The simplest, most reliable thing for Mcafee would probably be for Declude to
understand the /BADLIST file.  It would be a Mcafee specific enhancement, but
would be easier to parse.

Another option would be multiple REPORT lines ideally with regular expression
support.

But to suit my needs, all I'd really like is an option to attach the report
file to the notification as well.  Maybe with a simple "search and replace"
conversion of the Declude file names with the true attachment names.  Even
just a "conversion table" as a separate attachment would be fine with me.

Jerry


----- Original Message -----
From: "Gary K. Cuppett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 23, 2001 8:53 PM
Subject: [Declude.Virus] Investigative Reporting???


> Declude Virus 1.16b
> McAfee Scanner
>
> ... on a test system I un-mimed about 150 virused
> e-mails, scanned them and discovered a pattern.
> Given the selected output below, the only reliable
> setting you should use in your config file is
> "REPORT Found" (without the quotes).
>
>         Found the W32/Navidad trojan !!!
>         Found the W97M/Thus.gen virus !!!
>         Found virus or variant W97M/Thus.gen !!!
>         Found: EICAR test file NOT a virus.
>
> Note:  There may be other variations on what
> gets logged in the McAfee report file that I've
> not encountered yet.
>
> You should not use "REPORT Found:" -or-
> "REPORT Found: " ... they will not match the
> string returned when encountering real viruses ...
> they ONLY match the EICAR test.
>
> The string returned in %VIRUSNAME%, for each
> example above, would then be:
>
>  the W32/Navidad trojan !!!
>  the W97M/Thus.gen virus !!!
>  virus or variant W97M/Thus.gen !!!
> : EICAR test file NOT a virus.
>
> Not particularly pretty so what I did was
> change my EML files to accommodate the McAfee
> rhetoric, something like:
>
> Your e-mail was scanned and the scanner reported:
> Found%VIRUSNAME%
>
> In this way, I've inserted the word "Found" back
> into the McAfee sentence so it at least looks right.
>
> Declude.exe --could-- isolate just the virus name
> itself but I suspect that would be a --LOT!-- of work
> for Scott.
>
> Anyway, %VIRUSNAME% seems to be working perfectly now.
>
>
> While testing I noticed the %VIRUSFILE% variable remains broken.
> It appears, in the McAfee report file, that the file name
> is always in the line preceding the "Found" line and
> is the last thing on the line after the last backslash (\)
> character.
>
>
> [ This E-mail came from the Declude.Virus mailing list.  To     ]
> [ unsubscribe, just send an E-mail to [EMAIL PROTECTED], and ]
> [ type "unsubscribe Declude.Virus yourname".  You can E-mail    ]
> [ [EMAIL PROTECTED] for assistance.  You can visit our web   ]
> [ site at http://www.declude.com .                              ]

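As an added illustration of the matching rule and the file-name location described in the quoted message (this is not Declude's or McAfee's code), here is a small Python parser run over a constructed McAfee-style report. The "Scanning" prefix, the spool paths and the one-path-line-then-one-verdict-line layout are assumptions made for the sample.

```python
import re

# Constructed sample of a McAfee report file, laid out as the thread
# describes: the scanned file's path on one line, the "Found" verdict on
# the next. Paths and the "Scanning" prefix are assumed, not real output.
SAMPLE_REPORT = """\
Scanning C:\\IMail\\spool\\proc\\work\\D123.tmp\\attach1.exe
Found the W32/Navidad trojan !!!
Scanning C:\\IMail\\spool\\proc\\work\\D124.tmp\\report.doc
Found virus or variant W97M/Thus.gen !!!
Scanning C:\\IMail\\spool\\proc\\work\\D125.tmp\\eicar.com
Found: EICAR test file NOT a virus.
"""

def declude_virusname(line, report_key):
    """Mimic a 'REPORT <key>' line: if the report line starts with the key,
    %VIRUSNAME% is whatever follows it; otherwise the line is not a hit."""
    if line.startswith(report_key):
        return line[len(report_key):]
    return None

def parse_report(text, report_key="Found"):
    """Walk the report, pairing each REPORT hit with the file name taken
    from after the last backslash on the preceding line."""
    hits = []
    prev = ""
    for line in text.splitlines():
        name = declude_virusname(line, report_key)
        if name is not None:
            filename = prev.rsplit("\\", 1)[-1] if "\\" in prev else prev
            hits.append((filename, name))
        prev = line
    return hits

def count_hits(text, report_key):
    """How many report lines a given REPORT key would match."""
    return len(parse_report(text, report_key))

# Wording variants quoted in the thread; anything else is left as-is.
NAME_PATTERNS = [
    re.compile(r"^\s*the (\S+) (?:trojan|virus) !!!$"),
    re.compile(r"^\s*virus or variant (\S+) !!!$"),
]

def isolate_name(virusname):
    """Best-effort reduction of %VIRUSNAME% to the bare detection name."""
    for pat in NAME_PATTERNS:
        m = pat.match(virusname)
        if m:
            return m.group(1)
    return virusname.strip(" :")
```

Running count_hits with "Found" versus "Found:" reproduces the point made in the thread: the colon form only matches the EICAR line.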
