[Snort-sigs] writing signatures from isolated viruses

Jason Haar Jason.Haar at ...651...
Thu Mar 25 17:58:01 EST 2004


On Thu, Mar 25, 2004 at 04:06:26PM -0700, Cory Hollingsworth wrote:
> Virus Wall has an option to quarantine Virus attachments.  Sadly the
> option doesn't isolate the entire email message so we lose the header
> information which could tell us where the file came from.
> ...
> I'm wondering if there is a way I could take a virus attachment which I
> know has infected our network and create a signature using that file to
> better isolate infected machines on our network.

Look at your problem again:

#1: You have an existing AV system that you don't like as it corrupts the
virus message to such an extent as to make forensics impossible

Fix: get something else. Seriously. I have a barrow to push on the matter:
I'm the author of Qmail-Scanner - a content-filter/AV scanner for Qmail.
Which I wrote because I was staggered by how bad I found the commercial
gateway scanners to be. (Of course I'm biased - but aren't we all? ;-). I'm
sure there are some commercial products that do a better job - but I know I
don't like what Trend does to messages.

#2: Sometimes viruses get through because Trend aren't quick enough out with
pattern files.

Fix: Well, "day zero" viruses will always affect *any* vendor product. The
best thing you can do is to run more than one AV over each message (i.e.
don't use vendor AV gateways as they'll only support their AV) - as it will
*on average* reduce "day zero" outbreaks from many hours to a few hours.
Then implement e-mail policies that block certain classes of e-mail - which
will also hopefully block a lot of these "day zero" viruses. Then ensure you
run nightly scans over your mail stores to clean up any viruses that got in
earlier that day.

End result: less virus issues to worry about - not none - but less :-)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
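An added example, not part of this thread and not code from Qmail-Scanner or Trend, illustrating the two defensive points raised above: a gateway policy that flags whole classes of attachment (by extension, and by content for renamed executables), and turning a quarantined sample into a Snort content match of the kind Cory asked about. The extension list, the rule options, the sample bytes and the 76-column base64 wrapping are all assumptions made here, not something the thread states.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment extensions that a "block this class of e-mail" gateway policy
# would reject outright (assumed list; adjust to local policy).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def classify_attachments(raw_message):
    """Parse a MIME message and flag attachments that look executable, either
    by extension or by content (a decoded payload beginning with the 'MZ'
    DOS/PE header, which catches renamed executables the extension check misses)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append({
            "filename": name,
            "by_extension": ext in EXECUTABLE_EXTENSIONS,
            "by_content": payload.startswith(b"MZ"),
            "size": len(payload),
        })
    return findings


def snort_content_from_sample(sample, offset, length):
    """Return the base64 text that bytes [offset, offset+length) of an attachment
    produce on the wire, usable as a Snort content: match on raw SMTP traffic.
    Both values must be multiples of 3 so the base64 phase matches what the
    sending MTA emits, and the region must not straddle a line break (this
    assumes the common 76-column wrapping of RFC 2045)."""
    if offset % 3 or length % 3:
        raise ValueError("offset and length must be multiples of 3")
    chunk = sample[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("sample shorter than requested region")
    b64 = base64.b64encode(chunk).decode("ascii")
    start_col = (offset // 3 * 4) % 76
    if start_col + len(b64) > 76:
        raise ValueError("region straddles a base64 line break; choose another offset")
    return b64


def snort_rule(sid, sample, offset, length, msg):
    """Wrap the content match in a minimal Snort rule for inbound SMTP (assumed
    rule options; sid is a placeholder in the local range)."""
    content = snort_content_from_sample(sample, offset, length)
    return ('alert tcp any any -> any 25 (msg:"%s"; flow:to_server,established; '
            'content:"%s"; classtype:trojan-activity; sid:%d; rev:1;)'
            % (msg, content, sid))


def build_sample_message():
    """Constructed test data: a fake PE-like file with a distinctive marker at
    byte 60, attached under a double-extension name. Returns (raw message, file)."""
    fake_exe = b"MZ" + b"\x90" * 58 + b"CONSTRUCTED-SAMPLE-MARKER-0001" + b"\x00" * 30
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="report.doc.pif")
    return msg.as_bytes(), fake_exe


if __name__ == "__main__":
    raw, sample = build_sample_message()
    for finding in classify_attachments(raw):
        print(finding)
    # Offset 60 skips the MZ/DOS header, which every Windows executable shares.
    print(snort_rule(1000001, sample, 60, 30, "constructed sample attachment"))
```

Two caveats worth keeping in mind when doing this for real: a content match taken from the first bytes of a PE file matches every Windows executable, so pick a region past the DOS header; and the same file bytes encode to different base64 text if the attachment is re-encoded at a different line length or sent as uuencode rather than base64, so the match only holds for the encoding you actually captured.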



