Hi All, I am running on a FreeBSD 5.0 System. I have installed ClamAV antivirus / qmail-scanner according to http://clamav.elektrapro.com/doc/FreeBSD-HowTo/qmail-scanner-how-to.html .
But I am still getting all of the .pif viruses. Shown below is a copy of my quarantine-attachments.txt file.

# Sample of well-known viruses that perlscan_scanner can use
#
# This is case-insensitive, and TAB-delimited.
#
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after
# this file is modified
# ******
#
# Format: three columns
#
# filename<TAB>size (in bytes)<TAB>Description of virus/whatever
#
# OR:
#
# string<TAB>Header<TAB>Description of virus/whatever
#
# [this one allows you to match on (e.g.) Subject line.
#
# NOTE 1: This is the crudest "virus scanning" you can do - we are
# arbitrarily deciding that particular filenames of certain sizes contain
# viruses - when they may not. However this can be useful for the times
# when a new virus is discovered and your scanner cannot detect it (yet).
#
# NOTE 2: This is only good for picking up stand-alone viruses like the
# following. Macro viruses are impossible to detect with this method as
# they infect users docs.
#
# NOTE 3: Wildcards are supported. This system can also be used to deny
# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other
# wildcard type is supported. Be very careful with this feature. With
# wildcards, the size field is ignored (i.e. any size matches).
#
# .exe 0 Executable attachment too large
#
# That would ban .EXE files from your site (but would
# still allow .zip files...
#
# .mp3 0 MP3 attachments disallowed
#
# ...would stop any Email containing MP3 attachments passing.
#
# NOTE 4: No you can't use this to ban any file (i.e. *.*) that's over
# a certain size - you should
# "echo 10000000 > /var/qmail/control/databytes"
# to set the maximum SMTP message size to 10Mb.
#
# NOTE 5: The second option allows you to match on header. This would allow
# you to block Email viruses when you don't know anything else other than
# there's a weird Subject line (or From line, or X-Spanska: header, ...).
# Note that it's a case-sensitive, REGEX string, and the system will
# automatically surround it with ^ and $ before matching. i.e. if you
# want wildcards, explicitly put them in...
#
# The string _must_be_ "Virus-" followed by the header you wish to match
# on - followed by a colon (:).
#
# e.g.
#
# Pickles.*Breakfast Virus-Subject: Fake Example Pickles virus
#
# will match "Subject: Pickles for Breakfast" - and
# not "Subject: Pickles - where did you go?"
#
#
# NOTE 6: Similar to the headers option, you can match on the mail ENVELOPE
# headers - i.e. "MAIL FROM:" and "RCPT TO:". These are identical to
# Virus-<header>, except that the header names are MAILFROM and RCPTTO only.
#
# e.g.
#
# [EMAIL PROTECTED] Virus-MAILFROM: Bad mail envelope not allowed here!
#
# NOTE 7: Another "faked" header - "Virus-TCPREMOTEIP" can be used to match
# actions against the IP address of the SMTP client.
#
EICAR.COM	69	EICAR Test Virus
Happy99.exe	10000	Happy99 Trojan
zipped_files.exe	120495	W32/ExploreZip.worm.pak virus
ILOVEYOU	Virus-Subject:	Love Letter Virus/Trojan
#The following matches Date: headers that are over 100 chars in length
#these are impossible in the wild
.{100,}	Virus-Date:	MIME Header Buffer Overflow
.{100,}	Virus-Mime-Version:	MIME Header Buffer Overflow
.{100,}	Virus-Resent-Date:	MIME Header Buffer Overflow
#
#Let's stop that nasty BadTrans virus from uploading your keystrokes...
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
cite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
atka.net|[EMAIL PROTECTED] Virus-To: BadTrans Trojan exploit!
#
# These are examples of prudent defaults to set for most sites.
# Commented out by default
.vbs	0	VBS files not allowed per Company security policy
.lnk	0	LNK files not allowed per Company security policy
.scr	0	SCR files not allowed per Company security policy
.wsh	0	WSH files not allowed per Company security policy
.hta	0	HTA files not allowed per Company security policy
.pif	0	PIF files not allowed per Company security policy
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after
# this file is modified
# ******
#
# EOF

Kindly Advise

Regards,
Rick