[Mimedefang] Missing virus name in bounce/discard messages
Jason Englander
jason at englanders.cc
Fri Aug 22 17:07:00 EDT 2003
On Fri, 22 Aug 2003, Jon R. Kibler wrote:
> Why do we not always see the virus name in the message? We are running
> the latest rev of McAfee AV for Unix.
The regex that gets the virus name from uvscan in mimedefang.pl (as it is
in MD 2.36) catches ones like this:
Found: EICAR test file NOT a virus.
Found the W32/Sobig.f at MM virus !!!
...but not ones like this:
Found the JS/Loop trojan !!!
Found virus or variant JS/Fortnight.gen at M !!!
Found virus or variant Unsafe Script !!!
Found trojan or variant New UNIX-b !!!
Replacing the blurb in mimedefang.pl that gets the virus name (should be
line 2165 or so) with something like this seems to do the trick:
    # EICAR is the one sample whose line does not end in " !!!"
    if ($CurrentVirusScannerMessage =~ m/Found: EICAR test file/) {
        $VirusName = "EICAR-Test";
    }
    # Everything else uvscan reports ends in " !!!"; grab what sits between
    # "Found " and the bangs, then drop the leading "the " and trailing " virus"
    elsif ($CurrentVirusScannerMessage =~ m/Found (.*) \!\!\!$/) {
        $VirusName = $1;
        $VirusName =~ s/^the //;
        $VirusName =~ s/ virus$//;
    }
    else { $VirusName = "Unknown"; }
I'm running this as of right now; I'll re-post an update if any slip through.
If someone sees this and comes up with some uber one-liner that'll do the
same thing, let me know :-)
I scanned 370 virus/worm/trojan samples that I have with uvscan and I didn't
see any that wouldn't match with the updated code. The output from every one
of them ended in " !!!" except for EICAR.
Jason
--
Jason Englander <jason at englanders.cc>
394F 7E02 C105 7268 777A 3F5A 0AC0 C618 0675 80CA
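As an added example (not part of Jason's post and not code from MIMEDefang itself), the snippet below wraps the same idea in a stand-alone Perl function and runs it over the sample uvscan lines quoted in the thread plus one constructed non-matching line. It goes slightly beyond the posted patch by also stripping the "virus or variant" / "trojan or variant" filler so the extracted name is just the detection name; the function name, the filler list and the sample array are this example's own choices.

```perl
#!/usr/bin/perl
# Added example: parse one line of uvscan output into a short virus name.
# The function name and the set of stripped filler words are assumptions
# built from the sample lines in the post, not MIMEDefang's own code.
use strict;
use warnings;

# Return a name for one uvscan output line, or "Unknown" if the line is not
# a "Found ..." report.
sub virus_name_from_uvscan {
    my ($line) = @_;
    chomp $line;

    # EICAR is the only sample line that does not end in " !!!".
    return "EICAR-Test" if $line =~ m/Found: EICAR test file/;

    if ($line =~ m/Found (.*) !!!$/) {
        my $name = $1;
        # Drop the English filler uvscan puts around the detection name.
        $name =~ s/^the //;
        $name =~ s/^(?:virus|trojan) or variant //;
        $name =~ s/ (?:virus|trojan)$//;
        return $name;
    }
    return "Unknown";
}

# Constructed sample output: the lines quoted in the post plus one line
# that should fall through to "Unknown".
my @samples = (
    "Found: EICAR test file NOT a virus.",
    "Found the W32/Sobig.f at MM virus !!!",
    "Found the JS/Loop trojan !!!",
    "Found virus or variant JS/Fortnight.gen at M !!!",
    "Found virus or variant Unsafe Script !!!",
    "Found trojan or variant New UNIX-b !!!",
    "Scanning file /tmp/example.txt: ok",
);

for my $line (@samples) {
    printf "%-50s => %s\n", $line, virus_name_from_uvscan($line);
}
```

Run it with `perl` and compare the right-hand column against the names you expect; when a new uvscan build changes its wording, add the new line to `@samples` first so the regex change is checked against every known format at once rather than discovered in production bounce messages.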