Fix for MyDoom-O problems

Mariano Absatz el.baby at GMAIL.COM
Tue Jul 27 21:38:35 IST 2004


On Tue, 27 Jul 2004 22:33:23 +0200, Jim Holland <mailscanner at mango.zw> wrote:
> Hi
>
> On Tue, 27 Jul 2004, Richard Lynch wrote:
>
> > As a side note on the Mydoom.O double zip issue.  F-Prot released a new
> > version for unix this past weekend.  As a result we have been catching
> > the double zip copies of Mydoom.O from the very beginning.  Even before
> > applying Julian's patch.
>
> We are using MailScanner+ClamAV, and what puzzled me was that while
> MailScanner 4.31.6 was letting these viruses through, a manual scan of the
> infected raw messages using ClamAV was always able to identify them as
> Worm.Mydoom.M (at least wef the update we received at 1600 GMT yesterday).
> MailScanner was blocking copies of Worm.Mydoom.M that were not using
> double zip files however.  Since installing the new Message.pm file no
> more copies have got through.

Well... this is (probably) because ClamAV includes signatures and a
special mode (I don't know exactly, I never use it from outside
MailScanner) that allows you to find a virus within a mail message or
a mailbox (in standard unix mailbox format).

The problem is that MailScanner never shows ClamAV the 'complete'
message, but only its constituent parts... I've been wondering for a
while if it wouldn't be a good thing to put the complete message in a
file and also give it to ClamAV for parsing... so we get the best of
both worlds...

I also never looked at the virus sweeping process in MailScanner so as
to be able to help, so I didn't try it myself... maybe I'll have time
in a couple of months... maybe Julian thinks it's a nice addition and
puts it in a future version...

--
Mariano Absatz - El Baby
el (dot) baby (AT) gmail (dot) com
el (punto) baby (ARROBA:@) gmail (punto) com

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
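
The idea raised in the message above (hand the scanner the complete message as well as its constituent parts), sketched as an added example that is not part of the original post and is not MailScanner's code. The function names, file names and the sample message with a harmless double-zipped attachment are constructed for illustration.

```python
import email
import io
import os
import tempfile
import zipfile
from email.message import EmailMessage


def build_sample_message() -> bytes:
    """Constructed sample: a harmless text file zipped twice and attached."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", "CONSTRUCTED-HARMLESS-MARKER")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed test"
    msg.set_content("see attachment")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="outer.zip")
    return msg.as_bytes()


def stage_for_scan(raw: bytes, workdir: str) -> list[str]:
    """Write the complete message plus each decoded MIME part into workdir."""
    whole = os.path.join(workdir, "message.eml")
    with open(whole, "wb") as fh:
        fh.write(raw)  # the 'complete' message, still MIME-encoded
    paths = [whole]
    for i, part in enumerate(email.message_from_bytes(raw).walk()):
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        # Name files ourselves; never trust the sender-supplied filename.
        ext = ".zip" if payload[:4] == b"PK\x03\x04" else ".bin"
        path = os.path.join(workdir, f"part{i:03d}{ext}")
        with open(path, "wb") as fh:
            fh.write(payload)
        paths.append(path)
    return paths


def staged_sample() -> list[str]:
    """Stage the constructed message in a fresh temporary directory."""
    workdir = tempfile.mkdtemp(prefix="scan-")
    return stage_for_scan(build_sample_message(), workdir)
```

The staging directory then holds both views, so a scanner pointed at it sees the raw message (where the attachment is still base64 text) and the decoded parts (where the outer zip is a real archive).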