[Mimedefang] Re: Mimedefang 2.7 + FileScan -> False alarms

tatooin tatooin at kelkoo.com
Mon Apr 15 12:00:06 EDT 2002


Finally, I found out a workaround.

In message_contains_virus_filescan(), I've replaced 

###
if ($virus || $scanner->suspicious) {
            # Found a virus or suspicious file, so
            # status of remaining files is moot
            closedir(DIRHANDLE);
            return (wantarray ? (1, 'virus', 'quarantine') : 1);
}
###

by:

###
if ($virus) {
            # Found a virus, so
            # status of remaining files is moot
            closedir(DIRHANDLE);
            return (wantarray ? (1, 'virus', 'quarantine') : 1);
} elsif ($scanner->suspicious) {
            # Found a suspicious file, so
            # status of remaining files is moot
            closedir(DIRHANDLE);
            return (wantarray ? (0, 'suspicious', 'ok') : 0);
}
###

So that in mimedefang-filter, I can do something like:

###
    if ($category eq "virus") {
        action_quarantine_entire_message();
        action_bounce("A Virus was found in your message. Email rejected.");
        action_notify_sender("$KnownVirusFound");
    } elsif ($category eq "suspicious") {
        action_notify_sender("Email accepted, but was suspicious.");
    }
###

Does this look OK? Or am I just breaking everything?

Also, is there any way in mimedefang-filter to retrieve the content of
$VirusScannerMessages, so that we can inform the sender of the name of
the virus we found in his mail?

Thanks !

Regards,
Vincent Jaussaud.

On Mon, 2002-04-15 at 16:30, tatooin wrote:
> Hi, 
> 
> I've just upgraded to MIMEDefang 2.7, with File Scan support.
> 
> I noticed one problem. If an attachment is tagged as "suspicious" by
> File::Scan, then the mail will be rejected. However, it seems that a lot
> of these attachments are completely clean (at least, that's what NAV
> with latest signatures says)
> 
> Is there any simple way in Mimedefang to let emails tagged as
> "suspicious" to pass through ? (a simple warning should be enough)
> 
> I noticed that such wrong alarms often occur on M$ documents.
> 
> Thanks in advance.
> 
> Regards,
> 
> -- 
> #######################################################################
> Vincent Jaussaud - Security Manager / Networks & Systems Administration
> Phone: +33 (0)4 76 29 71 63
> GSM: +33 (0)6 80 64 09 62
> AIM Nick: portsentry
> Email: Vincent.Jaussaud at kelkoo.com
> #######################################################################
> 
-- 
#######################################################################
Kelkoo.com: Security Manager / Networks & Systems Administration
Phone: +33 (0)4 76 29 71 63
GSM: +33 (0)6 80 64 09 62
AIM Nick: portsentry / Email: Vincent.Jaussaud at kelkoo.com
#######################################################################
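
An added example, not part of the original post and not MIMEDefang's own code: with the replacement shown above, the function returns at the first suspicious file, so files later in the directory are never scanned. This sketch keeps scanning and reports 'suspicious' only when no file contained a virus. `StubScanner`, `classify_files`, the fourth return value, the (0, 'ok', 'ok') clean result and the file names are constructed for illustration; the stub only mimics the `scan`/`suspicious` calls used in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a File::Scan object: scan() returns a virus
# name or '', suspicious() reports on the most recently scanned file.
package StubScanner;
sub new { my ($class, %verdicts) = @_; return bless { v => \%verdicts, last => '' }, $class }
sub scan {
    my ($self, $file) = @_;
    $self->{last} = $self->{v}{$file} // '';
    return $self->{last} =~ /^virus:(.+)/ ? $1 : '';
}
sub suspicious { my ($self) = @_; return $self->{last} eq 'suspicious' ? 1 : 0 }

package main;

# Hypothetical helper: scan every file and stop early only on a confirmed virus.
# Returns (code, category, action, detail), extending the triple used in the post.
sub classify_files {
    my ($scanner, @files) = @_;
    my @suspicious;
    for my $file (@files) {
        my $virus = $scanner->scan($file);
        # A confirmed virus outranks any earlier "suspicious" verdict.
        return (1, 'virus', 'quarantine', "$file: $virus") if $virus;
        # Remember the file, but keep going: a later file may be infected.
        push @suspicious, $file if $scanner->suspicious;
    }
    return (0, 'suspicious', 'ok', join(', ', @suspicious)) if @suspicious;
    return (0, 'ok', 'ok', '');
}

# Constructed sample: a suspicious document listed before an infected file.
my $scanner = StubScanner->new(
    'report.doc' => 'suspicious',
    'setup.exe'  => 'virus:EXAMPLE-TEST-SIGNATURE',
);
my ($code, $category, $action, $detail) =
    classify_files($scanner, 'report.doc', 'notes.txt', 'setup.exe');
print "$category ($action): $detail\n";
```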
