Jason Englander wrote:
> I agree with you about keeping a virus scanner updated, but I don't
> think MD should abandon those older versions. A client of mine still
> uses one without --mime. I could see adding a new global variable
> like $NAIUseMime that could be defined in your filter, then hav
On Tue, 27 Jan 2004, Kevin A. McGrail wrote:
> In regards to McAfee and NAV, we always recommend replacing the engine and
> the defs whenever a new version is available. I don't disagree that people
> might be running older engine files but doing so is a risky proposition in
> our opinion.
I agr
Hi David,
Yes, it's the [EMAIL PROTECTED] worm (that just rolls off the tongue, doesn't
it? :)
Symantec report here:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
The zip is a 22 Kb archive that includes a single file, the worm itself. The
zip file is delivered using
> It's actually the definitions a virus scanner has, rather than the
> utilities that use them, that normally matter. Someone may be using an
> older version of a commandline tool that doesn't support certain options
> but it may (assuming the tool <-> library/definitions api is stable enough)
> be
On Tue, Jan 27, 2004 at 12:42:58PM -0500, Kevin A. McGrail wrote:
> > > " --noboot --mime --secure --allole $path 2>&1", "Found");"
>
> > Should MD 2.40 have this modification in it?
> > Note: Older versions of uvscan do not appear to support this switch.
>
> Absolutely! What's the point of runn
Lucas Albers wrote:
> Dave,
> why not test it out on your server and then post it when you know it works.
> That...would be...great!
The latest version of Rick's code snippet using Archive::Zip (see
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-January/019491.html)
seems to work fine, as
Dave,
why not test it out on your server and then post it when you know it works.
That...would be...great!
-- Luke Computer Science System Administrator
Dave O'Neill said:
> Using the Archive::Zip module from CPAN could be an even better idea if
> we want to avoid the fork/exec and shell pipeli
On Wed, 28 Jan 2004, Bill Maidment wrote:
> We're safe
> so far, but now we're getting all the virus warning messages from
> systems that insist on sending a message to the (spoofed) Sender.
My Bayes database recognizes most virus warning messages as spam by now. :-)
Regards,
David.
In a previous message Dave O'Neill suggested using Archive::Zip
instead of "unzip | wc -c" which I had proposed. It seemed like a
better idea so I rewrote my filter code as per his suggestion. To use
it you have to install the Archive::Zip Perl module and add the line
"use Archive::Zip;" to mimedef
I was thinking of the Archive Support parameters in clamav.conf
We had 3 of these virii slip by the first server, but were caught by a
second server with identical setup (i.e. MD 2.39/File-Scan 0.79/ClamAV
0.65) but they had slightly different freshclam update times. We're safe
so far, but now
Hi all,
Could someone please forward me a copy of Rick's original code snippet? I
goofed, deleted and purged the message when I wanted to keep it !
Send it off-channel to [EMAIL PROTECTED]
Thanks,
Jim
> On Tue, 27 Jan 2004, Brent J. Nordquist wrote:
>
> > The only thing that's been holding m
David F. Skoll wrote:
> Just check if the unzipped file has any .exe, .pif, etc. in it. This
> is more reliable and future-proof than testing for a specific size.
Using the Archive::Zip module from CPAN could be an even better idea if
we want to avoid the fork/exec and shell pipeline. I think it sh
On Tue, 27 Jan 2004, Brent J. Nordquist wrote:
> The only thing that's been holding me back from doing that here, or
> implementing similar measures (e.g. unzip and see if there's only a .scr
> or .pif inside), is the fear of a "10 gigabytes of 0's" DoS ZIP file.
If you have GNU cut, this should
Good point. I've just changed my code to
my $path = $entity->bodyhandle->path;      # path of the decoded attachment on disk
my $size = (stat($path))[7];               # size of the (still compressed) attachment
if (lc($ext) =~ /zip/ && $size < 3) {
    # unzip to stdout and count the uncompressed bytes
    my $test = `/bin/unzip -p $path | wc -c`;
    # only trust the result if wc printed a plain number
    $size = $1 if $test =~ /^\s*(\d+)\s*$/;
}
- rick
On Tue, 27 Jan 2004, Bre
On Tue, 27 Jan 2004, Rick Mallett <[EMAIL PROTECTED]> wrote:
> It uses "unzip | wc -c" to check the file size and only discards if it
> is in a smaller size range (22528-22530)
The only thing that's been holding me back from doing that here, or
implementing similar measures (e.g. unzip and see if
Here is a small variation on the code posted by Brent.
It uses "unzip | wc -c" to check the file size and only discards if it
is in a smaller size range (22528-22530), and bounces otherwise.
Actually, the unzip'ed files are all 22528 so it could just check for
that size. This just reduces the chan
> > " --noboot --mime --secure --allole $path 2>&1", "Found");"
> Should MD 2.40 have this modification in it?
> Note: Older versions of uvscan do not appear to support this switch.
Absolutely! What's the point of running an outdated virus scanner? It's
pointless therefore supporting anything b
Quoting [EMAIL PROTECTED]:
> In article <[EMAIL PROTECTED]> you wrote:
> > Make sure you have the settings on to scan through zip files, and you
> > are running freshclam frequently.
>
> I'm running the current stable version of ClamAV (0.65) and have
> freshclam checking for updates several time
Kevin A. McGrail said:
> "Step 4: Enable MIME Scanning
> modify line 2121 in /usr/local/bin/mimedefang.pl to have --mime:
> run_virus_scanner($Features{'Virus:NAI'} .
> " --noboot --mime --secure --allole $path 2>&1", "Found");"
>
> Regards,
> KAM
Should MD 2.40 have this modification in i
In article <[EMAIL PROTECTED]> you wrote:
> Make sure you have the settings on to scan through zip files, and you
> are running freshclam frequently.
I'm running the current stable version of ClamAV (0.65) and have
freshclam checking for updates several times a day. I was looking
through clamav.
; arguments etc ) to do this.
>
> I'm a perl newbie so please be kind :-)
>
> Regards
> Kevin
If you check mimedefang.pl then you'll find where you should add the
--unzip option (two places). Pity to have to do this, but otherwise
it won't get detected in its zip form b
On Mon, 26 Jan 2004, Brent J. Nordquist <[EMAIL PROTECTED]> wrote:
> So far the ZIP ones are all between 22640 and 22798 bytes inclusive.
> Can someone post a quick example on how to test an attachment's size?
After some archive digging here's what I arrived at, if it's useful to
anyone else.
On Tue Jan 27 2004 at 07:15, "Kevin A. McGrail" wrote:
> A) I believe you have to modify the source code
> B) the code already uses the --secure command line which will unzip files.
Ahh, so it does, missed that. So there is no need to add the
--unzip option (I added --mime long ago). Thanks.
>
A) I believe you have to modify the source code
B) the code already uses the --secure command line which will unzip files.
C) I recommend the following step which is relevant because it's also how I
know how to change the uvscan command line:
"Step 4: Enable MIME Scanning
If you didn't modify mim
04 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Mimedefang] New .zip virus?
>
> Make sure you have the settings on to scan through zip files, and you
> are running freshclam frequently.
>
> Elders Real Estate Ballina wrote:
>
> >
> > I just had one in my Inbox a
H...
Maybe it wasn't really a .zip but ".zip__" or something. I'll be
interested in your finding.
Cheers
Bill
Elders Real Estate Ballina wrote:
> I'll have a closer look later to see if there's something I've
> missed.. I thought MD died but after checking the log, MD passed it
> through.
> Freshclam has been updating regularly. ( latest definitions ) MD & ClamAV
> had been successfully blocking attachments ..
> I had one slip through which I thought was odd. I would have thought MD
> would have blocked the .zip as it's set in the config to block all
> zips. First time I've had MD fail
Make sure you have the settings on to scan through zip files, and you
are running freshclam frequently.
Elders Real Estate Ballina wrote:
> I just had one in my Inbox as well...except mine was body.zip. It
> wasn't blocked or detected by clam av & mimedefang.
> What would cause the file to drop t
I just had one in my Inbox as well...except mine was body.zip. It wasn't
blocked or detected by clam av & mimedefang.
What would cause the file to drop through the filter/scanner?
Regards
Mat
At 09:33 PM 26/01/2004 -0500, you wrote:
>Got a test msg coming through with a zip file attach
ClamAV now recognises Worm.SCO.A and Trojan.SCO.A
I've not seen a new File-Scan yet
So there are at least 2 variants...
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.c
They really shouldn't call it the SCO worm, as people would confuse it
with Darl
Sorry, just had to.
Tim
ClamAV is picking it up as the Worm.SCO.A virus
On Mon, 26 Jan 2004, Joseph Brennan <[EMAIL PROTECTED]> wrote:
> This is based on reports at Symantec and another site.
>
> if ($fname =~ /(document|readme|doc|text|file|data|test|message|body)/i
Helpful, but I'm also seeing some here named eblpdw.zip (random garbage).
So far the ZIP ones
>Got a test msg coming through with a zip file attached 'body.zip'
>(in fact, second one for the day). Norton Antivirus calls it
>[EMAIL PROTECTED] They don't have a whole lot of info on it yet, except
>to label it a level 4 threat:
I just got one in my personal box with the zip file con
This is based on reports at Symantec and another site.
in sub filter ()
# Novarg virus
if ($fname =~ /(document|readme|doc|text|file|data|test|message|body)/i
    && $ext =~ /(bat|cmd|exe|pif|scr|zip)/ ) {
    md_graphdefang_log('virus',"Novarg-Midoom $fname $type");
retur
Hi
ClamAV is picking it up as the Worm.SCO.A virus
Cheers
Bill
Ashley M. Kirchner wrote:
David F. Skoll wrote:
> I'm seeing bounces from messages I supposedly sent containing a .zip
> file.
David F. Skoll wrote:
> I'm seeing bounces from messages I supposedly sent containing a .zip file.
> I think there's a new .zip virus out there. Watch out; the default filter
> will not catch these.
Got a test msg coming through with a zip file attached 'body.zip'
(in fact, second one for the day).
At 04:57 PM 1/26/2004, David F. Skoll wrote:
> I'm seeing bounces from messages I supposedly sent containing a .zip file.
> I think there's a new .zip virus out there. Watch out; the default filter
> will not catch these.
Yes: http://news.com.com/2100-7349_3-5147605.html
Apparently it's called MyDoom,
David F. Skoll wrote:
> Hi,
> I'm seeing bounces from messages I supposedly sent containing a .zip file.
> I think there's a new .zip virus out there. Watch out; the default filter
> will not catch these.
I just received it as well, however SA (2.63) labeled it as Spam. I
opened the .zip file put the