Lucas,

No problem, wish I could have helped more. I am happy that the novarg test
didn't break things...

I have found a better way of doing the same thing.

    # Novarg Detection - PWhittney V1.1 2/25/04
    #
    if (lc($ext) =~ /zip/) {
        my $lines = $entity->body();
        my $found = 0;
        if (scalar( @$lines )) {
            # It has lines. Test the first one against the base64
            # encoding of the start of the zip file.
            my $line = $lines->[0];
            $found = ( ($line =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) ||
                ($line =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/) );
        }
        if ($found) {
            md_graphdefang_log('virus', "Found NoVarg Virus");
            # Change this if you don't want the subject changed:
            action_change_header('Subject', '[VIRUS?] ' . $Subject);
            action_delete_all_headers('X-Virus-Status');
            action_add_header('X-Virus-Status', "Yes, name=NoVarg");
            action_drop_with_warning(
                "Dropped $fname ($type) containing virus NoVarg."
            );
            action_quarantine($entity,
                "A known virus signature was detected, and removed\n");
            return;
        }
    }
    # end of novarg code

I'm trying to see if I can match the netsky virus the same way, but all I can
find is the EXE format, which mimedefang strips out. I'm just trying to avoid
decompressing anything, when I could match the base64 encoding... Currently
looking into Scan.pm to see if I could add parts of a zip to the scanner.

Hope this helps someone, I'm not protecting many email accounts, but the 
novarg code found 900 messages this month alone, and I've verified the 
data to be the NovArg virus, so all those bounced failure messages didn't
contain the virus... phew.

-Paul

On Thu, Feb 26, 2004 at 11:54:53AM -0800, [EMAIL PROTECTED] wrote:
> Well I figured out that it has nothing to do with the Novarg code. I removed it 
> completely and the problem still occurred. However, after increasing the busy 
> timeout to 600 on the multiplexor, I have seen no more instances of the 
> problem. Thanks for your help, Paul and Michael.
> 
> Lucas
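
Why the `.{6}` wildcard sits where it does in the regexes above, as an added example that is not part of the original post: it decodes a first base64 line into the 30-byte ZIP local file header and shows that the modification time and date bytes land in base64 characters 13-18, while the fields around them stay fixed. The helper names, the sample file name, and the CRC and size values are constructed for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Decode the first base64 line of a part and unpack the 30-byte ZIP local
# file header. Returns a hashref, or undef if the line is not a ZIP start.
sub zip_local_header {
    my ($line) = @_;
    return undef unless defined $line;
    $line =~ s/\s+\z//;
    my $usable = length($line) - length($line) % 4;   # whole 4-char groups only
    return undef if $usable < 40;                      # 40 chars decode to 30 bytes
    my $raw = decode_base64(substr($line, 0, $usable));
    return undef if length($raw) < 30;
    my %h;
    @h{qw(sig version flags method time date crc32 csize usize namelen extralen)}
        = unpack('a4 v5 V3 v2', $raw);
    return $h{sig} eq "PK\x03\x04" ? \%h : undef;
}

# Constructed sample: one stored (method 0) member, packed with a given
# DOS time/date pair. CRC, size and file name are made-up values.
sub sample_line {
    my ($time, $date) = @_;
    my $hdr = pack('a4 v5 V3 v2', "PK\x03\x04", 10, 0, 0, $time, $date,
                   0x12345678, 1000, 1000, 10, 0) . "sample.bin" . ("\0" x 17);
    return encode_base64($hdr, '');
}

my ($x, $y) = (sample_line(0x6A21, 0x305A), sample_line(0x0B10, 0x2C21));

# Bytes 10-13 (time, date) fall inside base64 chars 13-18; that is the
# span a ".{6}" wildcard has to cover. The text on either side is stable.
printf "chars  0-12 equal: %s\n", substr($x, 0, 13) eq substr($y, 0, 13) ? 'yes' : 'no';
printf "chars 13-18 equal: %s\n", substr($x, 13, 6) eq substr($y, 13, 6) ? 'yes' : 'no';
printf "chars 19-33 equal: %s\n", substr($x, 19, 15) eq substr($y, 19, 15) ? 'yes' : 'no';

# The same decision made on decoded fields instead of on base64 text,
# including inputs that are too short or missing.
for my $line ($x, $y, "not base64 zip data", undef) {
    my $h = zip_local_header($line);
    if ($h && $h->{method} == 0 && $h->{crc32} == 0x12345678 && $h->{csize} == 1000) {
        printf "match: stored member, crc32=%08x, size=%d\n", @$h{qw(crc32 csize)};
    } else {
        print "no match\n";
    }
}
```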