Re: [Mimedefang] New .zip virus?

2004-01-27 Thread Brent J. Nordquist
On Mon, 26 Jan 2004, Brent J. Nordquist [EMAIL PROTECTED] wrote:

> So far the ZIP ones are all between 22640 and 22798 bytes inclusive.
> Can someone post a quick example on how to test an attachment's size?

After some archive digging here's what I arrived at, if it's useful to
anyone else.  I've tested it with the edge cases for size and it seems to
work fine.  This could be tightened further (zip will be 22640-22798, and
the others will only be 22528) but I think this is close enough for an
outbreak.  This goes in sub filter after the virus section:

my $virre = qr/\.(pif|scr|exe|cmd|bat|zip)$/;
if (re_match($entity, $virre)) {
    my $size = (stat($entity->bodyhandle->path))[7];
    if ($size >= 22528 && $size <= 22798) {
        $VirusName = 'W32/[EMAIL PROTECTED]';
        md_graphdefang_log('virus', $VirusName, $RelayAddr);

        # Discard the mail!  Notify the administrator.
        action_discard();
        action_notify_administrator("A known virus ($VirusName) was discovered and deleted.\nThe relaying machine was $RelayAddr\n");

        # But quarantine the message for examination later.  Comment
        # the next line out if you don't want to bother.
        action_quarantine_entire_message("The $VirusName virus was discovered; message discarded.\n");

        return;
    }
}

-- 
Brent J. Nordquist [EMAIL PROTECTED] N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Request for help: Virus-scanner invocation review [was Re: New .zip virus]

2004-01-27 Thread Cormack, Ken
I'd like to see it call multiple scanners, if installed.  :)

I use Central Command's Vexira here (the server version), David, and the
flags you use appear to be working fine.

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Tuesday, January 27, 2004 8:16 AM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] Request for help: Virus-scanner invocation review
[was Re: New .zip virus]


On Tue, 27 Jan 2004, Kevin A. McGrail wrote:

> Add the --mime switch to detect MIME encoded virus's.

I'm planning on a 2.40 release soon.  Would all virus-scanner owners please
review how MD invokes the scanner and suggest improvements?  I do not
own/use any virus-scanning software, so I rely on you folks to tell me
how to invoke it correctly.

Regards,

David.


[Mimedefang] [semi-OT] mailbox cleaning tool?

2004-01-27 Thread Ole Craig

I just ran the updated clamscan on my /var/spool/mail
directory, and came up with several dozen mailboxes that are infected.
Anyone know of a command-line tool I could use that would properly
lock said spools, scan each message within, delete those with viruses,
and then rebuild the spools in standard mbox format? I can probably
write such a thing, but it seems such an obvious Perl hack that I'm
thinking someone *must* have done it already and I hate reinventing
wheels (maybe because mine never seem to be quite round... :-)

Ole
-- 
Ole Craig * UNIX, linux, SMTP-ninja; news, web; SGI martyr * CS Computing
Facility, UMass * www.cs.umass.edu/~olc/pgppubkey.txt for public key
[...] Oh, shed thy mercy and thy grace / On those who venture into space.
(R. A. Heinlein)


Re: [Mimedefang] [semi-OT] mailbox cleaning tool?

2004-01-27 Thread -ray
On Tue, 27 Jan 2004, Ole Craig wrote:

 
>   I just ran the updated clamscan on my /var/spool/mail
> directory, and came up with several dozen mailboxes that are infected.
> Anyone know of a command-line tool I could use that would properly
> lock said spools, scan each message within, delete those with viruses,
> and then rebuild the spools in standard mbox format? I can probably
> write such a thing, but it seems such an obvious Perl hack that I'm
> thinking someone *must* have done it already and I hate reinventing
> wheels (maybe because mine never seem to be quite round... :-)

Look at the perl manpages for Mail::Box and Mail::Box::Manager.  That's 
what we use for stuff like that.  It is pretty simple to use, even if you 
don't know perl that well.

ray
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean   http://www.r-a-y.org
Systems EngineerSoutheastern Louisiana University
IBM Certified Specialist  AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


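An added example of the spool-cleaning loop Ole describes, written in Python with the standard mailbox module rather than Mail::Box (this is not code from the thread or from either module's documentation). Locking the spool, scanning each message, deleting the flagged ones and rewriting the file in mbox format are the steps Ole listed; the infection test is a constructed stand-in for a real scanner (it flags executable attachment names), and the three-message spool is constructed test data.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

BAD_EXTS = (".pif", ".scr", ".exe", ".bat", ".cmd")


def looks_infected(msg):
    """Constructed stand-in for a real scanner (clamscan in the thread):
    flag any message carrying an attachment with an executable extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BAD_EXTS):
            return True
    return False


def clean_mbox(path, is_infected=looks_infected):
    """Lock the mbox at `path`, drop every message is_infected() flags,
    and rewrite the spool.  Returns (kept, removed)."""
    box = mailbox.mbox(path)
    removed = 0
    box.lock()                 # dot-lock plus fcntl lock, as an MDA would take
    try:
        for key in list(box.keys()):   # snapshot: we mutate while iterating
            if is_infected(box[key]):
                box.remove(key)
                removed += 1
        box.flush()            # writes a fresh mbox and renames it over the spool
        kept = len(box)
    finally:
        box.unlock()
        box.close()
    return kept, removed


def build_sample_spool(directory):
    """Constructed test data: three messages, one carrying a .pif attachment."""
    path = os.path.join(directory, "alice")
    box = mailbox.mbox(path, create=True)
    for subject, attachment in (("hello", None),
                                ("Mail Delivery System", "document.pif"),
                                ("lunch", "notes.txt")):
        msg = EmailMessage()
        msg["From"] = "[email protected]"
        msg["To"] = "[email protected]"
        msg["Subject"] = subject
        msg.set_content("body text\n")
        if attachment:
            msg.add_attachment(b"\x00" * 16, maintype="application",
                               subtype="octet-stream", filename=attachment)
        box.add(msg)
    box.flush()
    box.close()
    return path


def run_demo():
    """Build the sample spool in a temp dir, clean it, and report
    ((kept, removed), [remaining subjects])."""
    with tempfile.TemporaryDirectory() as tmp:
        path = build_sample_spool(tmp)
        counts = clean_mbox(path)
        remaining = [m["Subject"] for m in mailbox.mbox(path)]
    return counts, remaining


if __name__ == "__main__":
    print(run_demo())
```

To use it on a real spool, pass a predicate that hands each message to the scanner instead of `looks_infected`; the snapshot of keys and the flush-before-unlock order are what keep the rewrite consistent if mail arrives while the loop runs.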


Re: [Mimedefang] New .zip virus?

2004-01-27 Thread mfaurot
In article [EMAIL PROTECTED] you wrote:
> Make sure you have the settings on to scan through zip files, and you
> are running freshclam frequently.

I'm running the current stable version of ClamAV (0.65) and have
freshclam checking for updates several times a day.  I was looking
through clamav.conf(5) and I see no configuration options which pertain
specifically to .zip archives/files.  Are you referring to the more
generic option StreamSaveToDisk?

I have StreamSaveToDisk and the ScanMail option enabled, and clamd
appears to have successfully caught one of these viruses for me recently,
according to the clamd log file:

Tue Jan 27 02:44:48 2004 - 
/var/spool/MIMEDefang//mdefang-i0R7iimN013306/Work/msg-11120-148.zip: Worm.SCO.A FOUND

So it would seem that MD v2.39 and ClamAV (in daemon mode) will catch
this new virus.



Re: [Mimedefang] New .zip virus?

2004-01-27 Thread Lucas Albers

Kevin A. McGrail said:
> Step 4: Enable MIME Scanning
>
>   modify line 2121 in /usr/local/bin/mimedefang.pl to have --mime:
>
> run_virus_scanner($Features{'Virus:NAI'} .
>     " --noboot --mime --secure --allole $path 2>&1", "Found");
>
> Regards,
> KAM
Should MD 2.40 have this modification in it?
Note: Older versions of uvscan do not appear to support this switch.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Mimedefang] mimedefang.sock error

2004-01-27 Thread Stephen Smoogen
On Mon, 2004-01-26 at 17:47, Mail Administrator wrote:
> Stephen Smoogen wrote:
>> Could you send the following extra info to the list just so that people
>> can help:
> At this point, it is back to working. I shut down sendmail and let it sit
> for a couple minutes (after Googling and finding a relevant entry in the
> comp.mail.sendmail archives) and when sendmail restarted it magically
> started working again.
>
> Now, the only question is, "Why did it fall down in the first place?"
>
> -Loren

Magical things like this are usually a sendmail or mimedefang process
that didn't clean itself up fast enough. If it happens again, do a ps
-auxww and look for any Z or D mimedefang/sendmail processes.

-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



Re: [Mimedefang] New .zip virus?

2004-01-27 Thread dimon
Quoting [EMAIL PROTECTED]:

> In article [EMAIL PROTECTED] you wrote:
>> Make sure you have the settings on to scan through zip files, and you
>> are running freshclam frequently.
>
> I'm running the current stable version of ClamAV (0.65) and have
> freshclam checking for updates several times a day.  I was looking
> through clamav.conf(5) and I see no configuration options which pertain
> specifically to .zip archives/files.  Are you referring to the more
> generic option StreamSaveToDisk?
>
> I have StreamSaveToDisk and the ScanMail option enabled, and clamd
> appears to have successfully caught one of these viruses for me recently,
> according to the clamd log file:
>
> Tue Jan 27 02:44:48 2004 -
> /var/spool/MIMEDefang//mdefang-i0R7iimN013306/Work/msg-11120-148.zip:
> Worm.SCO.A FOUND
>
> So it would seem that MD v2.39 and ClamAV (in daemon mode) will catch
> this new virus.
>

Hi All,

I'm using ClamAV + MD 2.39 at my Mail Server too, and experiencing some 
problems with clamd here:
in general it works fine, but sometimes it dies with this error in log file:
Tue Jan 27 09:58:59 2004 - /var/spool/MIMEDefang/mdefang-
i0RGwwJX012136/Work/msg-206-171.zip: Zip module failure.
ERROR
Here is my clamav.conf:


LogFile /var/log/clamav/clamd.log
LogFileMaxSize 10M
LogTime
PidFile /var/spool/MIMEDefang/clamd.pid
LocalSocket /var/spool/MIMEDefang/clamd.sock
FixStaleSocket
MaxConnectionQueueLength 25
StreamSaveToDisk
StreamMaxLength 20M
MaxThreads 25
MaxDirectoryRecursion 15
FollowDirectorySymlinks
FollowFileSymlinks
User mailnull
AllowSupplementaryGroups
ScanMail
ScanArchive
ScanRAR
ArchiveMaxFileSize 20M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1500


What might be a problem here?

Thank you,
Dmitry


[Mimedefang] procmail rule for Novarg

2004-01-27 Thread Kenneth Porter
John Hardin, author of the Procmail Sanitizer, just posted the following rule
to the Sanitizer mailing list to catch Novarg. What's needed to translate it
into an MD equivalent? (Another rule after this one does the needed
administrative tasks based on the X-Content-Security headers.)

#
# Trap NovArg
# Signature as of 01/26/2004
#
:0
*  1
*  5
* ^Content-Type:.*multipart/mixed;
{
:0 B hfi
* ^Content-Type: text/plain;$.*charset=Windows-1252
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*name *="?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *="?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
  -A "X-Content-Security: [$HOST] DISCARD" \
  -A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm"
- http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]


Re: [Mimedefang] procmail rule for Novarg

2004-01-27 Thread Kenneth Porter
--On Tuesday, January 27, 2004 10:08 AM -0800 Kenneth Porter
[EMAIL PROTECTED] wrote:

> John Hardin, author of the Procmail Sanitizer, just posted the following rule
> to the Sanitizer mailing list to catch Novarg. What's needed to translate it
> into an MD equivalent? (Another rule after this one does the needed
> administrative tasks based on the X-Content-Security headers.)

Doh, never mind, I see lots of rules already posted, and should get Clam going
anyway.




Re: [Mimedefang] New .zip virus?

2004-01-27 Thread Dave O'Neill
David F. Skoll wrote:

> Just check if the unzipped file has any .exe, .pif, etc. in it.  This
> is more reliable and future-proof than testing for a specific size.
Using the Archive::Zip module from CPAN could be an even better idea if 
we want to avoid the fork/exec and shell pipeline.  I think it should be 
as simple as (warning, completely untested):

use Archive::Zip;

my $zip = Archive::Zip->new();
if( $zip->read($entity->bodyhandle->path) == AZ_OK ) {
    # It's a valid zip
    my @members = $zip->members();
    foreach my $member (@members) {
        my $size = $member->uncompressedSize();
        my $file = $member->fileName();
        # Now, test for file extension and/or bad file sizes
    }
}
Cheers,
Dave
--
Dave O'Neill [EMAIL PROTECTED]Roaring Penguin Software Inc.
+1 (613) 231-6599 ext. 104   http://www.roaringpenguin.com/


[Mimedefang] Check extensions before virus scan

2004-01-27 Thread Fred Felgenhauer
I am having trouble figuring out how to check for bad extensions BEFORE
doing a virus scan (sweep). I am trying to bounce because of a bad extension
first
to avoid the expense of scanning for viruses. No matter what I try, virus
scanning always
happens first, anybody doing this?

Fred



RE: [Mimedefang] Check extensions before virus scan

2004-01-27 Thread Matthew . van . Eerde
I am doing this, in a roundabout way.

I have no anti-virus on the sendmail server.  The sendmail server sends all
mail to the anti-virus server, which then sends all mail to the Exchange
server.

Internet --> Sendmail/MIMEDefang --> Norton Antivirus --> Exchange

The vast majority of viruses are in .exe/.scr/etc form, which MIMEDefang
removes.  The few that are not are (mostly) caught by the Norton Antivirus
server.  Exchange is thus pretty well protected.

> -Original Message-
> From: Fred Felgenhauer [mailto:[EMAIL PROTECTED]
> Subject: [Mimedefang] Check extensions before virus scan
>
>
> I am having trouble figuring out how to check for bad
> extensions BEFORE
> doing a virus scan (sweep). I am trying to bounce because of
> ...
>
> Fred


RE: [Mimedefang] Anyone else having problems with Clamd 0.65?

2004-01-27 Thread Kayne Kruse

> -Original Message-
> From: Kelson Vibber [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 27, 2004 11:57 AM
> To: [EMAIL PROTECTED]
> Subject: [Mimedefang] Anyone else having problems with Clamd 0.65?

I did, primarily with freshclam updates.  I doubt however personally yours
have anything to do with my problem other than the same version.  I had
upgraded our squid setup to use more current filtering ala squidGuard, when
that change broke freshclam being able to transproxy through it. The error
would follow that it could not read MD5 from main.cvd and fail.  Somehow
that corrupted my local .cvd's and then MD went nuts this morning with
quarantining SCO due to bad file types.  Fortunately, I have another AV
system on the workstations that caught the few that slipped in before the
attacks on SCO started to get hard.

Kayne



RE: [Mimedefang] New .zip virus?

2004-01-27 Thread James Miller
Hi all,

Could someone please forward me a copy of Rick's original code snippet?  I
goofed, deleted and purged the message when I wanted to keep it arg!


Send it off-channel to [EMAIL PROTECTED]

Thanks,
Jim


> On Tue, 27 Jan 2004, Brent J. Nordquist wrote:
>
>> The only thing that's been holding me back from doing that here, or
>> implementing similar measures (e.g. unzip and see if there's only a .scr
>> or .pif inside), is the fear of a 10 gigabytes of 0's DoS ZIP file.
>
> If you have GNU cut, this should be safe:
>
>   unzip -p $part | cut -b -10 | wc
>
> That should kill the unzip once it goes past 100K.
>
> Better yet, why not do the equivalent of:
>
>   unzip -l $part | grep -i $bad_exts
>
> Just check if the unzipped file has any .exe, .pif, etc. in it.  This
> is more reliable and future-proof than testing for a specific size.



[Mimedefang] filter virus

2004-01-27 Thread Mike Heller
Hello,

I'm running mimedefang 2.36 on RedHat and I'm trying to add a filter 
rule to remove messages related to the new MyDoom virus.  I don't run a 
virus scanner on the server right now, I just want to filter based on 
the body.  Mimedefang is already running and removing the .scr, .pif, 
etc attachments, but some come as .zip (and I don't want to filter those).

I added the following rule to the filter() subroutine:

my $recips = join(",", @Recipients);
if ($entity->bodyhandle =~ /The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment|The message contains Unicode characters and has been sent as a binary attachment|Mail transaction failed. Partial message is available/i) {
    syslog('warning', "attachment $fname of type $ext quarantined - possible virus [MyDoom]. Sender=$Sender.  Recipient=$recips.");
    action_change_header("Subject", "[VIRUS?] [MyDoom] " . $Subject);
}

The message usually has the following body:

The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment
The message contains Unicode characters and has been sent as a binary 
attachment
Mail transaction failed. Partial message is available

At first, I just wanted to tag the message to see if it was working, 
then add:

return action_discard();

once I know that it's catching the correct messages.

I tested by sending a message to myself with a body that should match, 
but it did not get tagged.  Can anyone tell me what I'm doing wrong?

Thanks,
Mike
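An added example, not Mike's filter and not MIMEDefang code, of matching the three MyDoom body strings quoted above against the decoded text of each text/plain part of a message, using Python's email package. The patterns are whitespace-normalised so a body (or pattern) that has been line-wrapped still matches, and the two sample messages are constructed.

```python
import re
from email import message_from_string

# The three body variants quoted in the thread.
MYDOOM_BODIES = [
    "The message cannot be represented in 7-bit ASCII encoding "
    "and has been sent as a binary attachment",
    "The message contains Unicode characters and has been sent "
    "as a binary attachment",
    "Mail transaction failed. Partial message is available",
]

# One alternation; each run of whitespace in a phrase becomes \s+ so that
# line wrapping in either the pattern or the body does not break the match.
MYDOOM_RE = re.compile(
    "|".join(r"\s+".join(map(re.escape, s.split())) for s in MYDOOM_BODIES),
    re.IGNORECASE,
)


def text_bodies(msg):
    """Yield the decoded text of every text/plain part of msg."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "us-ascii"
            yield payload.decode(charset, "replace")


def looks_like_mydoom(msg):
    """True if any text part carries one of the worm's body strings."""
    return any(MYDOOM_RE.search(body) for body in text_bodies(msg))


def tag_subject(msg):
    """The subject as the tagging step rewrites it."""
    return "[VIRUS?] [MyDoom] " + (msg["Subject"] or "")


# Constructed sample: worm-shaped multipart with a wrapped body line.
SAMPLE_WORM = message_from_string("""\
From: [email protected]
To: [email protected]
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

--b1
Content-Type: application/octet-stream; name="document.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.zip"

UEsDBAoAAAAAAA==
--b1--
""")

# Constructed sample: ordinary mail.
SAMPLE_CLEAN = message_from_string("""\
From: [email protected]
To: [email protected]
Subject: lunch?

Want to grab lunch at noon?
""")

if __name__ == "__main__":
    for name, msg in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(name, looks_like_mydoom(msg), tag_subject(msg))
```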


Re: [Mimedefang] Check extensions before virus scan

2004-01-27 Thread Bryan Stansell
i noticed that just yesterday when trolling through mimedefang-filter.
is there a reason for doing this?  that is, having the anti-virus pull
apart the entire message and then only feed in each part looking for the
infected portion if it found one in filter_begin()?

seems like the suggestion below would help make things a bit lighter and
a good default...and then you don't rely on the anti-virus program
having the ability to pull apart messages, decode them, etc.

just curious about the logic behind the default behavior.

Bryan

On Tue, Jan 27, 2004 at 03:07:55PM -0600, Jim McCullars wrote:
 
> In the sample filter, there are two calls to a virus scanner - one in
> filter_begin() which calls the message_contains_virus function, and
> another in filter(), which calls the entity_contains_virus function.  If
> you want, you could comment out the call in filter_begin(), and then in
> filter(), just move the call to check for a virus to below the part that
> checks for a bad extension.
>
> HTH...
>
> Jim McCullars


Re: [Mimedefang] Request for help: Virus-scanner invocation review [was Re: New .zip virus]

2004-01-27 Thread dimon
Quoting Mail Administrator [EMAIL PROTECTED]:

 
 
> David F. Skoll wrote:
>> On Tue, 27 Jan 2004, Kevin A. McGrail wrote:
>>> Add the --mime switch to detect MIME encoded virus's.
>>
>> I'm planning on a 2.40 release soon.  Would all virus-scanner owners please
>> review how MD invokes the scanner and suggest improvements?  I do not
>> own/use any virus-scanning software, so I rely on you folks to tell me
>> how to invoke it correctly.

I think for clamav checks it's better to change command line options for 
archived files:
in
sub message_contains_virus_clamav ()
sub entity_contains_virus_clamav ($)

change 
run_virus_scanner($Features{'Virus:CLAMAV'} . " -r --stdout --disable-summary --infected ./Work 2>&1");

to

run_virus_scanner($Features{'Virus:CLAMAV'} . " -r --stdout --disable-summary --infected --disable-archive --unzip --unrar --unace --arj --zoo --lha --jar --tar --deb --tgz ./Work 2>&1");

Of course that requires all these archivers to be installed in the system.
What other people think about that?

Dmitry



Re: [Mimedefang] New .zip virus?

2004-01-27 Thread Bill Maidment
I was thinking of the Archive Support parameters in clamav.conf

We had 3 of these virii slip by the first server, but were caught by a 
second server with identical setup (i.e. MD 2.39/File-Scan 0.79/ClamAV 
0.65) but they had slightly different freshclam update times. We're safe 
so far, but now we're getting all the virus warning messages from 
systems that insist on sending a message to the (spoofed) Sender. Roll 
on AOL insisting on SPF settings on the MX record.

Cheers
Bill
[EMAIL PROTECTED] wrote:

> In article [EMAIL PROTECTED] you wrote:
>> Make sure you have the settings on to scan through zip files, and you
>> are running freshclam frequently.



Re: [Mimedefang] New .zip virus?

2004-01-27 Thread Rick Mallett
In a previous message Dave O'Neill suggested using Archive::Zip
instead of unzip | wc -c which I had proposed. It seemed like a
better idea so I rewrote my filter code as per his suggestion. To use
it you have to install the Archive::Zip Perl module and add the line
use Archive::Zip; to mimedefang-filter. I suppose it could go
anywhere but I added it near the top, and in filter I have

# Check for possible novarg/mydoom virus

if (lc($ext) =~ /(bat|cmd|exe|pif|scr|zip)/) {
    my $path = $entity->bodyhandle->path;
    my $size = (stat($entity->bodyhandle->path))[7];
    # the operator between $size and 3 is missing in the archived post; '>' is assumed
    if (lc($ext) =~ /zip/ && $size > 3) {
        my $zip = Archive::Zip->new();
        if ($zip->read($path) == AZ_OK) {
            my @members = $zip->members();
            foreach my $member (@members) {
                my $file = $member->fileName();
                next if lc($file) !~ /(bat|cmd|exe|pif|scr)/;
                $size = $member->uncompressedSize();
                last if $size >= 22528 && $size <= 22530;
            }
        }
    }
    if ($size >= 22528 && $size <= 22530) {
        md_graphdefang_log('virus', "Novarg/Mydoom $fname");
        return action_discard();
    } elsif ($size >= 22000 && $size <= 24000) {
        action_quarantine($entity, "Might be the Novarg/Mydoom virus");
        md_graphdefang_log('virus', "Novarg/Mydoom $fname $size");
        return action_bounce("$fname might be a virus - change the name and resend");
    }
}


- rick

On Tue, 27 Jan 2004, Dave O'Neill wrote:

> David F. Skoll wrote:
>
>> Just check if the unzipped file has any .exe, .pif, etc. in it.  This
>> is more reliable and future-proof than testing for a specific size.
>
> Using the Archive::Zip module from CPAN could be an even better idea if
> we want to avoid the fork/exec and shell pipeline.  I think it should be
> as simple as (warning, completely untested):
>
> use Archive::Zip;
>
> my $zip = Archive::Zip->new();
> if( $zip->read($entity->bodyhandle->path) == AZ_OK ) {
>     # It's a valid zip
>     my @members = $zip->members();
>     foreach my $member (@members) {
>         my $size = $member->uncompressedSize();
>         my $file = $member->fileName();
>         # Now, test for file extension and/or bad file sizes
>     }
> }
>
> Cheers,
> Dave
> --
> Dave O'Neill [EMAIL PROTECTED]    Roaring Penguin Software Inc.
> +1 (613) 231-6599 ext. 104   http://www.roaringpenguin.com/
>

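An added example (not Rick's filter, not Dave's snippet and not MIMEDefang code) that carries the same rule set through in Python, with the standard zipfile module standing in for Archive::Zip: it reads only the central directory, checks executable member names and their declared uncompressed sizes, and applies Rick's discard and quarantine ranges; for the non-zip attachments it is the same comparison on the attachment itself that Brent's filter makes. The MAX_ZIP_BYTES and MAX_MEMBERS caps are assumptions added to bound the work done on a hostile archive, and the sample archives are constructed.

```python
import io
import zipfile

# Executable member extensions the thread's filters look for.
BAD_EXTS = ("bat", "cmd", "exe", "pif", "scr")
# Assumed caps (not from the thread): bound the work done on a hostile
# archive before any member is inspected.
MAX_ZIP_BYTES = 1_000_000
MAX_MEMBERS = 100

# Rick's thresholds: the worm executable's uncompressed size, and a wider
# window that only earns a quarantine.
DISCARD_RANGE = (22528, 22530)
QUARANTINE_RANGE = (22000, 24000)


def has_bad_ext(name):
    """True if the member name ends in one of BAD_EXTS."""
    return "." in name and name.lower().rsplit(".", 1)[-1] in BAD_EXTS


def classify(ext, data):
    """Return 'discard', 'quarantine' or 'ok' for one attachment.

    ext is the attachment's extension without the dot; data is its raw
    bytes.  For a .zip the size tested is the declared uncompressed size
    of its executable members (stopping at the first one in DISCARD_RANGE),
    read from the central directory without inflating anything; for the
    other extensions it is the attachment's own size.
    """
    ext = ext.lower()
    if ext not in BAD_EXTS + ("zip",):
        return "ok"
    size = len(data)
    if ext == "zip" and size <= MAX_ZIP_BYTES:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()          # central directory only
                if len(infos) <= MAX_MEMBERS:
                    for info in infos:
                        if not has_bad_ext(info.filename):
                            continue
                        size = info.file_size  # declared, never inflated
                        if DISCARD_RANGE[0] <= size <= DISCARD_RANGE[1]:
                            break
        except zipfile.BadZipFile:
            pass  # not a zip after all: fall through with the raw size
    if DISCARD_RANGE[0] <= size <= DISCARD_RANGE[1]:
        return "discard"
    if QUARANTINE_RANGE[0] <= size <= QUARANTINE_RANGE[1]:
        return "quarantine"
    return "ok"


def make_zip(members):
    """Constructed test data: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a worm-shaped archive, a harmless one, and one whose
# executable falls only inside the wider quarantine window.
SAMPLE_WORM_ZIP = make_zip({"document.scr": b"\x00" * 22528})
SAMPLE_BENIGN_ZIP = make_zip({"report.txt": b"hello\n" * 4000})
SAMPLE_NEAR_MISS_ZIP = make_zip({"readme.pif": b"A" * 23000})

if __name__ == "__main__":
    for label, ext, blob in (("worm", "zip", SAMPLE_WORM_ZIP),
                             ("benign", "zip", SAMPLE_BENIGN_ZIP),
                             ("near miss", "zip", SAMPLE_NEAR_MISS_ZIP),
                             ("bare .scr", "scr", b"\x00" * 22528)):
        print(f"{label:10s} -> {classify(ext, blob)}")
```

Because nothing is inflated, the "10 gigabytes of 0's" archive Brent worried about costs only a central-directory read here; the two caps keep even that bounded, and anything they exclude falls through to the virus scanner rather than being judged on its own.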


Re: [Mimedefang] New .zip virus?

2004-01-27 Thread David F. Skoll
On Wed, 28 Jan 2004, Bill Maidment wrote:

> We're safe
> so far, but now we're getting all the virus warning messages from
> systems that insist on sending a message to the (spoofed) Sender.

My Bayes database recognizes most virus warning messages as spam by now. :-)

Regards,

David.



Re: [Mimedefang] procmail rule for Novarg

2004-01-27 Thread Lucas Albers
What's the point if filescan/clamscan catches it already?

Kenneth Porter said:
> John Hardin, author of the Procmail Sanitizer, just posted the following rule
> to the Sanitizer mailing list to catch Novarg. What's needed to translate it
> into an MD equivalent? (Another rule after this one does the needed
> administrative tasks based on the X-Content-Security headers.)
-- Luke Computer Science System Administrator



Re: [Mimedefang] New .zip virus?

2004-01-27 Thread Lucas Albers
Dave,
why not test it out on your server and then post it when you know it works.
That...wouldbe...great!
-- Luke Computer Science System Administrator

Dave O'Neill said:
> Using the Archive::Zip module from CPAN could be an even better idea if
> we want to avoid the fork/exec and shell pipeline.  I think it should be
> as simple as (warning, completely untested):
code snipped
> Dave



Re: [Mimedefang] Request for help: Virus-scanner invocation review [was Re: New .zip virus]

2004-01-27 Thread Bill Maidment
I'm trying this change now to see if it really makes a difference. But 
shouldn't clamav be unzipping by default?

Bill

[EMAIL PROTECTED] wrote:

> I think for clamav checks it's better to change command line options for
> archived files:
> in
> sub message_contains_virus_clamav ()
> sub entity_contains_virus_clamav ($)



Re: [Mimedefang] Check extensions before virus scan

2004-01-27 Thread Jim McCullars


On Tue, 27 Jan 2004, Kelson Vibber wrote:

> I think David said the other day that the message has already been pulled
> apart by MIMEDefang at this point, and message_contains_virus points the
> virus scanner at the working directory instead of going file by file.  This
> saves a bit of processing because you don't need to reinvoke the virus
> scanner for each attachment.

   That just now made me realize that I misspoke when I replied to the
original message.  I was under the (mistaken) impression that the virus
check in filter_begin() would reject a message.  It doesn't.  It just sets
a flag for filter() to check each part.  So if he comments out the scan in
filter_begin(), the virus check will not be done (by default).  Ouch.

   So I guess the answer is in filter(), just change the order of the
virus scan and the bad_ext check, but leave the code in filter_begin()
alone.  The virus scanner will still get run once, but not twice in the
case of a bad extension.

Jim McCullars




Re: [Mimedefang] filter virus

2004-01-27 Thread Jim McCullars


On Tue, 27 Jan 2004, Mike Heller wrote:

> I'm running mimedefang 2.36 on RedHat and I'm trying to add a filter
> rule to remove messages related to the new MyDoom virus.  I don't run a
> virus scanner on the server right now, I just want to filter based on
> the body.  Mimedefang is already running and removing the .scr, .pif,
> etc attachments, but some come as .zip (and I don't want to filter those).

   Same here.  I used the code that Joseph Brennan posted in:

http://lists.roaringpenguin.com/pipermail/mimedefang/2004-January/019443.html

   I saw the thread when I was reading email at home last night, but
didn't think much about it (and wondered why Joseph was dealing with it,
since he is at a university) since the Symantec site said that the worm
skipped addresses ending in edu.  Wrong!

Jim McCullars




Re: [Mimedefang] New .zip virus?

2004-01-27 Thread Dave O'Neill
Lucas Albers wrote:
> Dave,
> why not test it out on your server and then post it when you know it works.
> That...wouldbe...great!
The latest version of Rick's code snippet using Archive::Zip (see 
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-January/019491.html) 
seems to work fine, as long as you use:
   use Archive::Zip qw( :ERROR_CODES );
instead of just:
   use Archive::Zip;
in your mimedefang-filter file.  Otherwise you'll probably see something 
like:
   Argument "AZ_OK" isn't numeric in numeric eq (==) at
/etc/mail/mimedefang-filter line 229.
in your logfile.

I don't know how it affects MIMEDefang's performance, but it should be 
better than calling the 'unzip' binary, as Archive::Zip doesn't need to 
fork/exec, and it only needs to read the zip headers, not uncompress the 
file.

Cheers,
Dave
--
Dave O'Neill [EMAIL PROTECTED]Roaring Penguin Software Inc.
+1 (613) 231-6599 ext. 104   http://www.roaringpenguin.com/


Re: [Mimedefang] Request for help: Virus-scanner invocation review [was Re: New .zip virus]

2004-01-27 Thread dimon
Quoting Bill Maidment [EMAIL PROTECTED]:

> I'm trying this change now to see if it really makes a difference. But
> shouldn't clamav be unzipping by default?
>

It does it by default, but I don't think it does that properly with damaged zip
archives. That was the reason I had to switch from using clamd to clamscan.
clamd was dying every time it scanned a damaged zip archive. And the built-in rar
archive support works only with files archived with rar 2.0.
So, why not use all external archivers to examine all kinds of archives?
And one more clamscan option I missed last time:  --mbox
I think it makes sense to add that too.

Best regards,
Dmitry


Re: [Mimedefang] Check extensions before virus scan

2004-01-27 Thread Kelson Vibber
At 02:25 PM 1/27/2004, Jim McCullars wrote:
> So I guess the answer is in filter(), just change the order of the
> virus scan and the bad_ext check, but leave the code in filter_begin()
> alone.
Alternatively, remove the calls in filter_begin, then entity_contains_virus 
out of the if ($FoundVirus) block.  On one hand,
you do scan each entity individually.  On the other, you don't scan 
anything that you're already deleting.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Check extensions before virus scan

2004-01-27 Thread Bryan Stansell
On Tue, Jan 27, 2004 at 03:20:12PM -0800, Kelson Vibber wrote:
> Alternatively, remove the calls in filter_begin, then
> entity_contains_virus out of the if ($FoundVirus) block.  On one
> hand, you do scan each entity individually.  On the other, you don't
> scan anything that you're already deleting.

yeah, since i'm using clamd, there really is no penalty for checking the
parts on their own (and only if they pass the other checks).  if i was
using a non-daemon scanner, i see the benefit of cranking it off in
filter_begin() to prevent the overhead of reading the virus definitions,
etc for each part in filter().  for clamd, the filter_begin() check just
seems to be overhead.

thanks for all the feedback...it helped get my head straight.  ;-)

Bryan


[Mimedefang] clamav and $VirusName variable

2004-01-27 Thread alan premselaar
Hi,

I recently installed clamav 0.65 on my machine (in conjunction with
File::Scan) and I've noticed that occasionally clamav is returning that it's
found a virus, but $VirusName is empty.

any ideas as to why this might be happening? or where to look for this?

i'm pretty sure it's running properly on another machine (where i'm not
using File::Scan) but i can't find any differences in how i'm calling it in
my filter.  

thanks in advance,

alan
