Wrong options for McAfee uvscan?

Desai, Jason jase at SENSIS.COM
Fri Aug 1 20:34:24 IST 2003


Hi Richard.  I don't know if this is ok, but I just received an email with
an attachment zip file too, and had the same problem.  And I too narrowed it
down to the "--mime" option.  I'm not sure if it's needed or not, but I can
confirm the problem, and I too have a sample .zip file if someone wants it.

I would guess that this is a McAfee problem though, right?

I'm running:

$ uvscan --version
Virus Scan for Linux v4.16.0
Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832  LICENSED COPY - Nov 13 2001

Scan engine v4.1.60 for Linux.
Virus data file v4281 created Jul 30 2003
Scanning for 77468 viruses, trojans and variants.

Jason

> -----Original Message-----
> From: Richard Bollinger [mailto:rabollinger at COMCAST.NET]
> Sent: Friday, August 01, 2003 3:02 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: [MAILSCANNER] Wrong options for McAfee uvscan?
>
>
> In SweepViruses.pm, the code snippet which specifies the
> options used to invoke uvscan is as
> follows:
>
> mcafee => {
>     Name => 'McAfee',
>     Lock => 'McAfeeBusy.lock',
>     CommonOptions => '--recursive --ignore-links --analyze --mime ' .
>                            '--secure --noboot',
>     DisinfectOptions => '--clean',
>     ScanOptions => '',
>     InitParser => \&InitMcAfeeParser,
>     ProcessOutput => \&ProcessMcAfeeOutput,
>     SupportScanning => $S_SUPPORTED,
>     SupportDisinfect => $S_SUPPORTED,
>   },
>
> Apparently, when you include the "--mime" option, uvscan
> misses certain viruses embedded in zip
> files... specifically, what McAfee calls the
> "Exploit-CodeBase trojan".  I have a sample zip
> file I can send off list if you need proof.
>
> I'm considering dropping --mime... we shouldn't need it
> because we already break down attachments
> into individual files before running the scanner, right?
>
> Also, per the manual page, --secure includes --analyse, so
> --analyze can be dropped as well...
> yielding the following trial patch:
>
> --- SweepViruses.pm.FCS Wed May 14 15:46:21 2003
> +++ SweepViruses.pm Fri Aug  1 14:59:18 2003
> @@ -96,7 +96,7 @@
>    mcafee => {
>      Name => 'McAfee',
>      Lock => 'McAfeeBusy.lock',
> -    CommonOptions => '--recursive --ignore-links --analyze --mime ' .
> +    CommonOptions => '--recursive --ignore-links ' .
>                             '--secure --noboot',
>      DisinfectOptions => '--clean',
>      ScanOptions => '',
>
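
Review bot: The replacement CommonOptions line drops --analyze and --mime without any comment in SweepViruses.pm saying why, so a later editor could restore either one. Suggest a short comment above CommonOptions stating that --mime is left out because uvscan missed a zip-embedded sample with it enabled, and that --analyze is left out because --secure is documented as including it. The message cites the manual page as saying --secure includes "--analyse" while the removed option is spelled "--analyze"; it is worth confirming against the installed uvscan that heuristic analysis is still active with only --secure before merging. Dropping --mime also relies on attachments already being split into individual files before the scanner runs, which the message asks about rather than confirms, so that assumption should be verified and noted in the same comment.
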
> Any reason why this shouldn't be OK?
>
> Rich B
>


