[Mimedefang] Missing virus name in bounce/discard messages

Tony Nugent tony at linuxworks.com.au
Fri Aug 22 21:45:01 EDT 2003


On Fri Aug 22 2003 at 15:37, Jason Englander wrote:

> On Fri, 22 Aug 2003, Jon R. Kibler wrote:
> 
> > Why do we not always see the virus name in the message? We are running
> > the latest rev of McAfee AV for Unix.
> 
> The regex that gets the virus name from uvscan in mimedefang.pl (as it is
> in MD 2.36) catches ones like this:
> 
> Found: EICAR test file NOT a virus.
> Found the W32/Sobig.f at MM virus !!!
> 
> ...but not ones like this:
> 
> Found the JS/Loop trojan !!!
> Found virus or variant JS/Fortnight.gen at M !!!
> Found virus or variant Unsafe Script !!!
> Found trojan or variant New UNIX-b !!!
>
> Replacing the blurb in mimedefang.pl that gets the virus name (should be
> line 2165 or so) with something like this seems to do the trick:
> 
> 	if ($CurrentVirusScannerMessage =~ m/Found: EICAR test file/) {
> 	    $VirusName = "EICAR-Test"
> 	}
> 	elsif ($CurrentVirusScannerMessage =~ m/Found (.*) \!\!\!$/) {
> 	    $VirusName = $1;
> 	    $VirusName =~ s/^the //;
> 	    $VirusName =~ s/ virus$//;
> 	}
> 	else { $VirusName = "Unknown"; }
> 
> I'm running this as of right now, I'll re-post an update if any slip through.
> If someone sees this and comes up with some uber one liner that'll do the
> same thing, let me know :-)

I've been using this for a long time with uvscan, and it has rarely
failed:

  my($NaiVirusName) = short_virus_name_nai($VirusScannerMessages);
[...]

# this is specific for uvscan: reduce $VirusScannerMessages to the name
# reported on the first "Found ... !!!" line
sub short_virus_name_nai($) {
  my($virname) = @_;
  # keep only the text from "Found" up to the trailing " !!!"
  $virname =~ s/.*?(Found .*?) !!!.*$/$1/s;
  # "Found the X virus"
  if    ($virname =~ /Found the .*? virus/)    { $virname =~ s/Found the (.*?) virus.*/$1/; }
  # "Found virus or variant X" (capture the rest of the line)
  elsif ($virname =~ /Found virus or variant/) { $virname =~ s/Found virus or variant (.*)/$1/; }
  # "Found the X trojan"
  elsif ($virname =~ /Found the .*? trojan/)   { $virname =~ s/Found the (.*?) trojan/$1/; }
  return $virname;
}

(apologies for my coding style:)

Hmm... my code doesn't specifically take eicar into account, I
might modify it for handling that - although it still works to give
a sensible name.  It could also be smarter about the output for when
it finds "mime exploits" (rare), although it handles that ok too.
In any case, if a specific name isn't found, the result isn't empty
but a modified $VirusScannerMessage (at least to some degree).

> I scanned 370 virus/worm/trojan samples that I have with uvscan and I didn't
> see any that wouldn't match with the updated code.  The output from every one
> of them ended in " !!!" except for EICAR.

That has been my experience too.

>   Jason

Cheers
Tony
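As an added example (not code from mimedefang.pl or from either poster), one sub that covers every uvscan wording quoted in this thread, including the EICAR line and the "trojan or variant" form the earlier regexes miss, and that returns "Unknown" rather than the raw scanner text when nothing matches. The sample output it checks is constructed from the lines quoted above; the "Scanning file ..." prefix is a made-up stand-in for uvscan's other output.

```perl
#!/usr/bin/perl
# Added example, not code from mimedefang.pl or from either poster.
use strict;
use warnings;

# Reduce uvscan's output to a short name for the bounce/discard message.
# Returns "Unknown" (never the raw scanner text) when no "Found" line
# matches. Only the first "Found" line is used if several parts are infected.
sub short_virus_name_uvscan {
    my ($msgs) = @_;
    for my $line (split /\n/, $msgs) {
        # EICAR is the one report that does not end in " !!!"
        return "EICAR-Test" if $line =~ /^Found: EICAR test file/;
        next unless $line =~ /^Found (.*?)\s*!!!\s*$/;
        my $name = $1;
        # "Found the X virus !!!" / "Found the X trojan !!!"
        return $1 if $name =~ /^the (.+?) (?:virus|trojan)$/;
        # "Found virus or variant X !!!" / "Found trojan or variant X !!!"
        return $1 if $name =~ /^(?:virus|trojan) or variant (.+)$/;
        return $name;    # some other "Found ... !!!" wording: keep it whole
    }
    return "Unknown";
}

# Constructed sample scanner output, built from the lines quoted in the
# thread; the "Scanning file ..." prefix is a made-up stand-in for uvscan's
# other output lines.
my %expect = (
    "Found: EICAR test file NOT a virus."              => "EICAR-Test",
    "Found the W32/Sobig.f at MM virus !!!"             => "W32/Sobig.f at MM",
    "Found the JS/Loop trojan !!!"                      => "JS/Loop",
    "Found virus or variant JS/Fortnight.gen at M !!!"  => "JS/Fortnight.gen at M",
    "Found virus or variant Unsafe Script !!!"          => "Unsafe Script",
    "Found trojan or variant New UNIX-b !!!"            => "New UNIX-b",
    "No virus found."                                   => "Unknown",
);
for my $out (sort keys %expect) {
    my $got = short_virus_name_uvscan("Scanning file part-1.exe\n$out\n");
    printf "%-4s %-22s <- %s\n", ($got eq $expect{$out} ? "ok" : "FAIL"), $got, $out;
}
```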
