Damian Menscher wrote:
On Tue, 22 Nov 2005, Cami wrote:

One thing we know, when outbreaks happen, they `normally` are in
tidal waves. ClamAV already unpacks all attachments for scanning,
if we were to keep a hash for each attachment in a database
and monitor the rate of incoming MD5 hashes, we could detect when
an outbreak has happened.

I.e., if an incoming executable/pif/<whatever criteria> is seen
more than 1000 times in the period of 5 minutes, a quarantine
of the mail can take place, or it can be submitted automatically
(provided it's under N size, Y file type, etc.)

ClamAV can use the same method DCC uses, and talk to a network
of ClamAV servers (distributed) whose sole responsibility is
to keep track of these MD5 hashes. Hashes expire after 15 minutes,
for example. This would allow you to keep millions and millions
of file hashes without having any slowdown in hash lookups.

So I email full-disclosure with calc.exe as an attachment. Thousands of mailing list subscribers receive the message at about the same time, it matches your criteria of being a rapidly-spreading executable, and the calculator gets added to the database. Then regular users running clam out of cron get their calculators deleted. :)

Like I said, it can be submitted automatically for analysis,
which is proactive instead of taking the reactive approach
and waiting for infection to take place and keep taking place
where someone has to submit it manually.

Think outside the box. There are so many possibilities one
can come up with to prevent false positives.

Cami
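The rate-based scheme from the thread (MD5 per attachment, sliding 5-minute window, 15-minute expiry, more than 1000 sightings triggers) together with the calc.exe false-positive objection, as an added illustration that is not code from Cami, Damian or the ClamAV project. The tracked extensions, the size cap and the allowlist of known-good hashes are assumptions; the sample attachment bytes are constructed.

```python
import hashlib
from collections import defaultdict, deque

# Parameters taken from the thread: more than 1000 copies within
# 5 minutes triggers, and a hash is forgotten 15 minutes after last sight.
DEFAULT_THRESHOLD = 1000
WINDOW_SECONDS = 5 * 60
EXPIRY_SECONDS = 15 * 60
TRACKED_EXTENSIONS = (".exe", ".pif", ".scr", ".com")   # assumed "Y file type"
MAX_SIZE = 1_000_000                                     # assumed "N size" cap


def md5_hex(payload):
    """Hash of the unpacked attachment bytes, the key the counters use."""
    return hashlib.md5(payload).hexdigest()


class OutbreakDetector:
    """Sliding-window sighting counter keyed by attachment MD5."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, window=WINDOW_SECONDS,
                 expiry=EXPIRY_SECONDS, allowlist=()):
        self.threshold = threshold
        self.window = window
        self.expiry = expiry
        self.allowlist = set(allowlist)   # known-good hashes (assumed list)
        self.seen = defaultdict(deque)    # md5 -> ascending sighting times

    def rate(self, digest, now):
        """Number of sightings of this hash inside the rate window."""
        return sum(1 for t in self.seen[digest] if now - t <= self.window)

    def observe(self, filename, payload, now):
        """Record one sighting (timestamps in seconds) and return a verdict."""
        if not filename.lower().endswith(TRACKED_EXTENSIONS) or len(payload) > MAX_SIZE:
            return "not-tracked"
        digest = md5_hex(payload)
        times = self.seen[digest]
        times.append(now)
        # Drop sightings older than the expiry so the table stays bounded.
        while times and now - times[0] > self.expiry:
            times.popleft()
        if self.rate(digest, now) <= self.threshold:
            return "pass"
        # Rate exceeded: a known-good file mailed to a big list (calc.exe)
        # is not an outbreak; anything else is held and sent for analysis.
        return "allowlisted" if digest in self.allowlist else "quarantine"
```

Holding the mail and submitting the sample keeps the decision reversible; deleting on the first rate spike is what turns the calc.exe case into lost mail.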
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html