Wrong options for McAfee uvscan?
Richard Bollinger
rabollinger at COMCAST.NET
Fri Aug 1 20:02:20 IST 2003
In SweepViruses.pm, the code snippet which specifies the options used to invoke uvscan is as
follows:

    mcafee => {
      Name             => 'McAfee',
      Lock             => 'McAfeeBusy.lock',
      CommonOptions    => '--recursive --ignore-links --analyze --mime ' .
                          '--secure --noboot',
      DisinfectOptions => '--clean',
      ScanOptions      => '',
      InitParser       => \&InitMcAfeeParser,
      ProcessOutput    => \&ProcessMcAfeeOutput,
      SupportScanning  => $S_SUPPORTED,
      SupportDisinfect => $S_SUPPORTED,
    },

Apparently, when you include the "--mime" option, uvscan misses certain viruses embedded in zip
files... specifically, what McAfee calls the "Exploit-CodeBase trojan". I have a sample zip
file I can send off list if you need proof.

I'm considering dropping --mime... we shouldn't need it because we already break down attachments
into individual files before running the scanner, right?

Also, per the manual page, --secure includes --analyse, so --analyze can be dropped as well...
yielding the following trial patch:

--- SweepViruses.pm.FCS Wed May 14 15:46:21 2003
+++ SweepViruses.pm Fri Aug 1 14:59:18 2003
@@ -96,7 +96,7 @@
mcafee => {
Name => 'McAfee',
Lock => 'McAfeeBusy.lock',
- CommonOptions => '--recursive --ignore-links --analyze --mime ' .
+ CommonOptions => '--recursive --ignore-links ' .
'--secure --noboot',
DisinfectOptions => '--clean',
ScanOptions => '',
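
Review bot: the new CommonOptions line drops --analyze and --mime with no comment explaining why, so a later reader may put them back. Add a short comment above it noting that --secure already includes --analyse per the manual page and that --mime caused uvscan to miss a virus inside a zip file. It would also be worth running a MIME-encoded test message through the full unpack path before merging, since the change assumes attachments are always broken into individual files before the scanner runs.
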
Any reason why this shouldn't be OK?
Rich B