[Avcheck] Bug in v.0.9
Michael Tokarev
mjt@tls.msk.ru
Thu, 03 Oct 2002 12:59:30 +0400
Piotr Klaban wrote:
[]
> If it can be helpful, this is a snippet from the /var/log/avpscan.log
Yes - it is very helpful. Thanks.
> <snip>
> Kaspersky Anti-Virus for Solaris started 02.10.2002 09:50:04
> Version 4.0.2.2
> Last update: 29.09.2002, 58683 records.
>
> Command line: -dl -f=/ctl /tst
> Profile (from 02.10.2002 09:49:55) /defUnix.prf
> ^M
;) When will they learn how to remove ^Ms? ;)
> Query for the tests: <0>Oct 2 11:50:27:/tst/18560.tmp
>
> 02.10.2002 09:50:31 /tst/18560.tmp archive: Mail
> 02.10.2002 09:50:31 /tst/18560.tmp/[From: jsnujl <jsnujl@eio.e>]/html ok.
> 02.10.2002 09:50:34 /tst/18560.tmp/[From: jsnujl <jsnujl@eio.e>]/ppyxt.pif infected: I-Worm.Klez.h
> </snip>
>
> There IS a <tab> before string 'infected:' (also before 'archive:' and 'ok.')
Hmm - it should not output those "archive:" and "ok." strings at all. For this
very email, avcheck should extract "Archive: Mail ok. infected: I-Worm.Klez.h", a
string that looks quite funny... ;)
Ok. Now I'm awaiting a similar message from Varadi Gabor to see how it looks
on his machine.
BTW, why don't you filter klez at smtp level using body_checks? The regexp
I (and others) posted several times works very well and it is fast since the
pattern is anchored to the beginning of a string (iframe changed to ifrXame
to keep KAV from detecting a virus in this line):
/^<ifrXame src=3Dcid:\S+ height=3D0 width=3D0>/ REJECT No IFRAMEs please
(such a pattern should NOT occur in any normal email - an iframe of size 0x0
pixels).
/mjt
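Added example, not part of the thread and not avcheck's own code: a small Python script illustrating the two technical points above. The first part parses KAV-for-Solaris result lines of the shape quoted by Piotr (date, time, path, a <tab>, then "archive:", "ok." or "infected:"), strips the ^M line ends, and keeps only the infected entries, which is what a wrapper like avcheck needs to extract. The second part applies the body_checks pattern to individual quoted-printable body lines the way Postfix does, one line at a time, with the real tag name restored (the mail writes "ifrXame" only so the message itself would not trip KAV). The log lines, body lines and the "suspicion" status word are constructed sample input, not taken from the page.

```python
import re

# Constructed sample of KAV log lines, modelled on the snippet quoted in the
# thread: a tab separates the path from the status word, and KAV writes
# CRLF line ends (the "^M" that shows up in the quoted log).
SAMPLE_LOG = (
    "02.10.2002 09:50:31 /tst/18560.tmp\tarchive: Mail\r\n"
    "02.10.2002 09:50:31 /tst/18560.tmp/[From: jsnujl <jsnujl@eio.e>]/html\tok.\r\n"
    "02.10.2002 09:50:34 /tst/18560.tmp/[From: jsnujl <jsnujl@eio.e>]/ppyxt.pif"
    "\tinfected: I-Worm.Klez.h\r\n"
)

# One result line: date, time, path (may contain spaces, never a tab), <tab>,
# status word, and an optional ": detail" (archive type or virus name).
# "suspicion" is an assumed extra status word, not one shown on the page.
LOG_LINE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<path>.+?)\t(?P<status>archive|ok\.|infected|suspicion)(?:: (?P<detail>.*))?$"
)


def parse_kav_log(text):
    """Return (path, status, detail) for every result line; other lines are skipped."""
    results = []
    for line in text.splitlines():
        line = line.rstrip("\r")          # drop the ^M from CRLF line ends
        m = LOG_LINE.match(line)
        if m:
            results.append((m.group("path"), m.group("status"), m.group("detail")))
    return results


def infections(text):
    """Only the (path, virus name) pairs a scanner wrapper should report."""
    return [(path, detail) for path, status, detail in parse_kav_log(text)
            if status == "infected"]


# The body_checks regexp from the mail with "iframe" restored.  In a
# quoted-printable body "=" is encoded as "=3D", which is why the pattern
# carries those sequences.  Postfix regexp tables are case-insensitive by
# default, so IGNORECASE mirrors how the pattern would run there.
KLEZ_IFRAME = re.compile(r"^<iframe src=3Dcid:\S+ height=3D0 width=3D0>", re.IGNORECASE)
REJECT_TEXT = "REJECT No IFRAMEs please"


def body_check(line):
    """Apply the pattern to one body line; return the action or None (pass)."""
    return REJECT_TEXT if KLEZ_IFRAME.match(line) else None


def scan_body(lines):
    """First matching action for a list of body lines, as body_checks would stop there."""
    for line in lines:
        action = body_check(line)
        if action:
            return action
    return None


# Constructed body lines: one zero-size cid: iframe of the kind the pattern
# targets, and a normal-size iframe that must pass.
SAMPLE_BAD_LINE = "<iframe src=3Dcid:part001@example.invalid height=3D0 width=3D0>"
SAMPLE_OK_LINE = "<iframe src=3Dhttp://www.example.invalid/ height=3D300 width=3D400>"

if __name__ == "__main__":
    for path, virus in infections(SAMPLE_LOG):
        print(f"{path}: {virus}")
    print(scan_body([SAMPLE_OK_LINE, "Hello,", SAMPLE_BAD_LINE]))
```

Note that the anchored `^` only pays off because body_checks feeds the pattern one body line at a time; the same regexp run over a whole decoded message would need multi-line mode and would lose most of its speed advantage.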