anomy-list

Re: Re: zip files from W32/Mydoom@MM

From: Rick Johnson (111744@xyz.molar.is)
Date: Tue 27 Jan 2004 - 18:19:39 GMT

    Thomas von Hassel wrote:
    >>
    >> You need the 4139 DAT. I had to download their daily untested yesterday
    >> in order to "catch" the virus. 4139 was released last night, which
    >> appears to be catching it.
    >>
    >> Fortunately, SpamAssassin's Bayesian filter caught on soon enough, and at
    >> least flagged a good portion as spam which should help deter any users
    >> which got the attachment before I was able to update my DATs myself.
    >>
    >
    > hmm, weird, I've got 4139 and a couple of *.zip files I fed through
    > uvscan came back negative ...

    Make sure you scan with the --secure flag to have it force opening of
    archives.

    Within sanitizer, I hand off to a wrapper script which calls:

    /usr/local/bin/uvscan --clean --noexpire --secure - $1

    My sanitizer line looks like:

    file_list_X_scanner = 0:19:12,13:/usr/local/bin/uvscan.sh %FILENAME

    Exit codes: 0 is clean, 19 is "found but cleaned", 12 is "tried to
    clean, but still infected", and 13 is "one or more hostile objects found,
    not cleaned".

    man uvscan for more info.

    HTH,
    -Rick

    -- 
    Rick Johnson, RHCE #807302311706007 - 111744@xyz.molar.is
    Linux/Network Administrator - Medata, Inc.
    PGP Public Key: https://mail.medata.com/pgp/rjohnson.asc
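An added example, not Rick's wrapper script (which the message does not show): it parses the leading `clean:cleaned:infected` exit-code fields of a `file_list_X_scanner` line as the message explains them, and wraps the uvscan call so that any status outside those lists is handed back to sanitizer as 13 instead of passing unrecognised. The field layout and the fail-closed mapping are assumptions, not something the message states.

```shell
#!/bin/sh
# Added example: classify a scanner exit status against an Anomy-style
# "clean:cleaned:infected" spec and wrap uvscan so unknown codes fail closed.

# in_list CODE LIST  -- true if CODE appears in the comma-separated LIST
in_list() {
    _code=$1; _list=$2; _saved_ifs=$IFS
    IFS=,
    for _c in $_list; do
        if [ "$_c" = "$_code" ]; then IFS=$_saved_ifs; return 0; fi
    done
    IFS=$_saved_ifs
    return 1
}

# classify SPEC CODE -- prints clean | cleaned | infected | unknown
# SPEC is the "0:19:12,13" part of the file_list_X_scanner line (assumed layout).
classify() {
    _spec=$1; _code=$2
    _clean=${_spec%%:*};   _rest=${_spec#*:}
    _cleaned=${_rest%%:*}; _infected=${_rest#*:}
    if in_list "$_code" "$_clean"; then echo clean
    elif in_list "$_code" "$_cleaned"; then echo cleaned
    elif in_list "$_code" "$_infected"; then echo infected
    else echo unknown
    fi
}

# map_status CODE -- status to return to sanitizer: pass through codes it
# knows, turn anything else (scanner error, expired DAT, etc.) into 13.
map_status() {
    case $(classify "0:19:12,13" "$1") in
        unknown) echo 13 ;;
        *)       echo "$1" ;;
    esac
}

# scan FILE -- wrapper body: run uvscan with the flags from the message,
# then hand sanitizer the mapped status.
scan() {
    /usr/local/bin/uvscan --clean --noexpire --secure - "$1" >/dev/null 2>&1
    _st=$?
    return "$(map_status "$_st")"
}
```

Point the sanitizer line at this script (`file_list_X_scanner = 0:19:12,13:/path/to/wrapper.sh %FILENAME`) and every run either lands in one of the three listed classes or is treated as hostile.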