the "ins" and "outs" of McAfee with MailScanner

[Randal, Phil]

I was wondering about the "daily" file too.  You'd need to do some datestamp
checking to only use the dialy file if it was newer that the released .dat
file.  A good idea, nonetheless.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Denis Beauchemin
> Sent: 24 February 2004 14:06
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: the "ins" and "outs" of McAfee with MailScanner
> 
> 
> Le mar 24/02/2004 à 05:11, Tony Finch a écrit :
> > Chris Yuzik <chris at FRACTALWEB.COM> wrote:
> > >
> > >Although I'm quite familiar with ClamAV, I'm somewhat of a 
> noob when it
> > >comes to McAfee. I have a few questions:
> > >1) How often does MailScanner check the NAI site for new 
> DAT files? I
> > >couldn't seem to find anything on this.
> > 
> > That's up to your crontab.
> > 
> > >2) Is there a log file anywhere that I can look at to see 
> when the DAT
> > >files are updated?
> > 
> > The autoupdate script by default says nothing when it does nothing,
> > and produces output when it makes an update, so normal cron 
> behaviour
> > means you get an email when there's an update.
> > 
> > >3) I understand that there are DAT files, extra DAT files, and
> > >super-extra DAT files? Does MailScanner update these too? 
> Or do I have
> > >to do these manually?
> > 
> > The only one of interest to us is the extra.dat files. Unfortunately
> > using them automatically doesn't seem to be particularly 
> easy. It might
> > be possible to subscribe to NAI's notification email, pipe 
> that into a
> > script which works out what's going on and if necessary goes to the
> > new virus's web page (whose URL is in the email) to find the link to
> > the extra.dat file. But I haven't written this script.
> > 
> > Tony.
> > --
> > f.a.n.finch  <dot at dotat.at>  http://dotat.at/
> > SHANNON ROCKALL MALIN: NORTH OR NORTHWEST 5 TO 7. RAIN THEN 
> SHOWERS. MODERATE
> > OR GOOD.
> 
> Tony,
> 
> How about the daily DAT file? (see 
> http://vil.nai.com/vil/virus-4d.asp)
> 
> Do you think it could be automated in
> /usr/lib/MailScanner/mcafee-autoupdate ?
> 
> I am beginning to feel quite nervous about permitting ZIP 
> files through
> since Mydoom has caught us off guard (McAfee left us 
> unprotected for the
> first 7 hours of the Mydoom strike)...  Since then I 
> installed manually
> 2 extra.dat (Netsky and Mydoom.f) but I feel uneasy about this manual
> process (I have to react quickly to every AVERT notification 
> and I also
> have to remember to delete those extra.dat when they are no longer
> needed).
> 
> Denis
> -- 
> Denis Beauchemin, analyste
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045
>