[Mimedefang] klez detection

-ray ray at ops.selu.edu
Mon Mar 31 13:53:01 EST 2003


Hello all,
I am using the following snippet in filter to detect and discard Klez
viruses:

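         # Join the part's encoded body lines and search for the signature string
         if (join("", @{$entity->body}) =~ /TVqQAAMAAAAEAAAA/) {
             md_log('klez_virus', $fname, $type);
             # Keep a copy of the whole message in quarantine, then drop it
             action_quarantine_entire_message('Caught a Klez virus');
             return action_discard();
         }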

This is until we decide on a real virus scanner.  However, I believe a few
attachments may have come through that contained the string
TVqQAAMAAAAEAAAA but were not actually Klez infected.  Has anyone seen
this before or used this technique to detect Klez?  Is there a better way
to detect Klez attachments?  Thanks for any info...

-ray
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean  				       	 http://www.r-a-y.org
Systems Engineer                    Southeastern Louisiana University
IBM Certified Specialist  	      AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
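
Added example, not part of the original post or of MIMEDefang: the string the filter searches for is the base64 encoding of the first 12 bytes of a standard DOS/PE (MZ) executable header, so the test fires on ordinary Windows executables as well as infected ones. The sample attachment body below is constructed, and matches_filter is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# The string the filter in the post searches for in the encoded body.
my $sig = 'TVqQAAMAAAAEAAAA';

# 16 base64 characters carry exactly 12 raw bytes.
my $raw = decode_base64($sig);
printf "signature bytes: %s\n",
    join ' ', map { sprintf '%02x', ord } split //, $raw;

# Interpret those bytes as the leading fields of the DOS header:
# a 2-byte magic followed by five little-endian 16-bit values.
my ($magic, $cblp, $cp, $crlc, $cparhdr, $minalloc) = unpack 'a2 v5', $raw;
printf "e_magic=%s e_cblp=0x%04x e_cp=%u e_crlc=%u e_cparhdr=%u e_minalloc=%u\n",
    $magic, $cblp, $cp, $crlc, $cparhdr, $minalloc;

# Same test as the filter, taking the list of encoded body lines.
# (hypothetical helper, named here for illustration only)
sub matches_filter {
    my @lines = @_;
    return join('', @lines) =~ /TVqQAAMAAAAEAAAA/ ? 1 : 0;
}

# Constructed sample: a harmless buffer that only shares the header bytes,
# standing in for any ordinary .exe, .scr or .dll attachment.
my $benign  = $raw . ("\0" x 52) . "harmless payload, constructed sample\n";
my @exe_enc = split /^/, encode_base64($benign);   # 76-column MIME lines

# Constructed sample: a plain text attachment, also base64-encoded.
my @txt_enc = split /^/, encode_base64("Quarterly report, nothing executable.\n");

printf "benign executable-style part flagged: %s\n",
    matches_filter(@exe_enc) ? 'yes' : 'no';
printf "text part flagged: %s\n",
    matches_filter(@txt_enc) ? 'yes' : 'no';
```

The pattern therefore identifies "base64-encoded Windows executable", not Klez; telling infected attachments from clean ones needs a virus scanner, as the post anticipates.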
