
RE: netsky virus snagger

2004-02-20 15:20:34

From: Dallman Ross
Sent: Friday, February 20, 2004 11:18 AM


On Fri, Feb 20, 2004 at 09:37:15AM -0800, Gary Funck wrote:

The way I'm invoking the virus snaggers is from the global
/etc/procmailrc,

NONDEL=TRUE
INCLUDERC=/etc/procmailrcs/virus_scan.rc
#
# If either VIR_A or VIR_B are true, a possible virus
# was seen. Dump it into the virus trap.
#
:0
* $ 1^0 TRUE ?? ^^$VIR_A^^
* $ 1^0 TRUE ?? ^^$VIR_B^^
{ VIRUS_FOUND = TRUE }

Well, in 1.5.0 there are three.  $VIR_A, _B, or _Z.


Yeah, I saw that. <g>

I think those variables will likely proliferate, and suggest a simpler
approach:

VIRUS_FOUND = TRUE if a virus was found.
VIRUS_TYPE = "..." is a string giving the type of virus found. It will
always be set to something descriptive if VIRUS_FOUND is TRUE.

However, you don't need to do the above.  The assignments
in the INCLUDERC are mutually exclusive -- there's only ever
one or none.  So this works:

   :0
   * $ TRUE ?? ^^$VIR_A$VIR_B$VIR_Z^^
   { # Virus Snaggers thinks it found a virus }

Even if the tests were not mutually exclusive, the
syntax would still work if we leave off the right-anchor:

   * $ TRUE ?? ^^$VIR_A$VIR_B$VIR_Z


Concerning the method that I used for checking the variables,
I just found the scoring method easier to read and understand.
I also found the use of $TRUE in your scripts to be a bit
counter-intuitive.


I'm running ver. 1.4.1a; 28-Jan-04.  And netsky (not mydoom) was
slipping through.

Frankly, this is the first I've heard of NetSky.  You're
mistaken if you think I watch for new viruses on the cutting
edge.  :-)

Dunno, but if you've got the best, simplest procmail virus scanner
out there, there is going to be some pressure for you to keep the scanner
up-to-date. Fortunately, most viruses aren't zip-files, so your current
scripts catch a lot of them, without having to be over-specific.

I don't even *get* very many viruses to test my
stuff on.  With MyDoom, I got not-a-one the first five days
that everybody was complaining it was killing their systems.

Yeah, we don't see many either. I guess the folks that have us
in the address book either have a clue, or we're just not in
anyone's address book. <g>



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
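As an added illustration (not part of the thread, and not Dallman's or Gary's code), here is a small Python model of how the two recipe forms discussed above behave once procmail's `$` modifier has expanded the variables. It assumes each VIR_* variable is either unset or set to the same value as TRUE, and that `^^` in a `??` condition anchors to the start and end of the variable's value.

```python
import re
from itertools import product

VIR_VARS = ("VIR_A", "VIR_B", "VIR_Z")

def expand(condition, env):
    """Mimic the `$` condition modifier: replace $VAR with its value ('' if unset)."""
    return re.sub(r"\$([A-Za-z_]\w*)", lambda m: env.get(m.group(1), ""), condition)

def var_match(value, pattern):
    """Mimic `VAR ?? regex`: procmail's ^^ anchors become Python's ^ and $."""
    if pattern.startswith("^^"):
        pattern = "^" + pattern[2:]
    if pattern.endswith("^^"):
        pattern = pattern[:-2] + "$"
    return re.search(pattern, value) is not None

def scoring_form(env):
    """Gary's recipe: one 1^0 condition per variable; fires when the score is positive."""
    score = sum(1 for v in VIR_VARS
                if var_match(env["TRUE"], expand("^^$" + v + "^^", env)))
    return score > 0

def concat_form(env):
    """Dallman's recipe: ^^$VIR_A$VIR_B$VIR_Z^^ ; relies on at most one being set."""
    return var_match(env["TRUE"], expand("^^$VIR_A$VIR_B$VIR_Z^^", env))

def compare_forms():
    """Evaluate both recipes over every set/unset combination of the VIR_* variables.
    Returns the combinations (tuples of the set names) on which the two forms disagree."""
    disagree = set()
    for flags in product((False, True), repeat=len(VIR_VARS)):
        env = {"TRUE": "TRUE"}
        for name, is_set in zip(VIR_VARS, flags):
            if is_set:
                env[name] = "TRUE"  # constructed: assumed value the snagger assigns
        if scoring_form(env) != concat_form(env):
            disagree.add(tuple(n for n, s in zip(VIR_VARS, flags) if s))
    return disagree

if __name__ == "__main__":
    for combo in sorted(compare_forms()):
        print("forms diverge when these are set together:", combo)
```

The two forms agree whenever zero or one variable is set; the concatenated form stops matching as soon as two are set at once, which is exactly the mutual-exclusivity assumption the thread mentions.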
