On Fri, 14 Feb 2003, Nigel Kukard wrote:
> Most Klez infections use the IFrame exploit, so in fact the IFrame exploit
> will match before the Klez one. What we do is break up the email into all
> the MIME pieces, decode them and scan the individual portions. Most of the
> time clamscan picks up both IFrame & Klez, IFrame being the first MIME part
> of the message...

That's exactly the sort of thing I've been seeing.

Example:
/var/log/amavis/amavis-02459327/parts/msg-55339-1.html: Exploit.IFrame.HTML FOUND
/var/log/amavis/amavis-02459327/parts/msg-55339-2.pif: Worm/Klez.H FOUND
/var/log/amavis/amavis-02459327/parts/msg-55339-3.txt: OK

I was a little curious about it, but I'm glad to see that that's how it's
supposed to work.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
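
The per-part scanning described in this thread, sketched as an added example (not part of the original messages and not amavis or clamscan code). The signature names, the regex patterns and the sample message are constructed stand-ins; the part names only imitate the log lines above.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical stand-in signatures; a real scanner uses its signature database.
SIGNATURES = [
    ("Demo.IFrame.HTML", re.compile(rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.I)),
    ("Demo.TestWorm", re.compile(rb"CONSTRUCTED-TEST-MARKER")),
]

def scan_parts(raw: bytes):
    """Return [(part_name, verdict)] for every leaf MIME part, in message order."""
    msg = message_from_bytes(raw, policy=policy.default)
    leaves = (p for p in msg.walk() if not p.is_multipart())
    results = []
    for index, part in enumerate(leaves, start=1):
        # decode=True undoes base64 / quoted-printable, so the signatures
        # are matched against the real bytes, not the transfer encoding.
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or f"part-{index}.{part.get_content_subtype()}"
        hits = [sig for sig, rx in SIGNATURES if rx.search(payload)]
        results.append((name, hits[0] if hits else "OK"))
    return results

def first_detection(results):
    """The name a first-match-wins scanner would report for the whole message."""
    return next((verdict for _, verdict in results if verdict != "OK"), None)

def build_sample() -> bytes:
    """Constructed sample: HTML part, base64-encoded attachment, text part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content('<html><iframe src="cid:abc123"></iframe></html>', subtype="html")
    msg.make_mixed()
    msg.add_attachment(b"CONSTRUCTED-TEST-MARKER", maintype="application",
                       subtype="octet-stream", filename="sample.pif")
    msg.add_attachment("harmless text\n")
    return msg.as_bytes()

if __name__ == "__main__":
    results = scan_parts(build_sample())
    for name, verdict in results:
        print(f"{name}: {verdict}")
    print("reported for message:", first_detection(results))
```

Because the HTML part comes first, a scanner that stops at the first hit reports the IFrame-style name even though the attachment also matches; the attachment's marker is only visible after base64 decoding.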

