If anyone's interested, here is a modification to sophie so that when a
password-protected archive (like Bagle-H) is scanned it will flag it as
a virus. Q-S now detects it as "Error: File was encrypted" and
quarantines it. Here is the alteration to sophie_core.c in the case
SOPHOS_SAVI_ERROR_FILE_ENCRYPTED:
    case SOPHOS_SAVI_ERROR_FILE_ENCRYPTED:
        sophie_print(0, "%s %s", WARNSTR,
                     SOPHIE_SAVI_ERROR_FILE_ENCRYPTED);
        strncpy(ret_error_string,
                SOPHIE_SAVI_ERROR_FILE_ENCRYPTED, sizeof(ret_error_string)-1);
        sophie_log_virus(scan_file, scan_results);   /* added: log the encrypted file as a virus hit */
#ifdef ONLY_FATAL_ERRORS
        retval = 0;
#else
        retval = 1;                                  /* was retval = -1 */
#endif
        break;
The only changes are adding the "sophie_log_virus..." line and changing
"retval = -1;" to "retval = 1;".
---
Ed
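The patch above relies on the Sophos engine reporting "file encrypted" and then treats that error as a detection. The same policy can be applied by the gateway itself, before the engine runs, by reading the ZIP local file headers: bit 0 of each entry's general-purpose flag word marks the entry as encrypted. The following is an added example in C, not code from Ed, sophie or Qmail-scanner; it walks every entry rather than only the first (a plain first entry followed by an encrypted one would otherwise slip past), checks bounds before each read so a cut-off attachment cannot push the scanner past its buffer, and maps the result onto the same retval policy as the patch (1 = quarantine, 0 = pass, with ONLY_FATAL_ERRORS turning the check off). All names (zip_inspect, gateway_verdict, build_demo_archive, demo_inspect) and the two-entry sample archive are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Gateway policy outcomes, mirroring the retval values in the patch:
   1 = treat as a virus and quarantine, 0 = let the message continue. */
enum scan_verdict { VERDICT_PASS = 0, VERDICT_QUARANTINE = 1 };

/* What a walk over the ZIP local file headers found. */
enum zip_state { ZIP_NOT_ZIP, ZIP_TRUNCATED, ZIP_PLAIN, ZIP_ENCRYPTED, ZIP_UNSCANNABLE };

#define ZIP_LOCAL_SIG      0x04034b50u  /* "PK\3\4", start of a local file header */
#define ZIP_LOCAL_HDR_LEN  30           /* fixed part of the local file header */
#define ZIP_FLAG_ENCRYPTED 0x0001       /* general purpose bit 0: entry is encrypted */
#define ZIP_FLAG_DATADESC  0x0008       /* bit 3: sizes are stored after the data */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v & 0xff); p[1] = (unsigned char)(v >> 8); }
static void wr32(unsigned char *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk every local file header and stop at the first entry the engine could not
   open. Every read is bounds-checked against len first. */
enum zip_state zip_inspect(const unsigned char *buf, size_t len) {
    size_t off = 0;
    if (len < 4 || rd32(buf) != ZIP_LOCAL_SIG) return ZIP_NOT_ZIP;
    while (off + 4 <= len && rd32(buf + off) == ZIP_LOCAL_SIG) {
        if (len - off < ZIP_LOCAL_HDR_LEN) return ZIP_TRUNCATED;
        const unsigned char *h = buf + off;
        uint16_t flags = rd16(h + 6);                 /* general purpose bit flag */
        uint32_t csize = rd32(h + 18);                /* compressed size */
        size_t hdr = ZIP_LOCAL_HDR_LEN + (size_t)rd16(h + 26) + (size_t)rd16(h + 28); /* + name + extra */
        if (flags & ZIP_FLAG_ENCRYPTED) return ZIP_ENCRYPTED;
        if (flags & ZIP_FLAG_DATADESC) return ZIP_UNSCANNABLE; /* size unknown here, cannot skip ahead */
        if (hdr > len - off) return ZIP_TRUNCATED;
        off += hdr;
        if (csize > len - off) return ZIP_TRUNCATED;
        off += csize;                                 /* next header (or the central directory) */
    }
    return ZIP_PLAIN;
}

/* Same decision the patched sophie_core.c case makes: an archive that cannot be
   scanned is flagged unless the build runs in ONLY_FATAL_ERRORS mode. Plain
   archives, non-ZIP data and truncated files go on to the engine as usual. */
enum scan_verdict gateway_verdict(enum zip_state st, int only_fatal_errors) {
    if (st == ZIP_ENCRYPTED || st == ZIP_UNSCANNABLE)
        return only_fatal_errors ? VERDICT_PASS : VERDICT_QUARANTINE;
    return VERDICT_PASS;
}

/* Write one stored (method 0) local header plus its data; returns bytes written. */
static size_t put_entry(unsigned char *out, uint16_t flags, const char *name,
                        const unsigned char *data, uint16_t dlen) {
    unsigned char *p = out;
    uint16_t nlen = (uint16_t)strlen(name);
    wr32(p, ZIP_LOCAL_SIG); p += 4;
    wr16(p, 20);    p += 2;   /* version needed to extract */
    wr16(p, flags); p += 2;
    wr16(p, 0);     p += 2;   /* compression method: stored */
    wr16(p, 0);     p += 2;   /* mod time */
    wr16(p, 0);     p += 2;   /* mod date */
    wr32(p, 0);     p += 4;   /* crc32 (not checked by this example) */
    wr32(p, dlen);  p += 4;   /* compressed size */
    wr32(p, dlen);  p += 4;   /* uncompressed size */
    wr16(p, nlen);  p += 2;
    wr16(p, 0);     p += 2;   /* extra field length */
    memcpy(p, name, nlen); p += nlen;
    memcpy(p, data, dlen); p += dlen;
    return (size_t)(p - out);
}

/* Constructed sample: two entries, 93 bytes total. With encrypt_second set, only
   the second entry carries the encryption bit. buf must hold at least 128 bytes. */
size_t build_demo_archive(unsigned char *buf, int encrypt_second) {
    const unsigned char a[] = "hello";     /* 6 bytes incl. NUL, entry = 46 bytes */
    const unsigned char b[] = "payload";   /* 8 bytes incl. NUL, entry = 47 bytes */
    size_t n = put_entry(buf, 0, "readme.txt", a, (uint16_t)sizeof a);
    n += put_entry(buf + n, encrypt_second ? ZIP_FLAG_ENCRYPTED : 0, "notes.txt", b, (uint16_t)sizeof b);
    return n;
}

/* Inspect the sample archive, optionally cut short after `limit` bytes (0 = whole). */
enum zip_state demo_inspect(int encrypt_second, size_t limit) {
    unsigned char buf[128];
    size_t n = build_demo_archive(buf, encrypt_second);
    if (limit && limit < n) n = limit;
    return zip_inspect(buf, n);
}

int main(void) {
    static const char *names[] = { "not a zip", "truncated", "plain", "encrypted", "unscannable" };
    enum zip_state st = demo_inspect(1, 0);
    printf("sample archive: %s -> retval %d\n", names[st], (int)gateway_verdict(st, 0));
    st = demo_inspect(1, 60);
    printf("cut at 60 bytes: %s -> retval %d\n", names[st], (int)gateway_verdict(st, 0));
    return 0;
}
```

Walking past the first entry matters because a multi-entry archive can mix plain and encrypted members; checking only the leading header would pass such a file to the engine, which then reports the same encrypted-file error the patch deals with. Entries that use a data descriptor (bit 3) are reported as unscannable rather than guessed at, since their compressed size is not known until after the data.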
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Jason Haar
> Sent: Tuesday, March 02, 2004 3:53 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Qmail-scanner-general]Bagle-h and password
> protected ZIP files
>
>
> On Wed, 2004-03-03 at 07:17, CertaintyTech-Ed wrote:
> > Anyone else seeing the Bagle-H virus getting thru? I am using Q-S and
> > sophie and it is not stopping them. Sophie sees that the ZIP file is
> > password encrypted so can't check it for viruses and Q-S goes ahead and
> > passes it thru. Does anyone know of any way to catch this one? For now
> > I am blocking all ZIP attachments...
>
> Please let me know when you find ANY e-mail AV system that can catch
> this virus... i.e. I don't think so. I know there's one that "catches"
> it by looking at the content of the text part of the message - before
> the actual zip attachment - but that doesn't really count.
>
> Password protected zip files - and people still get infected! When will
> the naivety end?
>
> This is why we have the phrase "defense in depth". Run e-mail AV systems
> to get rid of 99% of your viruses, but you still need to run nightly
> scans over old e-mails (to catch the Day Zeros that got through
> earlier), and you definitely still need to run AV on workstations (which
> would catch this particular one - as once the user unlocks the virus,
> their AV can detect it).
>
> Obviously such a luxury is appropriate for corporations, but is
> impossible to mandate for ISPs/etc...
>
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Qmail-scanner-general mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
>