[Mimedefang] Missing virus name in bounce/discard messages
Tony Nugent
tony at linuxworks.com.au
Fri Aug 22 21:45:01 EDT 2003
On Fri Aug 22 2003 at 15:37, Jason Englander wrote:
> On Fri, 22 Aug 2003, Jon R. Kibler wrote:
>
> > Why do we not always see the virus name in the message? We are running
> > the latest rev of McAfee AV for Unix.
>
> The regex that gets the virus name from uvscan in mimedefang.pl (as it is
> in MD 2.36) catches ones like this:
>
> Found: EICAR test file NOT a virus.
> Found the W32/Sobig.f at MM virus !!!
>
> ...but not ones like this:
>
> Found the JS/Loop trojan !!!
> Found virus or variant JS/Fortnight.gen at M !!!
> Found virus or variant Unsafe Script !!!
> Found trojan or variant New UNIX-b !!!
>
> Replacing the blurb in mimedefang.pl that gets the virus name (should be
> line 2165 or so) with something like this seems to do the trick:
>
> if ($CurrentVirusScannerMessage =~ m/Found: EICAR test file/) {
>     $VirusName = "EICAR-Test";
> }
> elsif ($CurrentVirusScannerMessage =~ m/Found (.*) \!\!\!$/) {
>     $VirusName = $1;
>     $VirusName =~ s/^the //;
>     $VirusName =~ s/ virus$//;
> }
> else { $VirusName = "Unknown"; }
>
> I'm running this as of right now, I'll re-post an update if any slip through.
> If someone sees this and comes up with some uber one liner that'll do the
> same thing, let me know :-)
I've been using this for a long time with uvscan, and it has rarely
failed:
my($NaiVirusName) = short_virus_name_nai($VirusScannerMessages);
[...]
# this is specific for uvscan
sub short_virus_name_nai($) {
    my($virname) = @_;
    # keep only the first "Found ... !!!" fragment of the (possibly multi-line) report
    $virname =~ s/.*?(Found .*?) !!!.*$/$1/s;
    if ($virname =~ /Found the .*? virus/) {
        $virname =~ s/Found the (.*?) virus.*/$1/;
    }
    elsif ($virname =~ /Found virus or variant/) {
        # the original wrote this as s/Found virus or variant (.*?)/$1/, where the
        # non-greedy group captured nothing; the effect is the same: drop the prefix
        $virname =~ s/Found virus or variant //;
    }
    elsif ($virname =~ /Found the .*? trojan/) {
        $virname =~ s/Found the (.*?) trojan/$1/;
    }
    # anything else is returned as the trimmed message, never as an empty string
    return $virname;
}
(apologies for my coding style:)
Hmm... my code doesn't specifically take eicar into account, I
might modify it for handling that - although it still works to give
a sensible name. It could also be smarter about the output for when
it finds "mime exploits" (rare), although it handles that ok too.
In any case, if a specific name isn't found, the result isn't empty
but a modified $VirusScannerMessage (at least to some degree).
> I scanned 370 virus/worm/trojan samples that I have with uvscan and I didn't
> see any that wouldn't match with the updated code. The output from every one
> of them ended in " !!!" except for EICAR.
That has been my experience too.
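As an added illustration (not code from either post), the following stand-alone Perl script folds the two approaches above into one extractor and runs it over every uvscan report line quoted in this thread; the sample lines are copied from the thread and the function name is my own.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: one name extractor covering the
# uvscan output shapes quoted above, with the sample report lines embedded.
use strict;
use warnings;

# Sample uvscan report lines (constructed test input, copied from the thread).
my @samples = (
    'Found: EICAR test file NOT a virus.',
    'Found the W32/Sobig.f at MM virus !!!',
    'Found the JS/Loop trojan !!!',
    'Found virus or variant JS/Fortnight.gen at M !!!',
    'Found virus or variant Unsafe Script !!!',
    'Found trojan or variant New UNIX-b !!!',
    '/var/spool/MIMEDefang/mdefang-x/Work/msg.txt ... nothing uvscan said',
);

# Return a short name for a scanner report, or "Unknown" when no recognised
# "Found ..." pattern is present, so a filter never logs an empty or
# multi-line name.  The regex is not anchored at the start of the line, so
# uvscan's file path prefix before "Found" does not matter.
sub short_virus_name_uvscan {
    my ($msg) = @_;
    return 'EICAR-Test' if $msg =~ /Found: EICAR test file/;
    # Without /s, "." stops at a newline, so this picks the first report
    # line that ends in " !!!" even when several files were scanned.
    if ($msg =~ /Found (.*?) !!!/) {
        my $name = $1;
        # Strip the wording uvscan wraps around the actual name.
        $name =~ s/^(?:the|virus or variant|trojan or variant) //;
        $name =~ s/ (?:virus|trojan)$//;
        return $name;
    }
    return 'Unknown';
}

for my $line (@samples) {
    printf "%-52s => %s\n", $line, short_virus_name_uvscan($line);
}
```

Running it prints EICAR-Test, W32/Sobig.f at MM, JS/Loop, JS/Fortnight.gen at M, Unsafe Script, New UNIX-b and Unknown, one per sample line, which covers the "trojan or variant" case that the quoted short_virus_name_nai leaves untrimmed.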
> Jason
Cheers
Tony