updated novarg check (Was Re: [Mimedefang] Huge messages causing "try again later")

Paul Whittney pwhittney at net.bacconsulting.com
Thu Feb 26 16:23:51 EST 2004


Lucas,

No problem, wish I could have helped more. I am happy that the novarg test
didn't break things...

I have found a better way of doing the same thing.

    # Novarg Detection - PWhittney V1.1 2/25/04
    #
    # Goes inside filter() in mimedefang-filter, which supplies $entity,
    # $fname, $ext and $type; $Subject is the global MIMEDefang sets.
    # $entity->body() returns the still transfer-encoded body lines, so a
    # base64 ZIP attachment can be fingerprinted from its first line
    # without decoding or unzipping it.
    if (lc($ext) =~ /zip/) {
        my $lines = $entity->body();
        my $found = 0;
        if (scalar(@$lines)) {
            # It has lines.... Only the first one is needed: it encodes
            # the ZIP local file header of the known samples. The .{6}
            # skips the six base64 characters carrying the DOS time/date.
            my $line = $lines->[0];
            $found = ( ($line =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) ||
                       ($line =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/) );
        }
        if ($found) {
            md_graphdefang_log('virus', "Found NoVarg Virus");
            # Change this if you don't want the subject changed:
            action_change_header('Subject', '[VIRUS?] ' . $Subject);
            action_delete_all_headers('X-Virus-Status');
            action_add_header('X-Virus-Status', "Yes, name=NoVarg");
            action_drop_with_warning(
                "Dropped $fname ($type) containing virus NoVarg."
            );
            action_quarantine($entity,
                "A known virus signature was detected, and removed\n");
            return;
        }
    }
    # end of novarg code

I'm trying to see if I can match the netsky virus the same way, but all I can
find is the EXE format, which mimedefang strips out. I'm just trying to avoid
decompressing anything, when I could match the base64 encoding... Currently
looking into Scan.pm to see if I could add parts of a zip to the scanner.

Hope this helps someone, I'm not protecting many email accounts, but the 
novarg code found 900 messages this month alone, and I've verified the 
data to be the NovArg virus, so all those bounced failure messages didn't
contain the virus... phew.

-Paul

On Thu, Feb 26, 2004 at 11:54:53AM -0800, sysadmin at omsoft.com wrote:
> Well I figured out that it has nothing to do with the Novarg code. I removed it 
> completely and the problem still occurred. However, after increasing the busy 
> timeout to 600 on the multiplexor, I have seen no more instances of the 
> problem. Thanks for your help, Paul and Michael.
> 
> Lucas
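
Added example (mine, not Paul's filter code and not part of MIMEDefang): the same first-line check done by parsing the ZIP local file header that the base64 prefix encodes, in Python, so the fingerprint is a tuple of header fields (method, CRC-32, sizes) instead of a hand-derived regex. It generalizes the regex above by ignoring the DOS time/date (the `.{6}` wildcard), the version field and the file name; the "known bad" table is built from a constructed sample archive, not a real worm.

```python
import base64
import binascii
import io
import struct
import zipfile

# ZIP local file header (30 bytes, little-endian): signature, version needed,
# flags, method, DOS time, DOS date, CRC-32, compressed size, uncompressed
# size, file name length, extra field length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")

def fingerprint_first_line(line):
    """Decode one base64 body line (76 chars -> 57 bytes, enough for the
    header) and return (method, crc32, compressed_size, uncompressed_size),
    or None if it is not a ZIP local file header. DOS time/date are skipped
    on purpose, like the .{6} wildcard in the filter's regex."""
    text = "".join(line.split())
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) < LOCAL_HEADER.size:
        return None
    f = LOCAL_HEADER.unpack_from(raw)
    if f[0] != b"PK\x03\x04":
        return None
    return (f[3], f[6], f[7], f[8])

def matches_known(encoded_lines, known):
    """True if the first transfer-encoded line (what $entity->body()->[0]
    holds in the filter) carries a fingerprint from the known-bad set."""
    return bool(encoded_lines) and fingerprint_first_line(encoded_lines[0]) in known

def make_zip_attachment(name, payload):
    """Build a stored (method 0) ZIP in memory and return its base64 body
    split into 76-column lines, as a mail client transfer-encodes it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)  # timestamp is "now", so it varies per run
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    return [b64[i:i + 76] for i in range(0, len(b64), 76)]

# Constructed stand-in for a captured worm archive; the known-bad table is
# derived from it, the way the regex above was derived from real samples.
SAMPLE_PAYLOAD = b"constructed sample body, not a real worm\n" * 16
KNOWN_BAD = {fingerprint_first_line(make_zip_attachment("doc.exe", SAMPLE_PAYLOAD)[0])}

if __name__ == "__main__":
    print(matches_known(make_zip_attachment("document.exe", SAMPLE_PAYLOAD), KNOWN_BAD))  # True
```

The match survives a renamed file and a fresh timestamp but not a repacked or edited payload, which is exactly the reach of a header-level signature like the regex.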