On Tue, 22 Nov 2005, Cami wrote:

> One thing we know, when outbreaks happen, they `normally` are in tidal waves. ClamAV already unpacks all attachments for scanning; if we were to keep a hash for each attachment in a database and monitor the rate of incoming MD5 hashes, we could detect when an outbreak has happened. I.e., if an incoming executable/pif/<whatever criteria> is seen more than 1000 times in the period of 5 minutes, a quarantine of the mail can take place, or it can be submitted automatically (provided it's under N size, Y file type, etc.). ClamAV can use the same method DCC uses, and talk to a network of ClamAV servers (distributed) whose sole responsibility is to keep track of these MD5 hashes. Hashes expire after 15 minutes, for example. This would allow you to keep millions and millions of file hashes without having any slowdown in hash lookups.
So I email full-disclosure with calc.exe as an attachment. Thousands of mailing list subscribers receive the message at about the same time, it matches your criteria of being a rapidly-spreading executable, and the calculator gets added to the database. Then regular users running clam out of cron get their calculators deleted. :)
Damian Menscher
--
-=#| <[EMAIL PROTECTED]>  www.uiuc.edu/~menscher/  Ofc:(650)253-2757 |#=-
-=#| The above opinions are not necessarily those of my employers.   |#=-
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
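The rate-counting scheme Cami sketches, modelled as an added single-node example that is not code from this thread or from ClamAV: a sliding 5-minute window of sightings per MD5 digest, a 1000-hit threshold, and expiry of digests idle for 15 minutes. The constructed traffic run also reproduces Damian's objection: a benign file mass-mailed to a list crosses the same threshold as a spreading worm, because the counter only sees popularity, not maliciousness. The `known_good` allowlist is my assumption of one mitigation, not something proposed in the thread; the distributed DCC-style server network is not modelled, and all digests, counts and timings below are constructed.

```python
import hashlib
from collections import defaultdict, deque


class HashRateMonitor:
    """Per-digest sliding-window counter with idle expiry (toy model, not ClamAV code)."""

    def __init__(self, window_seconds=300, threshold=1000, expire_seconds=900,
                 known_good=None):
        self.window = window_seconds        # counting window: 5 minutes in the thread
        self.threshold = threshold          # hits per window that count as an outbreak
        self.expire = expire_seconds        # forget idle digests after this: 15 minutes
        self.known_good = set(known_good or ())  # assumed allowlist, not in the thread
        self.seen = defaultdict(deque)      # digest -> timestamps of recent sightings

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.md5(data).hexdigest()

    def record(self, data: bytes, now: float) -> int:
        """Register one sighting at time `now`; return sightings inside the window."""
        q = self.seen[self.digest(data)]
        q.append(now)
        while q and now - q[0] > self.window:   # drop sightings older than the window
            q.popleft()
        return len(q)

    def is_outbreak(self, data: bytes, now: float) -> bool:
        """True when the digest crossed the threshold and is not allowlisted."""
        hits = self.record(data, now)
        return self.digest(data) not in self.known_good and hits >= self.threshold

    def expire_idle(self, now: float) -> int:
        """Drop digests with no sighting in the last `expire` seconds; return how many."""
        idle = [d for d, q in self.seen.items() if not q or now - q[-1] > self.expire]
        for d in idle:
            del self.seen[d]
        return len(idle)


def simulate() -> dict:
    """Constructed traffic: a worm seen 1200 times in 4 minutes, a low-volume
    benign file, and a benign file mass-mailed to 1500 list subscribers."""
    worm = b"MZ-constructed-worm-sample"      # stand-in for a spreading executable
    report = b"MZ-constructed-quarterly-report"
    calc = b"MZ-constructed-calc.exe"         # stand-in for Damian's calculator example

    plain = HashRateMonitor()
    with_allowlist = HashRateMonitor(known_good={HashRateMonitor.digest(calc)})

    worm_flagged = False
    for i in range(1200):                     # 1200 copies over 240 s: crosses 1000 hits
        worm_flagged |= plain.is_outbreak(worm, i * 0.2)

    report_flagged = False
    for i in range(5):                        # 5 copies in 5 minutes: stays quiet
        report_flagged |= plain.is_outbreak(report, i * 60.0)

    calc_flagged_plain = calc_flagged_allowlist = False
    for i in range(1500):                     # 1500 copies over 150 s: the false positive
        calc_flagged_plain |= plain.is_outbreak(calc, i * 0.1)
        calc_flagged_allowlist |= with_allowlist.is_outbreak(calc, i * 0.1)

    # 20 minutes after the burst every digest is idle and gets forgotten.
    expired = plain.expire_idle(now=1200.0)

    return {
        "worm_flagged": worm_flagged,
        "report_flagged": report_flagged,
        "calc_flagged_plain": calc_flagged_plain,
        "calc_flagged_allowlist": calc_flagged_allowlist,
        "expired": expired,
        "remaining": len(plain.seen),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The deque per digest keeps lookups O(1) and memory bounded by the window, which is the property the proposal relies on; the run shows that the threshold alone cannot tell a worm from a legitimately popular attachment, so any automatic quarantine or deletion needs a second signal (an allowlist, a submission-and-review step, or scan-time confirmation) before acting.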