Wrong options for McAfee uvscan?
Desai, Jason
jase at SENSIS.COM
Fri Aug 1 20:48:01 IST 2003
(Replying to my own post ...) It also seems to get by McAfee version
4.24.0, which I think is the latest available.
$ uvscan --version
Virus Scan for Linux v4.24.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Jan 27 2003
Scan engine v4.2.40 for Linux.
Virus data file v4281 created Jul 30 2003
Scanning for 77468 viruses, trojans and variants.
Jason
>
> Hi Richard. I don't know if this is ok, but I just received
> an email with
> an attachment zip file too, and had the same problem. And I
> too narrowed it
> down to the "--mime" option. I'm not sure if it's needed or
> not, but I can
> confirm the problem, and I too have a sample .zip file if
> someone wants it.
>
> I would guess that this is a mcafee problem though, right?
>
> I'm running:
>
> $ uvscan --version
> Virus Scan for Linux v4.16.0
> Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights
> reserved.
> (408) 988-3832 LICENSED COPY - Nov 13 2001
>
> Scan engine v4.1.60 for Linux.
> Virus data file v4281 created Jul 30 2003
> Scanning for 77468 viruses, trojans and variants.
>
> Jason
>
> > -----Original Message-----
> > From: Richard Bollinger [mailto:rabollinger at COMCAST.NET]
> > Sent: Friday, August 01, 2003 3:02 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: [MAILSCANNER] Wrong options for McAfee uvscan?
> >
> >
> > In SweepViruses.pm, the code snippet which specifies the
> > options used to invoke uvscan is as
> > follows:
> >
> > mcafee => {
> > Name => 'McAfee',
> > Lock => 'McAfeeBusy.lock',
> > CommonOptions => '--recursive --ignore-links --analyze --mime ' .
> > '--secure --noboot',
> > DisinfectOptions => '--clean',
> > ScanOptions => '',
> > InitParser => \&InitMcAfeeParser,
> > ProcessOutput => \&ProcessMcAfeeOutput,
> > SupportScanning => $S_SUPPORTED,
> > SupportDisinfect => $S_SUPPORTED,
> > },
> >
> > Apparently, when you include the "--mime" option, uvscan
> > misses certain viruses embedded in zip
> > files... specifically, what McAfee calls the
> > "Exploit-CodeBase trojan". I have a sample zip
> > file I can send off list if you need proof.
> >
> > I'm considering dropping --mime... we shouldn't need it
> > because we already break down attachments
> > into individual files before running the scanner, right?
> >
> > Also, per the manual page, --secure includes --analyse, so
> > --analyze can be dropped as well...
> > yielding the following trial patch:
> >
> > --- SweepViruses.pm.FCS Wed May 14 15:46:21 2003
> > +++ SweepViruses.pm Fri Aug 1 14:59:18 2003
> > @@ -96,7 +96,7 @@
> > mcafee => {
> > Name => 'McAfee',
> > Lock => 'McAfeeBusy.lock',
> > - CommonOptions => '--recursive --ignore-links --analyze
> --mime ' .
> > + CommonOptions => '--recursive --ignore-links ' .
> > '--secure --noboot',
> > DisinfectOptions => '--clean',
> > ScanOptions => '',
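Review bot: The new CommonOptions line removes --analyze and --mime together with no comment saying why, and the two removals have different justifications: --analyze is dropped as redundant next to the retained --secure, while --mime is dropped because it causes missed detections. Add a short comment above CommonOptions stating that --mime is deliberately omitted and that messages are expected to be unpacked into individual files before uvscan runs, so the flag is not re-added later. Splitting the two removals into separate changes would also make any change in detection results easier to attribute.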
> >
> > Any reason why this shouldn't be OK?
> >
> > Rich B
> >
>