> But I would like to catch
> the virus emails that have Win exe, scr, bat, and the like for attachments,
> but I can't find a rule for them.
>
> Is there one? How can I catch them otherwise?

Sadly there really isn't one. People will tell you to simply use a more appropriate tool for virus catching, like ClamAV. Of course I suspect this still leaves lots of "I caught a virus!" messages that leak through. We are working on a SARE ruleset to catch a great number of these for you.

In 2.63 there is the MICROSOFT_EXECUTABLE check that triggers on a number of (but by no means all) viruses, and can be useful for various things. However, it has been removed from 3.0.

And while I agree with removing binary attachments before scanning in SA, I consider that removing the mime-part header that contained the type and name is a mistake. There have been any number of times I've wanted to use that info for spam signs, and it just isn't there.

Loren
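An added example, not part of the original message and not SpamAssassin code: a standalone Python pre-filter that reads each MIME part's type and name and flags the attachment kinds the question asks about. The function name `risky_attachments`, the extensions beyond exe, scr and bat, and the sample message are assumptions made for this illustration.

```python
import email
from email import policy

# exe, scr and bat come from the question; the other entries are assumptions.
RISKY_EXTS = {"exe", "scr", "bat", "pif", "com", "cmd"}

def risky_attachments(raw_bytes):
    """Return (filename, content_type, reasons) for each suspicious MIME part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then falls back
        # to the name= parameter of Content-Type.
        name = part.get_filename() or ""
        # Windows ignores trailing dots and spaces, so strip them first.
        pieces = name.rstrip(". ").lower().split(".")
        reasons = []
        if len(pieces) > 1 and pieces[-1] in RISKY_EXTS:
            reasons.append("extension ." + pieces[-1])
            if len(pieces) > 2:
                reasons.append("double extension")
        # A DOS/PE executable starts with "MZ" whatever the part is called.
        body = part.get_payload(decode=True) or b""
        if body.startswith(b"MZ"):
            reasons.append("MZ header")
        if reasons:
            hits.append((name, part.get_content_type(), reasons))
    return hits

# Constructed sample message for this example, not real traffic.
SAMPLE = (
    b"Subject: constructed test message\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n\r\n'
    b"--BOUND\r\n"
    b"Content-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--BOUND\r\n"
    b'Content-Type: application/octet-stream; name="photo.jpg.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"TVqQAAMAAAA=\r\n"
    b"--BOUND\r\n"
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n\r\n'
    b"%PDF-1.4\r\n"
    b"--BOUND--\r\n"
)

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```

The returned tuples can drive a quarantine decision or a custom header that later rules score on; it complements a signature scanner such as ClamAV rather than replacing it.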