procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: netsky virus snagger

2004-02-20 12:28:33
from [Dallman Ross] [Permanent Link] 
On Fri, Feb 20, 2004 at 09:37:15AM -0800, Gary Funck wrote:


The way I'm invoking the virus snaggers is from the global
/etc/procmailrc,



NONDEL=TRUE
INCLUDERC=/etc/procmailrcs/virus_scan.rc
#
# If either VIR_A or VIR_B are true, a possible virus
# was seen. Dump it into the virus trap.
#
:0
* $ 1^0 TRUE ?? ^^$VIR_A^^
* $ 1^0 TRUE ?? ^^$VIR_B^^
{ VIRUS_FOUND = TRUE }


Well, in 1.5.0 there are three.  $VIR_A, _B, or _Z.

However, you don't need to do the above.  The assignments
in the INCLUDERC are mutually exclusive -- there's only ever
one or none.  So this works:

   :0
   * $ TRUE ?? ^^$VIR_A$VIR_B$VIR_Z^^
   { # Virus Snaggers thinks it found a virus }

Even if the tests were not mutually exclusive, the
syntax would still work if we leave off the right-anchor:

   * $ TRUE ?? ^^$VIR_A$VIR_B$VIR_Z



I'm running ver. 1.4.1a; 28-Jan-04.  And netsky (not mydoom) was
slipping through. 


Frankly, this is the first I've heard of NetSky.  You're
mistaken if you think I watch for new viruses on the cutting
edge.  :-)  I don't even *get* very many viruses to test my
stuff on.  With MyDoom, I got not-a-one the first five days
that everybody was complaining it was killing their systems.
I finally had to ask some local people on my ISP to let me
see some of theirs. :-)  A few days later I'd gotten a couple
dozen of my own, though.

Gary, send me a private mail with a link to one so I can at
least see the thing.  Don't everybody reading this jump on the
bandwagon, please!  I don't need all the helpful emails.  :-)
Just one from Gary will be enough for now.



also like it better if the script set a single variable (like VIRUS_FOUND)
rather than setting two of them.


I don't have any immediate plans for that.  Maybe a future version
would set both alternatively.  But I want to know in my logs which
virus type I found.


I see the latest is ver. 1.5.0; 7-Feb-04 at
http://www.spamless.us/pub/procmail/virussnag.rc
but don't see a check for netsky in there.


See above.  :)

-- 
dman

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: netsky virus snagger, Gary Funck
Next by Date:  varname=| construct broken?, Ian D.
Previous by Thread:  RE: netsky virus snagger, Gary Funck
Next by Thread:  RE: netsky virus snagger, Gary Funck
Indexes:  [Date] [Thread] [Top] [All Lists]