Small problem

Julian Field mailscanner at ecs.soton.ac.uk
Wed Oct 27 17:22:34 IST 2004


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Denis Beauchemin wrote:

> Julian Field wrote:
>
>> Sure. Patch for SweepViruses.pm attached.
>>
>> Please let me know if it fixes the problem for you.
>>
>>
>> On 27/10/04 3:54 pm, "Denis Beauchemin"
>> <Denis.Beauchemin at USHERBROOKE.CA>
>> wrote:
>>
>>
>>
>>> Julian Field wrote:
>>>
>>>
>>>
>>>> Unfortunately that one isn't easy to fix, it comes straight from
>>>> the virus
>>>> report, and I'm not sure whether I can get at the real name safely
>>>> from
>>>> there. Judging by the fact that it's also listed in upper case, I
>>>> suspect I
>>>> can't find the safe name. The lookup table will have the lower case
>>>> version.
>>>> I can't just generally force the names to lower case as that may
>>>> cause other
>>>> filename clashes.
>>>>
>>>>
>>>> On 27/10/04 1:42 pm, "Denis Beauchemin"
>>>> <Denis.Beauchemin at USHERBROOKE.CA>
>>>> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> MS seems to forget to clean file names when a virus is detected in
>>>>> a ZIP
>>>>> file:
>>>>> Oct 27 07:56:05 132.210.244.90 MailScanner[12979]:
>>>>> /i9RBth1s025464/message.txt   .scr        Found the W32/Mabutu.a at MM
>>>>> virus !!!
>>>>> Oct 27 07:56:05 132.210.244.90 MailScanner[12979]:
>>>>> /i9RBth1s025464/message.zip/MESSAGE.TXT
>>>>> .SCR        Found the W32/Mabutu.a at MM virus !!!
>>>>>
>>>>> This is McAfee syslog output on MS 4.35.1.  The first line is OK
>>>>> but the
>>>>> second one has lots of white space...
>>>>>
>>>>>
>>>>>
>>>>
>>> Julian,
>>>
>>> Understood.  But what was really annoying me was the long file name
>>> (many spaces before the .scr).
>>>
>>> Couldn't you just sanitize this with something like s/\s+/ /g before
>>> using it in reports and logs?
>>>
>>> Denis
>>>
> Julian,
>
> It's not working.  I stopped and restarted MS and I still get the
> following in my logs (McAfee and Bitdefender output):
>
> Oct 27 12:03:28 smtpi2 MailScanner[29112]:
> /i9RG3KwO029166/message.zip/MESSAGE.TXT
> .SCR        Found the W32/Mabutu.a at MM virus !!!
>
> Oct 27 12:03:29 smtpi2 MailScanner[29112]:
> /var/spool/MailScanner/incoming/29112/./i9RG3KwO029166/message.zip=>message.txt
> .scr    infected: Win32.Mabutu.A at mm

It wasn't the syslog output I fixed, it was the output that goes in the
user report. I would rather have the genuine text in the syslog, it's
length-limited by the syslog spec anyway.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).




More information about the MailScanner mailing list