From: Dallman Ross
Sent: Friday, February 20, 2004 11:18 AM
On Fri, Feb 20, 2004 at 09:37:15AM -0800, Gary Funck wrote:
The way I'm invoking the virus snaggers is from the global
/etc/procmailrc,
NONDEL=TRUE
INCLUDERC=/etc/procmailrcs/virus_scan.rc
#
# If either VIR_A or VIR_B are true, a possible virus
# was seen. Dump it into the virus trap.
#
:0
* $ 1^0 TRUE ?? ^^$VIR_A^^
* $ 1^0 TRUE ?? ^^$VIR_B^^
{ VIRUS_FOUND = TRUE }
Well, in 1.5.0 there are three. $VIR_A, _B, or _Z.
Yeah, I saw that. <g>
I think those variables will likely proliferate, and suggest a simpler
approach:
VIRUS_FOUND = TRUE if a virus was found.
VIRUS_TYPE = "..." is a string giving the type of virus found. It will
always be set to something descriptive if VIRUS_FOUND is TRUE.
However, you don't need to do the above. The assignments
in the INCLUDERC are mutually exclusive -- there's only ever
one or none. So this works:
:0
* $ TRUE ?? ^^$VIR_A$VIR_B$VIR_Z^^
{
  # Virus Snaggers thinks it found a virus
}
Even if the tests were not mutually exclusive, the
syntax would still work if we leave off the right-anchor:
* $ TRUE ?? ^^$VIR_A$VIR_B$VIR_Z
Concerning the method that I used for checking the variables,
I just found the scoring method easier to read and understand.
I also found the use of $TRUE in your scripts to be a bit
counter-intuitive.
I'm running ver. 1.4.1a; 28-Jan-04. And netsky (not mydoom) was
slipping through.
Frankly, this is the first I've heard of NetSky. You're
mistaken if you think I watch for new viruses on the cutting
edge. :-)
Dunno, but if you've got the best, simplest procmail virus scanner
out there, there is going to be some pressure for you to keep the scanner
up-to-date. Fortunately, most viruses aren't zip-files, so your current
scripts catch a lot of them, without having to be over-specific.
I don't even *get* very many viruses to test my
stuff on. With MyDoom, I got not-a-one the first five days
that everybody was complaining it was killing their systems.
Yeah, we don't see many either. I guess the folks that have us
in the address book either have a clue, or we're just not in
anyone's address book. <g>
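As an added example (not code from the thread or from the Virus Snaggers package), here is a complete global /etc/procmailrc fragment that applies the single-condition check discussed above and quarantines the match. It assumes, as the thread does, that virus_scan.rc sets at most one of VIR_A, VIR_B, VIR_Z to the value of TRUE; the log file path, the quarantine mbox path and the NL variable are my own placeholders.

```procmail
# Added example: global /etc/procmailrc fragment (not from the thread).
# Assumes virus_scan.rc sets at most one of VIR_A, VIR_B, VIR_Z to $TRUE.
LOGFILE=/var/log/procmail-virus.log     # assumed path
VIRUS_TRAP=/var/mail/virus-trap         # assumed quarantine mbox
NL="
"                                       # newline for LOG entries

NONDEL=TRUE                             # as in the thread's config
INCLUDERC=/etc/procmailrcs/virus_scan.rc

# With exactly one VIR_* variable holding $TRUE the expanded regex is
# ^^$TRUE^^, which matches the contents of TRUE.  With none set the
# regex is ^^^^, which matches only an empty string, so a non-empty
# TRUE does not match and clean mail passes through untouched.
:0
* $ TRUE ?? ^^$VIR_A$VIR_B$VIR_Z^^
{
  VIRUS_FOUND=TRUE
  # Assigning LOG writes the text to $LOGFILE: keeps an audit trail
  # of what was quarantined and why.
  LOG="Virus Snaggers match, quarantined to $VIRUS_TRAP$NL"

  # Deliver into the trap mbox with a lockfile (the trailing colon).
  :0 :
  $VIRUS_TRAP
}
```

Because the condition uses the `$` modifier, the three variables are expanded before the regex is compiled, so an unset variable simply contributes nothing to the pattern; the block then does the "dump it into the virus trap" step the thread mentions rather than only setting a flag.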
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail