Re: zero-hour protection

Lars Roland wrote:
> On 11/22/05, sj@xxxxxxxxxx <sj@xxxxxxxxxx> wrote:
> > I would like to know whether you plan to extend clamav with a "zero-hour"
> > like signatureless virus detection. Some info about the idea can be found
> > here: http://www.commtouch.com/site/OEM/zero_hour.asp
>
> I am sorry but I fail to see what we could ever use this for also I
> have serious doubt about there claim that they are "proactively
> scanning the Internet " - they gotta have access to a hole lot of
> servers in order to do this.
>
> We could perhaps extend clam with certain heuristics allowing clam
> users to report suspicious code at a early stage for examination - but
> one problem with scanning heuristics is that they often rely one
> information gathered while researching the internals of a virus and
> thus if these characteristics are made public available virus writers
> will try to work around them.

There are other vectors to cover instead of taking the heuristics
route.

One thing we know, when outbreaks happen, they `normally` are in
tidal waves. ClamAV already unpacks all attachments for scanning,
if we were to keep a hash for each attachment in a database
and monitor the rate of incoming MD5 hashes, we could detect when
an outbreak has happened.

Ie, if we have an incoming executable/pif/<whatever criteria>
is seen more than 1000 times in the period of 5 minutes, a
quarantine of the mail can take place, or it can be submitted
automatically (provided its under N size, Y file type, etc..)

ClamAV can use the same method DCC uses, and talk to a network
of ClamAV servers (distributed) who's sole responsibility is
to keep track of these MD5 hashes. Hashes expire after 15 minutes
for example. This would allow you to keep millions and millions
of file hashes without having any slowdown in hash lookups.

Cami
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html