment having an uncapitalized header date will be filtered whether
it is a w32.sircam worm message or not. I can prove this to you by
sending a message to you that _will be_ filtered but is not a
w32.sircam message. That would be a false positive. Should I? I have
been using ICSL filtering since its initial release with PMMail. Part
of my job is to protect customers' systems. I have been doing this type
of work for 27yrs. I offered a filter to this list that would as
accurately as possible catch a w32.sircam message. While you use this
simple filter, you will remain vulnerable to any w32.sircam message
that has a capitalized header date and you _could_ filter messages that
are _not_ w32.sircam messages.
--
JMO, 
/s/~Kris
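
An added example, not part of the original post: a small evaluation of the kind of rule discussed above, run over a constructed, labelled set of messages to show why "it caught every one I received" does not measure false positives or misses. It assumes "uncapitalized header date" means the header field name is written `date:`; the function names, addresses and sample messages are all constructed, and the "worm" label is only ground truth for the test set (the attachments are placeholder text).

```python
# Added example: evaluates the header-case heuristic on constructed messages.
from email import message_from_string

def make_msg(date_header, attach):
    """Build a constructed raw message; date_header is the literal header name."""
    head = ("From: a@example.test\nTo: b@example.test\n"
            f"{date_header}: Fri, 03 Aug 2001 06:34:57 -0700\nSubject: report\n"
            "MIME-Version: 1.0\n")
    if not attach:
        return head + "Content-Type: text/plain\n\nhello\n"
    return (head + 'Content-Type: multipart/mixed; boundary="B"\n\n'
            "--B\nContent-Type: text/plain\n\nsee attached\n"
            "--B\nContent-Type: application/octet-stream\n"
            'Content-Disposition: attachment; filename="report.doc"\n\n'
            "placeholder bytes\n--B--\n")

def simple_filter(raw):
    """Assumed rule: has an attachment AND a header literally named 'date'."""
    msg = message_from_string(raw)
    # Message.keys() preserves the header names exactly as they were written.
    lowercase_date = any(name == "date" for name in msg.keys())
    has_attachment = any(part.get_filename() for part in msg.walk())
    return lowercase_date and has_attachment

# Constructed, labelled corpus: (description, raw message, is_worm)
CORPUS = [
    ("worm, lowercase date", make_msg("date", True), True),
    ("worm, capitalized Date", make_msg("Date", True), True),
    ("benign, lowercase date", make_msg("date", True), False),
    ("benign, capitalized Date", make_msg("Date", True), False),
    ("benign, no attachment", make_msg("date", False), False),
]

def evaluate(corpus):
    """Confusion counts over the whole corpus, caught and uncaught mail alike."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for _, raw, is_worm in corpus:
        hit = simple_filter(raw)
        key = ("T" if hit == is_worm else "F") + ("P" if hit else "N")
        counts[key] += 1
    return counts

if __name__ == "__main__":
    print(evaluate(CORPUS))
```

Looking only at the filtered folder shows the TP and FP rows; the FN row appears only when the messages the filter did not catch are audited as well.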