I came across this paper which could be useful. Here it is:
http://www.fsl.cs.sunysb.edu/docs/avfs-security04/index.html#tthFtNtAAB

On Oct 16, 2007, at 3:10 PM, Sean McGlynn wrote:

> Thank you for your reply.
>
> I appreciate your point, but in our environment the directories
> being scanned are user directories where only data files are
> stored. There is no risk to applications or other running processes.
>
> ----- Original Message ----
> From: Derick Centeno <[EMAIL PROTECTED]>
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Sent: Tuesday, October 16, 2007 2:39:58 PM
> Subject: Re: [Clamav-users] Quarantine Infected Files Discovered by Clamuko
>
> * PGP Signed by an unmatched address: 10/16/07 at 14:40:06
>
> Having a script parse the log file is not the problem. The
> documentation addressing the details of Clamav explains clearly that
> removing the infected file or files is the difficulty, especially as
> the infected files may be key components or data files of email
> clients and/or other sensitive applications.
>
> It is never a good idea to have a script do a task which requires
> introspective analysis. In brief, do you really want to destroy an
> application you may need, to remove a virus or infection you don't?
> As each client or sensitive application implements its task there
> cannot be a one task script or method which will work across all
> situations without risking damage to the working application.
> Unfortunately the people writing the infections know this as well;
> there is no way to automate an appropriately intelligent strategy for
> every real-world contingency.
>
> However, if one takes time, as careful perhaps as a medical surgeon,
> the chance may be good that you can remove the infection and if
> necessary reinstall or rebuild the application anew.
>
> On Oct 16, 2007, at 1:43 PM, Sean McGlynn wrote:
>
>> I read in another post that the only way to quarantine an infected
>> file that is discovered during an on access scan (i.e. via Clamuko)
>> is to write a script that would parse the log file for the location
>> of the infected file and then move it or delete it as desired. Is
>> this correct? If not, what is the appropriate method? If so, does
>> anyone have a good script already written that will perform this
>> function?
>>
>> Thank you much.
>
> * Derick Centeno <[EMAIL PROTECTED]>
> * 0xC2AF471C:0x9A5C3BED(L)
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html
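
The log-parsing quarantine script asked about in this thread, as an added example that is not part of any message above and not ClamAV's own code. It assumes on-access hits are logged as `Clamuko: <path>: <signature> FOUND` (optionally after a timestamp), and the function names, sample line and directory arguments are hypothetical. It moves files rather than deleting them and only acts inside one data-only directory tree, which is the condition both posters' points hinge on.

```python
import os
import re
import shutil

# Assumed clamd log line shape for on-access hits (optionally prefixed by a
# timestamp and " -> "):  Clamuko: <path>: <signature> FOUND
HIT = re.compile(r"Clamuko: (?P<path>/.*): (?P<sig>\S+) FOUND\s*$")

# Constructed sample line, not taken from the thread.
SAMPLE = ("Tue Oct 16 14:39:58 2007 -> Clamuko: /home/sean/report.doc: "
          "Eicar-Test-Signature FOUND")


def parse_hits(lines):
    """Yield (path, signature) for each Clamuko detection line."""
    for line in lines:
        m = HIT.search(line)
        if m:
            yield m.group("path"), m.group("sig")


def quarantine(path, allowed_root, quarantine_dir):
    """Move path into quarantine_dir only if it is a regular file under
    allowed_root. Returns the new location, or None when it is skipped."""
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(path)
    # Refuse anything that resolves outside the data-only tree, e.g. a
    # symlink planted in a user directory that points at a system file.
    if os.path.commonpath([root, real]) != root:
        return None
    # Skip symlinks, directories, devices and files that are already gone.
    if os.path.islink(path) or not os.path.isfile(real):
        return None
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    # Flatten the full path into the name so equal basenames do not collide.
    dest = os.path.join(quarantine_dir, real.strip("/").replace("/", "_"))
    shutil.move(real, dest)
    os.chmod(dest, 0o000)  # moved, never deleted: a person reviews it later
    return dest


def process_log(lines, allowed_root, quarantine_dir):
    """Quarantine every logged hit; return {path: destination or None}."""
    return {p: quarantine(p, allowed_root, quarantine_dir)
            for p, _sig in parse_hits(lines)}
```

Paths that come back as `None` are the ones left for manual handling, such as anything outside the allowed root.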