procmail

Re: puzzled about a regexp

2003-01-13 12:52:30
At 10:29 2003-01-13 -0800, procmail(_at_)deliberate(_dot_)net did say:
On Mon, 13 Jan 2003 01:44:19 +0200, "Nikos K. Kantarakias" wrote:
=> * name[  ]*=.*\.(bat|pif|vb[as]|scr|lnk|com|exe|{[-0-9a-f]+})"?[  ]*$

        Apologies for what may be a stupid question, but I'm a
bit confused as to why you'd be trapping for an "extension" that
is apparently a hexadecimal number. Can you say more about that?

I don't know Nikos' reasoning (nor do I use this recipe), but it is likely that is there to catch M$ CLSID (esp. with the curly braces as delimiters). If you have access to an M$ box, run "regedit", and traverse the registry tree to HKEY_CLASSES_ROOT\CLSID\, and you'll see an abundance of them.

Chances are, that's there to protect against some viruses which affect OutBreak (uh, I mean LookOut, no, OutLook, that's it) and OutBreak Express.

        I may be overly paranoid; I use the following string of
potentially "active" extensions to block:
(bat|chm|com|cpl|dll|exe|hlp|hta|jse?|key|lnk|ocx|pif|reg|scr|sh[bs]|vb[se]?|ws[fhe])

some others you're missing:

as[xp]
ba[st]
c(lass|md|om)
j(ava|se?|sp|tmpl)
s(cr|ys)
ws[cfh]


What type of executable is sh[bs]? What is wse (wise installer script - that's source, isn't it?) ?

There's a nice, straightforward attachment filter at:

        <http://www.johncon.com/john/QuarantineAttachments/>

I use a filter excerpted from that for my systemwide (/etc/procmailrc) virus filter.

        One other question: in developing my more complex [using
several variables] virus program test, I ran across problems with
the double quote and I note that you use it "naked" above.

Perhaps you were using the doublequote in a shelled program, such as grep or sed?

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
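
An added example, not part of the original message or of the filter linked in it: the extension alternations quoted above, merged into one pattern together with the brace-delimited CLSID form, run in Python over a constructed MIME message. The function name, the sample message and the CLSID value are constructed for illustration, and tolerating trailing dots or whitespace after the extension is an assumption beyond the quoted recipe.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Alternation merged from the recipe and the two extension lists quoted in
# the message, plus the CLSID form {[-0-9a-f]+}. Trailing dots/whitespace
# are tolerated here as an assumption, not something the recipe does.
BLOCKED = re.compile(
    r"\.(as[xp]|ba[st]|chm|c(lass|md|om)|cpl|dll|exe|hlp|hta"
    r"|j(ava|se?|sp|tmpl)|key|lnk|ocx|pif|reg|s(cr|ys)|sh[bs]"
    r"|vb[ase]?|ws[cfhe]|\{[-0-9a-f]+\})[\s.]*$",
    re.IGNORECASE,
)

def blocked_attachments(raw):
    """Return attachment names in a raw message that match BLOCKED."""
    hits = []
    for part in message_from_string(raw).walk():
        # A client may take the name from Content-Disposition filename=
        # or from Content-Type name=, so test both.
        found = (part.get_filename(), part.get_param("name"))
        names = {collapse_rfc2231_value(v).strip() for v in found if v}
        hits += [n for n in sorted(names) if BLOCKED.search(n)]
    return hits

# Constructed sample message; the CLSID below is made up.
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt.{01234567-89ab-cdef-0123-456789abcdef}"

x
--b1
Content-Type: application/octet-stream; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

x
--b1
Content-Type: application/octet-stream; name="Invoice.PIF"

x
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

The first part shows why both headers are checked: its Content-Type name looks like a plain text file while the Content-Disposition filename carries the CLSID suffix.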
