Small problem
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Wed Oct 27 19:59:09 IST 2004
Julian Field wrote:
>
>
> Julian Field wrote:
>
>> Denis Beauchemin wrote:
>>
>>> Julian Field wrote:
>>>
>>>> Denis Beauchemin wrote:
>>>>
>>>>> Julian Field wrote:
>>>>>
>>>>>> Sure. Patch for SweepViruses.pm attached.
>>>>>>
>>>>>> Please let me know if it fixes the problem for you.
>>>>>>
>>>>>>
>>>>>> On 27/10/04 3:54 pm, "Denis Beauchemin"
>>>>>> <Denis.Beauchemin at USHERBROOKE.CA>
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Julian Field wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Unfortunately that one isn't easy to fix, it comes straight from
>>>>>>>> the virus
>>>>>>>> report, and I'm not sure whether I can get at the real name safely
>>>>>>>> from
>>>>>>>> there. Judging by the fact that it's also listed in upper case, I
>>>>>>>> suspect I
>>>>>>>> can't find the safe name. The lookup table will have the lower
>>>>>>>> case
>>>>>>>> version.
>>>>>>>> I can't just generally force the names to lower case as that may
>>>>>>>> cause other
>>>>>>>> filename clashes.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 27/10/04 1:42 pm, "Denis Beauchemin"
>>>>>>>> <Denis.Beauchemin at USHERBROOKE.CA>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> MS seems to forget to clean file names when a virus is
>>>>>>>>> detected in
>>>>>>>>> a ZIP
>>>>>>>>> file:
>>>>>>>>> Oct 27 07:56:05 132.210.244.90 MailScanner[12979]:
>>>>>>>>> /i9RBth1s025464/message.txt .scr Found the
>>>>>>>>> W32/Mabutu.a at MM
>>>>>>>>> virus !!!
>>>>>>>>> Oct 27 07:56:05 132.210.244.90 MailScanner[12979]:
>>>>>>>>> /i9RBth1s025464/message.zip/MESSAGE.TXT
>>>>>>>>> .SCR Found the W32/Mabutu.a at MM virus !!!
>>>>>>>>>
>>>>>>>>> This is McAfee syslog output on MS 4.35.1. The first line is OK
>>>>>>>>> but the
>>>>>>>>> second one has lots of white space...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>> Julian,
>>>>>>>
>>>>>>> Understood. But what was really annoying me was the long file name
>>>>>>> (many spaces before the .scr).
>>>>>>>
>>>>>>> Couldn't you just sanitize this with something like s/\s+/ /g
>>>>>>> before
>>>>>>> using it in reports and logs?
>>>>>>>
>>>>>>> Denis
>>>>>>>
>>>>> Julian,
>>>>>
>>>>> It's not working. I stopped and restarted MS and I still get the
>>>>> following in my logs (McAfee and Bitdefender output):
>>>>>
>>>>> Oct 27 12:03:28 smtpi2 MailScanner[29112]:
>>>>> /i9RG3KwO029166/message.zip/MESSAGE.TXT
>>>>> .SCR Found the W32/Mabutu.a at MM virus !!!
>>>>>
>>>>> Oct 27 12:03:29 smtpi2 MailScanner[29112]:
>>>>> /var/spool/MailScanner/incoming/29112/./i9RG3KwO029166/message.zip=>message.txt
>>>>>
>>>>>
>>>>>
>>>>> .scr infected: Win32.Mabutu.A at mm
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> It wasn't the syslog output I fixed, it was the output that goes in
>>>> the
>>>> user report. I would rather have the genuine text in the syslog, it's
>>>> length-limited by the syslog spec anyway.
>>>
>>>
>>>
>>>
>>>
>>> Julian,
>>>
>>> Then it is working, but it was not what I was looking for... 8-(
>>
>>
>>
>> That's a shame. I could edit every single output parser to do the same
>> trick if you like.
>
>
> Attached is a new SweepViruses.pm. Let me know how you get on.
Julian,
This is exactly what I was looking for! Muchas gracias again!
Will it be included in the next release?
Denis
--
_
°v° Denis Beauchemin, analyste
/(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x2252 F: 819.821.8045
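
An added example, not part of the thread and not code from SweepViruses.pm: one way to apply the `s/\s+/ /g` idea discussed above to the name shown in reports while leaving the raw scanner-reported name untouched for syslog and lookups. The helper name `display_name` and the sample file names are assumptions constructed for illustration; the padding lengths are made up.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not MailScanner's own code): build the version of a
# scanner-reported file name that is shown in a user report. The raw name
# is not modified, so it can still be logged or looked up unchanged.
sub display_name {
    my ($name) = @_;

    # Remember whether a run of whitespace was present: padding between a
    # harmless-looking name and the real extension is worth flagging.
    my $padded = ($name =~ /\s{2,}/) ? 1 : 0;

    # The substitution suggested in the thread: collapse whitespace runs.
    (my $shown = $name) =~ s/\s+/ /g;

    # Escape remaining control characters so a crafted name cannot inject
    # terminal sequences or break the report line.
    $shown =~ s/([\x00-\x1f\x7f])/sprintf('\\x%02x', ord($1))/ge;

    return ($shown, $padded);
}

# Constructed sample names modelled on the log lines quoted in the thread.
my @samples = (
    'message.txt' . (' ' x 40) . '.scr',
    'message.zip/MESSAGE.TXT' . (' ' x 40) . '.SCR',
    "invoice.pdf\t\t.exe",
    "note\x1b[2J.txt",
    'readme.txt',
);

for my $raw (@samples) {
    my ($shown, $padded) = display_name($raw);
    printf "%-30s raw_len=%-3d %s\n", $shown, length($raw),
        $padded ? '[whitespace padding collapsed]' : '';
}
```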