Re: [Qmail-scanner-general]Blocking Sobig without notifing the sender

Salvatore Toribio Wed, 27 Aug 2003 16:35:59 +0000

I might be a little insane but how does this not already work? If I turn on debugging for my qmail-scanner instalation I get this: .....

27/08/2003 11:44:57:14859: p_s: checking movie0045.pif against perlscanner database... 27/08/2003 11:44:57:14859: p_s: file movie0045.pif is lowercased to movie0045.pif and has extension .pif 27/08/2003 11:44:57:14859: p_s: compare movie0045.pif against perlscanner database 27/08/2003 11:44:57:14859: p_s: finished scan of dir "/var/spool/qmailscan/mail.highspd.net106199909751314859" in 0.003628 secs

.......

27/08/2003 11:44:57:14859: trophie: starting scan of directory "/var/spool/qmailscan/mail.highspd.net106199909751314859"... 27/08/2003 11:44:57:14859: There be a virus! (WORM_SOBIG.F.DAM) 27/08/2003 11:44:57:14859: trophie: finished scan of dir "/var/spool/qmailscan/mail.highspd.net106199909751314859" in 0.00697 secs

Obviously you can use your antivirus scanner (trophie) to stop the virus. The scanner is a pretty load for the cpu, so you can block some attachments that only could be a virus with the list in the file quarantine-attachments.txt for example:

.hta    0       HTA files not allowed per Company security policy
.lnk    0       LNK files not allowed per Company security policy
.pif    0       PIF files not allowed per Company security policy
.scr    0       SCR files not allowed per Company security policy
.vbs    0       VBS files not allowed per Company security policy
.wsh    0       WSH files not allowed per Company security policy
.bat    0       COMMAND.COM batch file not allowed per Company security policy
.com    0       COM not allowed per Company security policy

This is a little bit faster than using an antivirus scanner, but in this case the pif files with sobig will be notified to the faked sender, and this is no good (at least for me).

To avoid this you would add the lines with the attachmet from sobig to the list. If you wish this is only cosmetic.

In the other hand, this will stop a new virus before your antivirus add it to its library. But...

Salvatore


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general

Re: [Qmail-scanner-general]Blocking Sobig without notifing the sender

Reply via email to