procmail

RE: netsky virus snagger

2004-02-20 10:46:32

From: Dallman Ross
Sent: Friday, February 20, 2004 8:52 AM


On Fri, Feb 20, 2004 at 08:02:51AM -0800, Gary Funck wrote:

Generally, Dallman's script catches these, except for the .zip
variants (I'm not a fan of blocking .zip files), but this should catch
most of 'em:


### Netsky virus
:0 B
* ! VIRUS_FOUND ?? ^^TRUE^^

That won't work, assuming you are using $TRUE as I do with
it being a var and not a constant.  You would need

  * $ ! VIRUS_FOUND ?? ^^$TRUE^^

* > 20000
* < 60000
[...]
{ VIRUS_FOUND = TRUE }

Oh, I see, you're not setting a variable but a fixed string.  Okay,
well, that would work above, but you seem to be using this for a
makeshift X-Loop:, only it's only good inside this rc-file while it's
running.  I don't frankly see the point.


The way I'm invoking the virus snaggers is from the global /etc/procmailrc,
and in this order.

#
# invoke the virus scanner, tell it not to deliver.
#
NONDEL=TRUE
INCLUDERC=/etc/procmailrcs/virus_scan.rc
#
# If either VIR_A or VIR_B are true, a possible virus
# was seen. Dump it into the virus trap.
#
:0
* $ 1^0 TRUE ?? ^^$VIR_A^^
* $ 1^0 TRUE ?? ^^$VIR_B^^
{ VIRUS_FOUND = TRUE }

# Will set VIRUS_FOUND=TRUE if mydoom virus signature found.
INCLUDERC=/etc/procmailrcs/virus_scan_mydoom.rc
# Will set VIRUS_FOUND=TRUE if netsky virus signature found.
INCLUDERC=/etc/procmailrcs/virus_scan_netsky.rc

The first invocation (virus_scan.rc) is your virus snagger.
If it finds something, the other virus scanners will notice
that VIRUS_FOUND is TRUE and return. (Yes, for efficiency's sake,
I should put that test at the top-level.)



You're right that it's a gawdawful mess -- which also makes
it hard to maintain.  In any event, the current version of
Virus Snaggers has no problem stopping the MyDoom worm in
ZIP files, without the need to block ZIPs to do so.

I'm running ver. 1.4.1a; 28-Jan-04.  And netsky (not mydoom) was
slipping through.  Requested enhancement: place the URL for fetching
the virus snagger into a comment, to make it easier to check for the
new one without having to shuffle through procmail posts etc.  I'd
also like it better if the script set a single variable (like VIRUS_FOUND)
rather than setting two of them.

I see the latest is ver. 1.5.0; 7-Feb-04 at
http://www.spamless.us/pub/procmail/virussnag.rc
but don't see a check for netsky in there.





_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
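Added example (not posted by either participant, and not part of Virus Snaggers): one way to lay out the global /etc/procmailrc so that the VIRUS_FOUND check is made once at the top level, as Gary says it should be, rather than inside each included rc-file. The trap folder path, the SHELL line and the order of the two signature rc-files inside the guarded block are assumptions; the snagger's own variables (VIR_A, VIR_B, NONDEL) and the include paths are the ones quoted in the thread.

```procmail
# Example layout for /etc/procmailrc -- added illustration, not the
# snagger's own code.  Paths below are assumptions.
SHELL=/bin/sh
VIRUS_TRAP=/var/mail/virus-trap      # assumed trap mailbox

# Run the snagger but tell it not to deliver; it sets VIR_A / VIR_B.
NONDEL=TRUE
INCLUDERC=/etc/procmailrcs/virus_scan.rc

# Fold the two flags into one.  The 1^0 weights make the recipe fire
# when either condition matches (a logical OR).  The $ modifier is
# required because the conditions contain variables that must be
# expanded before the match; after expansion the line is reparsed, so
# the weight is still recognised.
:0
* $ 1^0 TRUE ?? ^^$VIR_A^^
* $ 1^0 TRUE ?? ^^$VIR_B^^
{ VIRUS_FOUND=TRUE }

# Consult the signature rc-files only while nothing has been found.
# VIRUS_FOUND is set to the fixed string TRUE, so no $ is needed here.
# Each included file sets VIRUS_FOUND=TRUE on a hit.
:0
* ! VIRUS_FOUND ?? ^^TRUE^^
{
  INCLUDERC=/etc/procmailrcs/virus_scan_mydoom.rc
  INCLUDERC=/etc/procmailrcs/virus_scan_netsky.rc
}

# One delivery recipe serves every detector.  The trailing colon asks
# procmail to lock the mailbox while appending.
:0:
* VIRUS_FOUND ?? ^^TRUE^^
$VIRUS_TRAP
```

With this arrangement a message caught by the snagger never enters the signature rc-files, and the per-virus files only need to set the flag; they do not each need their own guard or their own delivery recipe.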
