Myparty Strangeness

Julian Field jkf at ecs.soton.ac.uk
Wed Jan 30 14:16:49 GMT 2002


At 14:07 30/01/2002, you wrote:
>The problem is not there.  I do have the extras.dat that includes myparty
>updates.  I run two versions of 'virus scanning of email': MailScanner at
>home, amavis at work, both using McAfee uvscan.  Amavis is currently
>blocking myparty, MailScanner is not.
>
>Scan engine v4.1.60 for Linux.
>Virus data file v4183 created Jan 24 2002
>Scanning for 59703 viruses, trojans and variants.
>Using /usr/local/uvscan/extra.dat to scan for 2 additional virus(es).

This has to be some weird McAfee problem, as Sophos happily detects it. I
wonder if McAfee is producing some strange output that is not picked up
correctly by the parser? If you feel up to it, could you try the following:

Edit sweep.pl, and look for the definition of ProcessMcAfeeOutput. Change
the start of that function so it looks like this:

sub ProcessMcAfeeOutput {
   my($line, $infections, $types, $BaseDir) = @_;

   my($lastline, $report, $dot, $id, $part, @rest);

   chomp $line;
   print STDERR "McAfee says \"$line\"\n"; # INSERT THIS LINE
   $lastline = $currentline;
   $currentline = $line;

then run MailScanner from the command line (using the check_mailscanner
script). Send the server a copy of MyParty and mail me the output. It
should show something about MyParty...

This will tell us what McAfee actually outputs, so we can check that the
parser is correctly catching the notification.

>----- Original Message -----
>From: "Quentin Campbell" <Q.G.Campbell at NEWCASTLE.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Wednesday, January 30, 2002 7:19 AM
>Subject: Re: Myparty Strangeness
>
>
> > Nick
> >
> > I wonder if the problem lies with the particular ".DAT" file used by
> > uvscan?
> >
> > The MyParty virus signature is not recognised by any NAI ".DAT" files
> > prior to 4184, due out on 30/1/2002. You need a special "extras" .DAT
> > file from them to recognise this virus until 4184 is released.
> >
> > You can send a test message to me as we run MailScanner with uvscan.
> >
> > Quentin
> > ---
> > PHONE: +44 191 222 8209    Computing Service, University of Newcastle
> > FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
> > ------------------------------------------------------------------------
> > "Any opinion expressed above is mine. The University can get its own."
> >
> > > -----Original Message-----
> > > From: Nick Phillips [mailto:nwp at LEMON-COMPUTING.COM]
> > > Sent: 30 January 2002 12:12
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: Myparty Strangeness
> > >
> > >
> > > On Tue, Jan 29, 2002 at 08:18:55PM -0500, Alex Short wrote:
> > >
> > > > When someone sends me myparty, it changes myparty.yahoo.com
> > > > whichever to AB283.dat or something along those lines.  It doesn't
> > > > detect any type of virus either, but if I save AB283.dat then scan
> > > > it, it's myparty.
> > >
> > > I've sent Alex the EICAR.COM test "virus" uuencoded in the
> > > body of the message to see whether that gets detected. Maybe
> > > uvscan just doesn't pick up on uuencoded stuff embedded in
> > > plain text - anybody else with uvscan care to try it?
> > > --
> > > Nick Phillips -- nwp at lemon-computing.com
> > > Excellent day for putting Slinkies on an escalator.
> > >
> >

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ


