[Mimedefang] uvscan - detecting virus name

Jeremy McCarty jeremy at nd.edu
Tue Jun 10 15:27:01 EDT 2003


Luke,

Thanks.  We do update frequently like you do, but just because you have the
latest dat (4270) doesn't mean you are protected from the latest viruses.  For
example, 4270 doesn't include W32/Bugbear.b.dam which we've been seeing for
several days now.  It'll be included in 4271 on Wednesday, but that wasn't
soon enough for us.  Also, the extra.dat for W32/Bugbear.b was out much
earlier than the actual 4270.  There are reasons for using extra.dat.

I've also noticed there are other outputs from uvscan like:

Found trojan or variant Exploit-CodeBase !!!

which requires checking like such:

            if (($CurrentVirusScannerMessage =~ m/^\s+Found the (\S+) (\S+ )?virus/) ||
                ($CurrentVirusScannerMessage =~ m/^\s+Found .+ variant (\S+) /));

These aren't related to the use of extra.dat.


On another note, we are going to start defanging messages by renaming harmful
attachments (it's been political).  Can I ask how others have gone about this?
What do you do with attachments named like this?:

www.wpuniverse.com/vb/showthread.php?s=&threadid=9743

I was going to change any extension to .xxx_unknown which would make this
become:

www.wpuniverse.com/vb/showthread.php_unknown?s=&threadid=9743

Thanks,
Jeremy


+>Date: Tue, 10 Jun 2003 01:32:06 -0600 (MDT)
+>Subject: Re: [Mimedefang] uvscan - detecting virus name
+>From: "Lucas Albers" <admin at cs.montana.edu>
+>To: mimedefang at lists.roaringpenguin.com
+>Reply-To: mimedefang at lists.roaringpenguin.com
+>
+>Should you be running dat file auto update?
+>Scan engine v4.2.40 for Linux.
+>Virus data file v4270 created Jun 05 2003
+>Scanning for 73906 viruses, trojans and variants.
+>
+>Current : 4270
+>
+>my update shows the latest dat as 4270.
+>
+>Try the uvscan auto-update for mcafee linux virus scanner:
+>http://www.bluestream.org/Networking/McAfeeLinuxUpdate.htm
+>
+>I run it every hour, as I needed to update the scanner fast, to catch
+>viruses quick.
+>I got tired of viruses slipping by my scanner and having to reload windows.
+>--Luke
+>
+>
+>> The parsing of uvscan output doesn't account for definitions included via
+>> extra.dat.  That output includes an additional '(ED)' in both 4.1.60 and
+>> 4.2.40 engines, like:
+>>
+>> Found the W32/Bugbear.b.dam (ED) virus !!!
+>>
+>> You might want to include a change like this in the code to account for
+>> this:
+>>
+>> <           if ($CurrentVirusScannerMessage =~ m/^\s+Found the (\S+)
+>> virus/);
+>> ---
+>>>           if ($CurrentVirusScannerMessage =~ m/^\s+Found the (\S+) (\S+
+>>> )?virus/);
+>>
+>>
+>> Thanks,
+>> Jeremy
+>>
+>> --
+>> Office of Information Technologies
+>>  - Infrastructure Services
+>> University of Notre Dame
+>> jeremy at nd.edu
+>> _______________________________________________
+>> MIMEDefang mailing list
+>> MIMEDefang at lists.roaringpenguin.com
+>> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
+>>
+>
+>
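The two uvscan output forms quoted in this thread, the "(ED)" marker for extra.dat definitions and the "trojan or variant" wording, run through the regexes from the thread side by side with the original single regex, as an added example that is not part of the list posts. The sample scanner output and file paths are constructed, and the append-a-suffix rename is an assumed approach to the attachment question, not one the thread settled on.

```python
import re

# Regexes from the thread: the new pair accepts the "(ED)" extra.dat marker
# and the "trojan or variant" wording; the old single regex does not.
NEW_PATTERNS = (
    re.compile(r'^\s+Found the (\S+) (\S+ )?virus'),
    re.compile(r'^\s+Found .+ variant (\S+) '),
)
OLD_PATTERNS = (re.compile(r'^\s+Found the (\S+) virus'),)

# Constructed uvscan output (paths invented; banner and names from the thread).
SAMPLE_OUTPUT = """\
Scan engine v4.2.40 for Linux.
Virus data file v4270 created Jun 05 2003
Scanning for 73906 viruses, trojans and variants.
/tmp/Work/msg-1.exe
\tFound the W32/Bugbear.b.dam (ED) virus !!!
/tmp/Work/msg-2.htm
\tFound trojan or variant Exploit-CodeBase !!!
/tmp/Work/msg-3.txt
"""


def virus_names(output, patterns=NEW_PATTERNS):
    """Return the detection names uvscan reports, one per matching line."""
    names = []
    for line in output.splitlines():
        for pattern in patterns:
            m = pattern.match(line)
            if m:
                names.append(m.group(1))
                break
    return names


def defang_name(filename, suffix='.xxx_unknown'):
    """Assumed rename approach: append the marker instead of substituting the
    last dot-extension, so a name such as 'showthread.php?s=&threadid=9743'
    ends in the harmless suffix rather than carrying it mid-name."""
    return filename + suffix


if __name__ == '__main__':
    print('old regex:', virus_names(SAMPLE_OUTPUT, OLD_PATTERNS))
    print('new regex:', virus_names(SAMPLE_OUTPUT))
    print(defang_name('www.wpuniverse.com/vb/showthread.php?s=&threadid=9743'))
```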
