Koozali.org: home of the SME Server

How to configure ClamAv to remove .exe, .bat attachments

Offline hanscees

How to configure ClamAv to remove .exe, .bat attachments
« Reply #15 on: February 07, 2005, 09:18:54 PM »
Hi,

FYI, and for those that will search later on and find this.

If you add magic file-patterns "pattern" like this, it results in smtpfront doing a grep like this: "^pattern*" on your incoming mail. Therefore if you send an email with such a line in it, attachment or not, it will be denied.

For example:
You block "ttttuuuuvvvv".
Any email with two lines in it like this:
[empty line]
ttttuuuuvvvv

will be blocked. (There has to be an empty line in it.)

It ends up in /var/qmail/control/patterns.default.

Via /home/e-smith/mailpatterns

Hans-Cees
nl.linkedin.com/in/hanscees/

Offline raem

How to configure ClamAv to remove .exe, .bat attachments
« Reply #16 on: March 26, 2005, 12:59:30 PM »
Dear hanscees

I wanted to answer you earlier, but I have been busy with other things.

> I thought it would block all exes. I added
> ghost.exe (dos exe), but it did not stop anything.

It does not block all exe files as such, but blocks patterns that represent executable code; it so happens that many (most) exe files match the code (as you would expect they should do).

> What would be a good test?

Any type of file that matches one of the patterns.
Win2000 C:/WINNT/explorer.exe gets blocked.


> I take it that the most dangerous things are added in the database?

Not the most dangerous as such (although they are) but patterns of files that have been used by virus writers, whatever type of file they are; exe, bat, gif, scr, zip (v1). The file type is not recognised but the pattern is. Virus writers will masquerade the exe file as a gif for example.
I'd say the most commonly known about patterns are in the default database. I'm seeing a few more "new" patterns appearing in viruses.


> Tip to find the magic of a file: send it by email
> and watch the email as raw.

You can also see it in the Message Source of email messages, which I think is the same as you are suggesting.
Alternatively, if you have clamav installed as a backup virus scanner (which is still recommended), then any viruses that are not identified by pattern matching will be (hopefully) detected by clamav and end up in the /var/spool/amavis-ng/quarantined folder. Look at the *.msg file to see the "pattern magic". Look in the *.log file to see the type of virus that has been detected.


> A question remaining is how exactly the magic is
> checked, will tv00 block tv00aas and so on?
> Or do you need an exact match??


A message will be blocked if a pattern is matched, therefore if your pattern is tv00 then that will block tv00 or tv00aas or tv00aasrrrtyui.
It will not block tv0 as that does not match the minimum pattern. The "trick" is to ensure the pattern is long enough (reduces statistical error dramatically) and truly representative of the virus.
Patterns of 9 characters length give a very high rate of accuracy.


> you block "ttttuuuuvvvv"
> any email with two lines in it like this:
> [empty line]
> ttttuuuuvvvv
> will be blocked. (there has to be an empty line in it.)

That appears to be correct. It is as if the system is detecting that pattern in the message. If you look at messages you will see that that is the arrangement of the code pattern in most messages, i.e. blank line followed by code pattern on the next line.

If you want to send some bits of pattern code in a message, just precede it with any character, e.g.

[blank line]
"TVAAAA

or don't have a blank line in front of it, e.g.

text text text
TVAAAA


> That must be wrong surely! Is that a bug?

No, I think it's a "feature" !!

I'll look at your patterns and that link in more detail later.

Thanks
...

daley
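A small emulation of the matching rule the two posts above describe (hanscees's "^pattern" grep on a line after an empty line, and raem's points that tv00 also matches tv00aas and that patterns should be long enough), useful for checking candidate patterns against a saved raw message before adding them to /home/e-smith/mailpatterns. This is an added example, not SME Server or qmail code; the exact rule (prefix match on a line directly following a blank line), the sample patterns and the sample messages are assumptions reconstructed from the thread.

```python
# Added example: emulates the pattern check as DESCRIBED in this thread so a
# candidate pattern can be tested offline. It is NOT the SME Server / qmail
# implementation. Assumed rule (reconstructed from the posts): a message is
# rejected when some line STARTS with a pattern (prefix match, like grep
# "^pattern") and that line directly follows an empty line.
from typing import List, Optional


def load_patterns(text: str) -> List[str]:
    """Parse a patterns file: one pattern per line, blank lines and '#' comments skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def matching_pattern(raw_message: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern that would block raw_message, or None."""
    lines = [ln.rstrip("\r") for ln in raw_message.split("\n")]  # tolerate CRLF
    for i in range(1, len(lines)):
        if lines[i - 1] != "":          # the pattern line must follow an empty line
            continue
        for p in patterns:
            if lines[i].startswith(p):  # prefix match: "tv00" also hits "tv00aas"
                return p
    return None


def would_block(raw_message: str, patterns: List[str]) -> bool:
    return matching_pattern(raw_message, patterns) is not None


def short_patterns(patterns: List[str], min_len: int = 9) -> List[str]:
    """Patterns shorter than the ~9 characters raem recommends (false-positive risk)."""
    return [p for p in patterns if len(p) < min_len]


# Constructed sample patterns file (not the real default database).
PATTERNS = load_patterns("# test patterns\nttttuuuuvvvv\ntv00\nTVAAAA\n")

# Constructed raw messages covering the cases walked through in the thread.
BLOCKED_BLANK_THEN_PATTERN = "Subject: test\r\n\r\nttttuuuuvvvv\r\n"
PASSES_NO_BLANK_BEFORE = "Subject: test\r\n\r\ntext text text\r\nTVAAAA\r\n"
PASSES_PRECEDED_BY_CHAR = "Subject: test\r\n\r\n\"TVAAAA\r\n"
BLOCKED_LONGER_THAN_PATTERN = "Subject: x\r\n\r\ntv00aasrrrtyui\r\n"
PASSES_SHORTER_THAN_PATTERN = "Subject: x\r\n\r\ntv0\r\n"

if __name__ == "__main__":
    for name, msg in [("blank+pattern", BLOCKED_BLANK_THEN_PATTERN),
                      ("no blank before", PASSES_NO_BLANK_BEFORE),
                      ("preceded by char", PASSES_PRECEDED_BY_CHAR),
                      ("longer than pattern", BLOCKED_LONGER_THAN_PATTERN),
                      ("shorter than pattern", PASSES_SHORTER_THAN_PATTERN)]:
        print(f"{name:22s} -> {matching_pattern(msg, PATTERNS)}")
    print("short patterns:", short_patterns(PATTERNS))
```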