Problems since the new McAfee dat file 4252

Julian Field mailscanner at ecs.soton.ac.uk
Thu Mar 13 15:04:29 GMT 2003


If you look in sweep.pl you should find a function ProcessMcAfeeOutput.

Comment out your current version (don't just delete it, you might need it
again!). Add this version:

sub ProcessMcAfeeOutput {
   my($line, $infections, $types, $BaseDir) = @_;

   my($lastline, $report, $dot, $id, $part, @rest);
   my($logout);

   chomp $line;
   $lastline = $currentline;
   $currentline = $line;

   # SEP: need to add code to log warnings
   return 0 unless $line =~ /Found/;

   # McAfee prints the whole path as opposed to
   # ./messages/part so make it the same
   $lastline =~ s/$BaseDir//;

   # make an equivalent report line from the last 2
   $report = "$lastline$currentline";
   $logout = $report;
   $logout =~ s/%/%%/g;
   #MailScanner::Log::InfoLog($logout);
   # note: '$dot' does not become '.'
   ($dot, $id, $part, @rest) = split(/\//, $lastline);
   $infections->{"$id"}{"$part"} .= $report . "\n";
   $types->{"$id"}{"$part"} .= "v";
   return 1;
}

I have commented out the "Log" line as that won't work in version 3. If you
look through your original version in sweep.pl you will soon see what that
line needs to be.

At 14:07 13/03/2003, you wrote:
>Here is a copy of the file h2DAmR5G020453.vir :
>
>Return-Path: <g>
>Received: from xx ([xx])
>         by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453
>         for <xx>; Thu, 13 Mar 2003 03:48:28 -0700
>Full-Name: Yuriy Toropin
>From: xx
>To: xx
>Subject: Meeting with representative from Vested Development Inc.
>Date: Thu, 13 Mar 2003 13:52:30 +0300
>Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0 at mxpyuriy>
>MIME-Version: 1.0
>Content-Type: text/calendar; method=REQUEST;
>         charset="utf-8"
>Content-Transfer-Encoding: 7bit
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook, Build 10.0.4024
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>Importance: Normal
>
>
>Here is the output from uvscan:
>
># uvscan --recursive --ignore-links --analyze --secure --noboot h2DAmR5G020453.vir
>/root/h2DAmR5G020453.vir
>         Found trojan or variant Exploit-CTCalendar !!!
>         Please send a copy of the file to Network Associates
>
>
>----- Original Message -----
>From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Thursday, March 13, 2003 3:14 AM
>Subject: Re: Problems since the new McAfee dat file 4252
>
>
> > At 22:49 12/03/2003, you wrote:
> > >I know I'm running a very old version of mailscanner, 3.14, which may be
> > >the problem, but since the new dat file came out, Office XP calendar
> > >meeting requests are being reported as Exploit-CTCalendar and then the
> > >scanner crashes and reports the virus again, 50-60 times a minute until I
> > >delete the message from the incoming folder. Is there anything I can do,
> > >short of upgrading to a new version, to fix this problem?
> >
> > What happens when you run mcafee on the files by hand? Can you mail me the
> > exact output please, and I'll find out what new versions do with it.
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
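
The replacement function above relies on uvscan printing a file-name line followed by a "Found" line. The stand-alone script below is an added example, not part of the original message and not MailScanner code, that applies the same pairing to a whole captured output so it can be checked offline. The helper name parse_uvscan_output, the <message-id>/<part> directory layout and the sample paths are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code: pair each uvscan "Found" line with
# the file-name line printed just before it.
use strict;
use warnings;

# Hypothetical helper. $base_dir is the directory uvscan was pointed at;
# below it, files are assumed to be laid out as <message-id>/<part>.
sub parse_uvscan_output {
    my ($base_dir, @lines) = @_;
    my (%infections, $lastline);

    for my $line (@lines) {
        chomp $line;
        if ($line =~ /Found/) {
            # A "Found" line with no file-name line before it cannot be
            # attributed to a message, so skip it rather than guess.
            next unless defined $lastline;
            my $path = $lastline;
            # \Q..\E: treat the directory as a literal string, not a regex
            $path =~ s/^\Q$base_dir\E//;
            my (undef, $id, $part) = split m{/}, $path, 3;
            next unless defined $id && defined $part;
            $infections{$id}{$part} .= "$path$line\n";
        }
        # Remember every line: the next one may be its "Found" report
        $lastline = $line;
    }
    return \%infections;
}

# Constructed sample, modelled on the uvscan output quoted in this thread.
# The directory layout and the clean second file are assumptions.
my $base = '/var/spool/MailScanner/incoming';
my @output = (
    "$base/h2DAmR5G020453/msg-1.ics\n",
    "        Found trojan or variant Exploit-CTCalendar !!!\n",
    "        Please send a copy of the file to Network Associates\n",
    "$base/h2DAmR5G020454/msg-2.txt\n",
);

my $found = parse_uvscan_output($base, @output);
for my $id (sort keys %$found) {
    for my $part (sort keys %{ $found->{$id} }) {
        print "$id / $part:\n$found->{$id}{$part}";
    }
}
```

Only the first sample file is reported; the "Please send a copy" line and the clean second file produce no entry.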


