'Include Scanner Name In Reports' query...

Brian May brian at UNEARTHED.ORG
Fri Apr 25 19:43:22 IST 2003


Would something like this do the job?

Replace the "Scanner Name" with Scanner

Also, for some reason, ClamAV likes to add "ClamAV: " in front of infected
files... couldn't remove the scanner name from that.. I dunno...

--[start]-------------------------
*** /usr/lib/MailScanner/MailScanner/Message.pm-orig    Fri Apr 25 09:46:22
2003
--- /usr/lib/MailScanner/MailScanner/Message.pm Fri Apr 25 11:25:06 2003
***************
*** 1845,1850 ****
--- 1845,1857 ----
    $entityreports = $this->{entityreports};
    push @everyreport, values %$allreports;
    push @everyreport, values %$entityreports;
+   foreach my $rep (@everyreport) {
+     if ($rep =~ m/^([A-Za-z0-9-]+)\: /) {
+       $rep =~ s/$1/Scanner/ig;
+     }
+   }
    $report = join('Report: ', @everyreport);

    $alltypes    = $this->{alltypes};
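
Review bot: the substitution `$rep =~ s/$1/Scanner/ig;` is unanchored, case-insensitive and global, so it rewrites every occurrence of the captured name in the report, including any that appear inside the filename or virus name, not only the leading prefix. The guard `m/^([A-Za-z0-9-]+)\: /` also requires a space after the colon, so a report of the form `SophosSAVI:TMA FORM- ...`, as quoted later in this message, passes through with the scanner name intact. A single anchored substitution such as `$rep =~ s/^[A-Za-z0-9-]+:\s*/Scanner: /;` would cover both cases and makes the separate `if` unnecessary. The loop also runs unconditionally before `$report = join('Report: ', @everyreport);`, so everything built from `$report` loses the scanner name; consider gating it on a setting or applying it only where the sender warning is assembled.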
--[end]---------------------------
----- Original Message -----
From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Friday, April 25, 2003 2:35 AM
Subject: Re: 'Include Scanner Name In Reports' query...


At 10:19 25/04/2003, you wrote:
>Hello all...
>
>I've got 'Include Scanner Name In Reports = yes' set in MailScanner.conf.
>
>In the 'admin' message (i.e. message generated when virus is intercepted)
>I see:
>
>The following e-mail messages were found to have viruses in them:
>
><snip snip>
>  MessageID: 2F18414A13B
>     Report: SophosSAVI:TMA FORM- Hsm(e) HS203.doc was infected by WM97/Ethan
>             F-Prot: /var/spool/MailScanner/incoming/27430/./2F18414A13B/TMA FORM- Hsm(e) HS203.doc  Infection: W97M/Ethan.A
>             McAfee: /2F18414A13B/TMA FORM- Hsm(e) HS203.doc        Found the W97M/Ethan.a virus !!!
>
>... which I like.
>
>However, in the message to the sender to warn them of their possible
>infection, I also see:
>
>Our virus detector has just been triggered by a message you sent:-
><snip>
>Report: SophosSAVI:TMA FORM- Hsm(e) HS203.doc was infected by WM97/Ethan
>F-Prot: TMA FORM- Hsm(e) HS203.doc  Infection: W97M/Ethan.A
>McAfee: TMA FORM- Hsm(e) HS203.doc        Found the W97M/Ethan.a virus !!!
>
>It's just a pedantic point, and one that has been mentioned before, but is
>there a way of avoiding revealing the names of the AV scanners going out to
>the senders? I think it was mentioned in the past with respect to people
>identifying which AV scanners are being used at a site... it always pays
>to be paranoid ;)
>
>Is this possible, does it involve major Perl brain surgery, or is it not a
>feature people are particularly using?

It's a real pain to do it, as currently the user reports and sysadmin
notices are built from the same array of strings. So you either get them
always or not at all. Sorry about that.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
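
The split discussed in this thread, keeping scanner names in the admin notice while hiding them from the sender, shown as an added stand-alone Perl example; it is not MailScanner code and not part of either message. The helper name `redact_for_sender` is hypothetical, and the sample report lines are constructed from the formats quoted above (the third filename is made up to show that only the prefix is rewritten).

```perl
#!/usr/bin/perl
# Added example, not MailScanner code.
use strict;
use warnings;

# Hypothetical helper: return a copy of the report strings with a leading
# "ScannerName:" prefix replaced by a neutral label. The originals are left
# untouched so the admin notice can still name each scanner.
sub redact_for_sender {
    my ($label, @reports) = @_;
    my @out;
    foreach my $rep (@reports) {
        my $copy = $rep;    # work on a copy, never on the shared string
        # Anchored, single substitution: only the prefix is changed.
        # \s* accepts both "F-Prot: file" and "SophosSAVI:file".
        # Assumption: every report line starts with a scanner prefix.
        $copy =~ s/\A[A-Za-z0-9-]+:\s*/$label: /;
        push @out, $copy;
    }
    return @out;
}

# Constructed sample reports in the three formats quoted in this thread.
my @everyreport = (
    "SophosSAVI:TMA FORM- Hsm(e) HS203.doc was infected by WM97/Ethan\n",
    "F-Prot: TMA FORM- Hsm(e) HS203.doc  Infection: W97M/Ethan.A\n",
    "McAfee: McAfee-notes.doc        Found the W97M/Ethan.a virus !!!\n",
);

my @sender_view = redact_for_sender('Scanner', @everyreport);

print "Admin notice (scanner names kept):\n";
print "  $_" for @everyreport;

print "Sender warning (scanner names hidden):\n";
print "  $_" for @sender_view;
```

In the third line the filename `McAfee-notes.doc` survives in the sender view, which an unanchored global replace of the scanner name would not guarantee.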


