Small problem

Julian Field mailscanner at ecs.soton.ac.uk
Wed Oct 27 20:06:47 IST 2004



Denis Beauchemin wrote:

> Julian Field wrote:
>
>>
>>
>> Julian Field wrote:
>>
>>> Denis Beauchemin wrote:
>>>
>>>> Julian Field wrote:
>>>>
>>>>> Denis Beauchemin wrote:
>>>>>
>>>>>> Julian Field wrote:
>>>>>>
>>>>>>> Sure. Patch for SweepViruses.pm attached.
>>>>>>>
>>>>>>> Please let me know if it fixes the problem for you.
>>>>>>>
>>>>>>>
>>>>>>> On 27/10/04 3:54 pm, "Denis Beauchemin"
>>>>>>> <Denis.Beauchemin at USHERBROOKE.CA>
>>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Julian Field wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Unfortunately that one isn't easy to fix, it comes straight from the virus
>>>>>>>>> report, and I'm not sure whether I can get at the real name safely from
>>>>>>>>> there. Judging by the fact that it's also listed in upper case, I suspect I
>>>>>>>>> can't find the safe name. The lookup table will have the lower case version.
>>>>>>>>> I can't just generally force the names to lower case as that may cause other
>>>>>>>>> filename clashes.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 27/10/04 1:42 pm, "Denis Beauchemin"
>>>>>>>>> <Denis.Beauchemin at USHERBROOKE.CA>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> MS seems to forget to clean file names when a virus is detected in a ZIP
>>>>>>>>>> file:
>>>>>>>>>> Oct 27 07:56:05 132.210.244.90 MailScanner[12979]:
>>>>>>>>>> /i9RBth1s025464/message.txt   .scr        Found the
>>>>>>>>>> W32/Mabutu.a at MM
>>>>>>>>>> virus !!!
>>>>>>>>>> Oct 27 07:56:05 132.210.244.90 MailScanner[12979]:
>>>>>>>>>> /i9RBth1s025464/message.zip/MESSAGE.TXT
>>>>>>>>>> .SCR        Found the W32/Mabutu.a at MM virus !!!
>>>>>>>>>>
>>>>>>>>>> This is McAfee syslog output on MS 4.35.1.  The first line is OK but the
>>>>>>>>>> second one has lots of white space...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> Julian,
>>>>>>>>
>>>>>>>> Understood.  But what was really annoying me was the long file name
>>>>>>>> (many spaces before the .scr).
>>>>>>>>
>>>>>>>> Couldn't you just sanitize this with something like s/\s+/ /g before
>>>>>>>> using it in reports and logs?
>>>>>>>>
>>>>>>>> Denis
>>>>>>>>
>>>>>> Julian,
>>>>>>
>>>>>> It's not working.  I stopped and restarted MS and I still get the
>>>>>> following in my logs (McAfee and Bitdefender output):
>>>>>>
>>>>>> Oct 27 12:03:28 smtpi2 MailScanner[29112]:
>>>>>> /i9RG3KwO029166/message.zip/MESSAGE.TXT
>>>>>> .SCR        Found the W32/Mabutu.a at MM virus !!!
>>>>>>
>>>>>> Oct 27 12:03:29 smtpi2 MailScanner[29112]:
>>>>>> /var/spool/MailScanner/incoming/29112/./i9RG3KwO029166/message.zip=>message.txt
>>>>>>
>>>>>>
>>>>>>
>>>>>> .scr    infected: Win32.Mabutu.A at mm
>>>>>
>>>>> It wasn't the syslog output I fixed, it was the output that goes in the
>>>>> user report. I would rather have the genuine text in the syslog, it's
>>>>> length-limited by the syslog spec anyway.
>>>>
>>>> Julian,
>>>>
>>>> Then it is working, but it was not what I was looking for... 8-(
>>>
>>> That's a shame. I could edit every single output parser to do the same
>>> trick if you like.
>>
>>
>>
>> Attached is a new SweepViruses.pm. Let me know how you get on.
>
>
>
> Julian,
>
> This is exactly what I was looking for!  Muchas gracias again!
>
> Will it be included in the next release?

Definitely. Next release will be the stable one for November.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
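
The approach discussed in this thread, sketched in Perl as an added example (it is not the attached SweepViruses.pm patch or MailScanner's own code): whitespace runs in the reported file name are collapsed for the user report only, the log keeps the genuine text, and case is never folded. The sample lines, the message id, and the helpers `parse_line` and `display_name` are constructed or hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines modelled on the scanner output quoted in the thread
# (message id and padding width are made up for illustration).
my @report_lines = (
    "/i9EXAMPLE000001/message.txt   .scr        Found the W32/Mabutu.a at MM virus !!!",
    "/i9EXAMPLE000001/message.zip/MESSAGE.TXT" . (" " x 60)
        . ".SCR        Found the W32/Mabutu.a at MM virus !!!",
);

# Collapse whitespace runs for display only. Case is left alone: folding it
# could make two distinct attachment names collide, as noted in the thread.
sub display_name {
    my ($raw) = @_;
    (my $clean = $raw) =~ s/\s+/ /g;
    $clean =~ s/^ | $//g;          # at most one space is left at either end
    return $clean;
}

# Hypothetical parser: split "<path> Found the <virus> virus !!!" into parts.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ m{^(/.+?)\s+Found the (.+) virus !!!$};
    return { raw => $1, virus => $2 };
}

for my $line (@report_lines) {
    my $hit = parse_line($line) or next;
    my $shown = display_name($hit->{raw});
    # The log keeps the genuine text; the user report gets the compact form.
    printf "syslog : %s\n", $hit->{raw};
    printf "report : %s (%s), name length %d -> %d\n",
        $shown, $hit->{virus}, length($hit->{raw}), length($shown);
    # Padding before the last extension is worth flagging in its own right:
    # it pushes the real extension out of view in many mail clients.
    print  "note   : whitespace padding precedes the final extension\n"
        if $hit->{raw} =~ /\s{2,}\.\w+$/;
}
```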
