'Include Scanner Name In Reports' query...

Julian Field mailscanner at ecs.soton.ac.uk
Fri Apr 25 20:00:27 IST 2003


At 19:43 25/04/2003, you wrote:
>Would something like this do the job?
>
>Replace the "Scanner Name" with Scanner
>
>Also, for some reason, ClamAV likes to add "ClamAV: " in front of infected
>files... couldn't remove the scanner name from that... I dunno...

Don't understand why, it's pretty much the same code in all the parsers.


>--[start]-------------------------
>*** /usr/lib/MailScanner/MailScanner/Message.pm-orig    Fri Apr 25 09:46:22
>2003
>--- /usr/lib/MailScanner/MailScanner/Message.pm Fri Apr 25 11:25:06 2003
>***************
>*** 1845,1850 ****
>--- 1845,1857 ----
>     $entityreports = $this->{entityreports};
>     push @everyreport, values %$allreports;
>     push @everyreport, values %$entityreports;
>+   foreach my $rep (@everyreport) {
>+     if ($rep =~ m/^([A-Za-z0-9-]+)\: /) {
>+       $rep =~ s/$1/Scanner/ig;
>+     }
>+   }
>     $report = join('Report: ', @everyreport);
>
>     $alltypes    = $this->{alltypes};
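
Review bot: the substitution on the added line "$rep =~ s/$1/Scanner/ig;" drops the "^" anchor of the test above it and, with the "g" and "i" flags, rewrites every case-insensitive occurrence of the captured name anywhere in the report, including inside a file name or virus name, rather than only the leading label; a single anchored "$rep =~ s/^[A-Za-z0-9-]+:\s*/Scanner: /;" does the whole job and needs no "if". The "\s*" matters because the test "m/^([A-Za-z0-9-]+)\: /" requires a space after the colon, so a report such as the "SophosSAVI:TMA FORM- ..." line quoted further down in this thread never matches and goes out with its scanner name intact. The loop also edits @everyreport in place before the join, so every notice built from that array loses the labels; if the sysadmin notice is meant to keep the names, the stripping belongs on a copy used only for the sender text, and behind the config option that turns it on.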

That would have to test 2 config options for every message to work
properly, as it needs to check that they already have the scanner name on
the front, and that they want to delete it. Quite an overhead.

>--[end]---------------------------
>----- Original Message -----
>From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Friday, April 25, 2003 2:35 AM
>Subject: Re: 'Include Scanner Name In Reports' query...
>
>
>At 10:19 25/04/2003, you wrote:
> >Hello all...
> >
> >I've got 'Include Scanner Name In Reports = yes' set in MailScanner.conf.
> >
> >In the 'admin' message (i.e. message generated when virus is intercepted)
> >I see:
> >
> >The following e-mail messages were found to have viruses in them:
> >
> ><snip snip>
> >  MessageID: 2F18414A13B
> >     Report: SophosSAVI:TMA FORM- Hsm(e) HS203.doc was infected by WM97/Ethan
> >             F-Prot:
> > /var/spool/MailScanner/incoming/27430/./2F18414A13B/TMA FORM- Hsm(e)
> > HS203.doc  Infection: W97M/Ethan.A
> >             McAfee: /2F18414A13B/TMA FORM- Hsm(e) HS203.doc        Found
> > the W97M/Ethan.a virus !!!
> >
> >... which I like.
> >
> >However, in the message to the sender to warn them of their possible
> >infection, I also see:
> >
> >Our virus detector has just been triggered by a message you sent:-
> ><snip>
> >Report: SophosSAVI:TMA FORM- Hsm(e) HS203.doc was infected by WM97/Ethan
> >F-Prot: TMA FORM- Hsm(e) HS203.doc  Infection: W97M/Ethan.A
> >McAfee: TMA FORM- Hsm(e) HS203.doc        Found the W97M/Ethan.a virus !!!
> >
> >It's just a pedantic point, and one that has been mentioned before, but is
> >there a way of avoiding revealing the names of the AV scanners going out
> >to the senders? I think it was mentioned in the past with respect to people
> >identifying which AV scanners are being used at a site... it always pays
> >to be paranoid ;)
> >
> >Is this possible, does it involve major Perl brain surgery, or is it not a
> >feature people are particularly using?
>
>It's a real pain to do it, as currently the user reports and sysadmin
>notices are built from the same array of strings. So you either get them
>always or not at all. Sorry about that.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
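
What the thread is after, as an added example that is not MailScanner's own code: strip only the leading scanner label from each report for the sender notice, leave the array the sysadmin notice is built from untouched, and then check that no label survived in the sender text. The report strings are constructed in the layout quoted above, and the function names (hide_scanner_name, sender_reports, leaked_labels) are mine.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. Builds the sender-facing copy of the
# per-scanner reports without the scanner labels while the sysadmin copy keeps
# them. Sample reports below are constructed in the layout shown in the thread.
use strict;
use warnings;

# Replace the leading "<scanner>:" label on one report with a generic label.
# Anchored at the start, so a scanner or virus name appearing later in the
# line, or inside a file name, is left alone. "\s*" also covers reports such
# as "SophosSAVI:file.doc ..." that have no space after the colon.
sub hide_scanner_name {
    my ($report) = @_;
    $report =~ s/^[A-Za-z0-9-]+:\s*/Scanner: /;
    return $report;
}

# Return a new list for the sender notice; the caller's array is untouched,
# so a sysadmin notice built from the same array still shows the names.
sub sender_reports {
    return map { hide_scanner_name($_) } @_;
}

# Check on the generated sender text: collect the labels that were on the
# original reports and return any that still appears as a "Name:" label.
sub leaked_labels {
    my ($sender_text, @originals) = @_;
    my %names = map { /^([A-Za-z0-9-]+):/ ? ($1 => 1) : () } @originals;
    return grep { $sender_text =~ /(?:^|\s)\Q$_\E:/m } sort keys %names;
}

my @everyreport = (
    'SophosSAVI:TMA FORM- Hsm(e) HS203.doc was infected by WM97/Ethan',
    'F-Prot: TMA FORM- Hsm(e) HS203.doc  Infection: W97M/Ethan.A',
    'McAfee: TMA FORM- Hsm(e) HS203.doc        Found the W97M/Ethan.a virus !!!',
);

my @for_sender  = sender_reports(@everyreport);
my $sender_text = join("\n", @for_sender) . "\n";

print "Sysadmin notice keeps the names:\n";
print "  $_\n" for @everyreport;
print "Sender notice:\n$sender_text";

my @leaked = leaked_labels($sender_text, @everyreport);
print @leaked ? "LEAK: @leaked\n" : "No scanner label left in the sender text\n";
```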


