McAfee PROBLEM !!! (solved)
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Wed Mar 3 17:14:34 GMT 2004
Many infected password-protected zip files passed through our McAfee AV
(using 4332). Nonetheless we detected 341 W32/Bagle.j at MM since
midnight.
To block password-protected zip files in my current MS
(mailscanner-4.23-11), I did the following:
- modify /usr/lib/MailScanner/mcafee-wrapper this way:
#!/bin/bash
# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2001 Julian Field
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules at JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#
# JKF Wrapper Sophos programs with the correct LD_LIBRARY_PATH
# Modified for solaris by CJG
# Then tweaked for heron by JKF again
# Then tweaked for McAfee by JKF
# Modified (badly!) by SEP398 to work with the update script
PackageDir=$1
shift
prog=uvscan # `basename $0`
datDIR=$PackageDir
LD_LIBRARY_PATH=$PackageDir
export LD_LIBRARY_PATH
if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x "${PackageDir}/$prog" ] && exit 0
  exit 1
fi
OUTPUT=$("${PackageDir}/$prog" -d "$datDIR" "$@" 2>&1)
RC=$?
if [[ "$OUTPUT" = "" ]]; then
  exit $RC
else
  echo "$OUTPUT"
  # uvscan reports an encrypted archive member as "... is password-protected."
  # without changing its exit status; return 13 (uvscan's "virus found"
  # status) so the message is handled as infected.
  if echo "$OUTPUT" | grep -q "password-protected"; then
    exit 13
  else
    exit $RC
  fi
fi
- modify /usr/lib/MailScanner/MailScanner/SweepViruses.pm this way:
in "sub ProcessMcAfeeOutput", change
return 0 unless $line =~ /Found/;
to
return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/));
- stop MailScanner and restart it
- remove any extra.dat that detects some password-protected zip files.
Denis
On Wed 03/03/2004 at 11:34, Michael Baird wrote:
> Good Question, Does DAT 4332 fix it, my understanding was that it
> handled the unzipping and so forth, and MailScanner interpreted the
> response, I'm looking for confirmation, I'm running an older version of
> MailScanner (4.25-14 I believe), I hate to upgrade unless it's
> necessary.
>
> Regards
> MIKE
>
> > Does DAT 4332 fix it?
> >
> > Phil
> > ---------------------------------------------
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > Behalf Of Desai, Jason
> > > Sent: 02 March 2004 20:56
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: McAfee PROBLEM !!!
> > >
> > >
> > > Thanks for this info - it was very helpful! I have the same results.
> > >
> > > Jason
> > >
> > > > -----Original Message-----
> > > > From: Denis Beauchemin [mailto:Denis.Beauchemin at USHERBROOKE.CA]
> > > > Sent: Tuesday, March 02, 2004 2:09 PM
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: [MAILSCANNER] McAfee PROBLEM !!!
> > > >
> > > >
> > > > Hi,
> > > >
> > > > We installed the extra.dat this morning and it was catching some
> > > > W32/Bagle.gen!pwdzip (ED) with dat 4330.
> > > >
> > > > Now that dat 4331 is out the same files are not detected as viruses
> > > > anymore!!!
> > > >
> > > > I reinstalled the extra.dat to be sure they are detected.
> > > >
> > > > Scan with 4331:
> > > > # uvscan --mime --mailbox --secure *
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR is password-protected.
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR is password-protected.
> > > >
> > > > Scan with 4331 and extra.dat:
> > > > # uvscan --mime --mailbox --secure *
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > >
> > > > Denis
> > > > --
> > > > Denis Beauchemin, analyste
> > > > Université de Sherbrooke, S.T.I.
> > > > T: 819.821.8000x2252 F: 819.821.8045
> > > >
> > >
> >
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
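The wrapper above blocks password-protected zips by matching the text uvscan prints, so it depends on the wording of a particular scanner build and DAT. An alternative check a gateway can make itself is to read the archive: the ZIP format sets general-purpose flag bit 0 on every encrypted entry, regardless of what any scanner reports. The following is an added example, not MailScanner or McAfee code; the sample message, the attachment name Document.zip, the member name WBJAMVF.SCR and the hand-built archives are all constructed here (the "encrypted" archive only has the flag bit set, its data is left in clear so the example stays self-contained). It also descends into nested zips and treats an archive it cannot parse as a hit, since a gateway should not pass what it cannot inspect.

```python
"""Flag password-protected ZIP attachments by inspecting the archive itself.

Added example (not MailScanner or McAfee code). A ZIP marks each encrypted
entry with general-purpose flag bit 0, so the check does not depend on the
text a scanner prints. All inputs below are constructed for the example.
"""
import email
import email.policy
import io
import struct
import zipfile
import zlib
from email.message import EmailMessage

ENCRYPTED = 0x0001  # general-purpose flag bit 0: the entry is encrypted
ZIP_MAGIC = b"PK\x03\x04"
DOS_DATE = ((2004 - 1980) << 9) | (3 << 5) | 2  # 2004-03-02, for the sample headers


def build_zip(entries, encrypted=False):
    """Build a minimal stored (uncompressed) ZIP from (name, bytes) pairs.

    With encrypted=True only the flag bit is set; the payload is NOT really
    encrypted (constructed test data). Real encrypted entries hold ciphertext.
    """
    flag = ENCRYPTED if encrypted else 0
    body, cdir = io.BytesIO(), io.BytesIO()
    for name, data in entries:
        nm = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = body.tell()
        # local file header (30 bytes) + name + data
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0,
                               DOS_DATE, crc, len(data), len(data), len(nm), 0))
        body.write(nm)
        body.write(data)
        # central directory header (46 bytes) + name
        cdir.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag,
                               0, 0, DOS_DATE, crc, len(data), len(data),
                               len(nm), 0, 0, 0, 0, 0, offset))
        cdir.write(nm)
    cd_offset = body.tell()
    body.write(cdir.getvalue())
    # end of central directory record (22 bytes)
    body.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                           len(entries), cdir.tell(), cd_offset, 0))
    return body.getvalue()


def encrypted_members(zip_bytes, depth=0, max_depth=3):
    """Return names of password-protected members, descending into nested
    archives (reported as outer.zip/file). Nested archives are recognised by
    their magic bytes, not their extension. An unparseable archive is reported
    as a hit rather than silently passed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    found = []
    with zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED:
                found.append(info.filename)
            elif depth < max_depth:
                with zf.open(info) as member:
                    is_zip = member.read(4) == ZIP_MAGIC
                if is_zip:
                    inner = encrypted_members(zf.read(info), depth + 1, max_depth)
                    found.extend(f"{info.filename}/{name}" for name in inner)
    return found


def scan_message(raw):
    """Map attachment name -> encrypted member names for every MIME part that
    is a ZIP by content; the declared type and extension are not trusted."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(ZIP_MAGIC):
            continue
        members = encrypted_members(payload)
        if members:
            hits[part.get_filename() or "<unnamed>"] = members
    return hits


def sample_message(encrypted):
    """Constructed lure: short body plus Document.zip holding one .scr file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "postmaster@example.test"
    msg["Subject"] = "Re: Document"
    msg.set_content("The archive password is 12345.")
    archive = build_zip([("WBJAMVF.SCR", b"not a real executable")], encrypted)
    msg.add_attachment(archive, maintype="application", subtype="octet-stream",
                       filename="Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        label = "password-protected" if flag else "plain"
        print(label, "->", scan_message(sample_message(flag)))
```

scan_message returns {"Document.zip": ["WBJAMVF.SCR"]} for the protected sample and {} for the plain one. The check covers only the ZIP container; encrypted archives in other formats would need their own header check, and a message whose attachment is damaged beyond parsing is deliberately reported rather than passed.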