Filename User Report Text Used for Virus: Rule Matching
Derek Winkler
dwinkler at ALGORITHMICS.COM
Tue Jun 1 19:03:15 IST 2004
Not sure if this is a feature or a bug...
Had a user who wanted to get past the sender's blocking rules and decided to
rename a .zip to .zi.
On my system I have a rule in filename.rules.conf which blocks this
extension as a possible Sobig variant.
I also use a ruleset for "Quarantine Infections".
Turns out it used the user report text in filename.rules.conf to match
against Virus: lines in the ruleset.
Since filename.rules.conf uses 'Potential "WORM_SOBIG" Virus Variant' as the
user report text and the rules have the line "Virus: Sobig no" the
attachment was not quarantined.
Not really a problem now that I know about it but maybe adding a comment to
filename.rules.conf that user report text is used to match against Virus:
rules would be helpful.
Thanks,
Derek Winkler
Security Administrator
Algorithmics
185 Spadina Ave
Toronto, Ontario
Canada
M5T 2C6
Phone: 416-217-4107
Fax: 416-971-6100
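The interaction described in the post can be checked for ahead of time. The following is an added example, not code from the original post or from MailScanner: it assumes filename.rules.conf lines are tab-separated (action, filename regex, log text, user report text) and that a Virus: pattern is matched against the report text as a case-insensitive substring. The sample rules are constructed; only the Sobig report text and the "Virus: Sobig no" line come from the post.

```python
import re

# Constructed sample in the assumed tab-separated layout of filename.rules.conf:
# action, filename regex, log text, user report text. The regexes are made up.
FILENAME_RULES = (
    'deny\t\\.zi$\tPossible Sobig variant\tPotential "WORM_SOBIG" Virus Variant\n'
    'deny\t\\.scr$\tScreensaver\tWindows screensavers are often malicious\n'
    '# comment line\n'
)
# Constructed "Quarantine Infections" ruleset; only the Virus: line is from the post.
QUARANTINE_RULESET = (
    'Virus:\tSobig\tno\n'
    'FromOrTo:\tdefault\tyes\n'
)

def parse_filename_rules(text):
    """Yield (filename_regex, user_report_text) for each rule line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = re.split(r'\t+', line)
        if len(fields) >= 4:
            yield fields[1], fields[3]

def parse_virus_rules(text):
    """Yield (pattern, value) for each Virus: line of a ruleset."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].lower() == 'virus:':
            yield fields[1], fields[2]

def find_collisions(filename_rules, ruleset):
    """List filename rules whose report text a Virus: pattern also matches.
    Assumption: the match is a case-insensitive substring test."""
    hits = []
    for regex, report in parse_filename_rules(filename_rules):
        for pattern, value in parse_virus_rules(ruleset):
            if pattern.lower() in report.lower():
                hits.append((regex, report, pattern, value))
    return hits

if __name__ == '__main__':
    for regex, report, pattern, value in find_collisions(FILENAME_RULES, QUARANTINE_RULESET):
        print(f'{regex!r}: report text {report!r} matches "Virus: {pattern} {value}"')
```

Any hit whose ruleset value is "no" marks a filename rule whose blocked attachments would skip quarantine, as happened with the renamed .zi file.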