On Wed, Feb 25, 2004 at 10:02:55AM -0500, Bob George wrote:
> Dallman Ross <dman(_at_)nomotek(_dot_)com> wrote:
> > Me, I can't understand what all the hullabaloo is about, since I
> > don't know of a virus that wouldn't be an encoded attachment of some
> > kind (possibly uuencode, if not MIME); and if you're looking at
> > attachments already, then you're 5/6 there.
>
> There's no reason these approaches can't be used in complementary
> fashion. Use the fast and efficient procmail rules for first-level
> screening of well-known patterns, clamav/bitdefender and other viable
> anti-virus scanners for heuristic and advanced scanning/detection,

Yes, thanks, Bob. This is essentially what I was going to answer
Robert Allerstorfer with in his question about my Virus Snaggers. I
plan to continue to maintain the plug-in. And to continue improving
it. But I don't know that I plan to hunt, ever-vigilantly, for newer,
wider-ranging, several-hundred-byte 7-bit viral-signature regexes that
are ever-mutating. That was never really the goal or the point of Virus
Snaggers. It is the goal and the point of clams(d)?scan, however; which
is why I'd do just what you said: run what one easily *can* run inside
procmail, and then, on an as-needed basis, fork out to a sturdier
tool for a specific job.

In short, my plug-in can easily stop whatever extension-types one
wishes to stop. But blocking all ZIPs is not a baby-with-the-
bathwater solution; and identifying just which ZIPs contain
viruses and which don't is difficult to do with satisfactory
accuracy in a procmail-only solution. That seems a no-brainer.

What I *will* do soon (maybe today or tomorrow) with VS is have it spit
out a variable if there's an attachment at all. That way, one can run
VS, and on non-virus-tagged output that are attachments one can next run
clamscan or whatever.

Dallman
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
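
The tiered screening discussed in this thread, sketched in Python as an added example; it is not part of the original post and is not Virus Snaggers or a procmail recipe. The extension list, the function names and the three sample messages are assumptions constructed for illustration: a cheap first pass blocks listed extensions, reports whether any MIME or uuencoded attachment is present, and only those messages would go on to a scanner such as clamscan.

```python
import email
import re
from email import policy

# Assumed block list for illustration; not taken from Virus Snaggers.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
# A uuencoded file starts with "begin <mode> <filename>" inside a text body.
UUENCODE_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S.*)$", re.MULTILINE)

def attachment_names(msg):
    """Return names of MIME attachments and uuencoded blocks found in msg."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename or part.get_content_maintype() != "text":
            # Any named part or non-text leaf counts, even without a filename.
            names.append(filename or "(unnamed)")
        else:
            # uuencode sits outside the MIME structure, so search the text.
            names.extend(UUENCODE_BEGIN.findall(part.get_content()))
    return names

def triage(raw_message):
    """First pass: 'block', 'scan' (hand to the heavier scanner) or 'deliver'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = attachment_names(msg)
    if any(name.lower().endswith(BLOCKED_EXTENSIONS) for name in names):
        return "block"
    return "scan" if names else "deliver"

# Constructed sample messages (not real mail).
PLAIN_MAIL = "From: a@example.org\nSubject: hi\n\njust text\n"
UU_MAIL = ("From: a@example.org\nSubject: hi\n\nsee below\n"
           "begin 644 Setup.EXE\n#0V%T\n`\nend\n")
ZIP_MAIL = ("From: a@example.org\nSubject: report\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nsee attached\n"
            "--b1\nContent-Type: application/zip\n"
            'Content-Disposition: attachment; filename="report.zip"\n'
            "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN_MAIL), ("uuencode", UU_MAIL), ("zip", ZIP_MAIL)):
        print(label, "->", triage(raw))
```

The ZIP message comes back as `scan` rather than `block`: the cheap pass cannot tell whether the archive is infected, which is the case where the thread suggests forking out to the scanner.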