clamav and RAR..(update and feature request)

Steen, Glenn Glenn.Steen at AP1.SE
Mon Mar 7 14:08:39 GMT 2005


> -----Original Message-----
> From: MailScanner mailing list 
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Rick Cooper
> Sent: den 7 mars 2005 15:03
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: clamav and RAR..(update and feature request)
> 
> 
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of Steen, Glenn
> > Sent: Monday, March 07, 2005 8:01 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: clamav and RAR..(update and feature request)
> >
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list
> > > [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Martin Hepworth
> > > Sent: den 7 mars 2005 10:29
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: clamav and RAR..(update and feature request)
> > >
> > (snip)
> > > I caught two RAR viruses over the w/end, Sophos also picked
> > > them up. But
> > (snip)
> > > Report: ClamAV: 075466.rar contains Worm.Bagle.BA-RAR
> > >          SophosSAVI: 075466.rar was infected by Troj/BagleDl-M
> > Isn't that just a ClamAV signature for the entire RAR file?
> > We saw a few more than 2, the first couple or so found by mcafee and
> > bitdefender, and after a while by that exact clam sig.
> >
> > I don't use any version 3 capable unrar, except what bdc and uvscan
> > might be able to do (If any slip through, the second level filename
> > checks get them... And those were quiet:).
> >
> > -- Glenn (who will need to look into using the new unrar features:)
> >
> 
> I use f-prot, clamavmodule and bdc. We received 11 of these before any of
> those vendors were catching them, but I happened to get a notice from another
> list and added a check for ^[0-9]{6,}\.exe in my Archived FileName Rules
> file(s) and they were picked up. However, without the UnPackRar function your
> file name checks would have been quiet because MS would not have been able
> to unpack the file to do the tests, unless you just block all .rar files.
> 
> Rick
Thanks for the info Rick, but you misread me... We don't allow RAR files
at all and block them in the mailstore, not in MS (well, there too, but..:)

-- Glenn
> 
> 
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!
> 
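An added example, not part of the original messages and not MailScanner's code: it shows the dependency described in the thread, where a member-name rule such as `^[0-9]{6,}\.exe` only fires if the archive can be unpacked. ZIP via Python's standard library stands in for RAR here (an assumption, since the standard library has no RAR reader); the function names, the case-insensitive match and all sample names and bytes are assumptions constructed for the illustration.

```python
import io
import re
import zipfile

# Pattern quoted in the thread. Case-insensitive matching is an assumption.
RULE = re.compile(r"^[0-9]{6,}\.exe", re.IGNORECASE)


def make_zip(names):
    """Build a constructed sample archive holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


def check_attachment(data, block_unreadable=True):
    """Return (action, matched_names, names_checked) for raw attachment bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # The archive could not be opened, so no member-name rule ever ran.
        # Allowing here is the "quiet" outcome; denying is the blanket block.
        return ("deny" if block_unreadable else "allow", [], False)
    # Match on the base name so a member inside a folder is still checked.
    hits = [n for n in names if RULE.match(n.rsplit("/", 1)[-1])]
    return ("deny" if hits else "allow", hits, True)


# Constructed samples: names and bytes are illustrative only.
SAMPLES = {
    "numeric exe": make_zip(["123456.exe"]),
    "nested, upper case": make_zip(["docs/readme.txt", "docs/0987654.EXE"]),
    "no match": make_zip(["report2005.exe", "12345.exe"]),
    # Starts with the RAR signature but is not a real archive.
    "unreadable": b"Rar!\x1a\x07\x00" + b"\x00" * 64,
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, check_attachment(blob), check_attachment(blob, False))
```

The third element of the result is the one to log: `False` means the name rules never ran, so an "allow" in that case says nothing about the archive's contents.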