Re: [Exim] Regex for catching RAR flavour of Bagle/beagle

Góra strony
Delete this message
Reply to this message
Autor: Adam D. Barratt
Data:  
Dla: Exim users mailing list
Temat: Re: [Exim] Regex for catching RAR flavour of Bagle/beagle
On Friday, March 19, 2004 12:58 PM, Bruce Richardson <itsbruce@???>
wrote:

> On Fri, Mar 19, 2004 at 01:40:46PM +0100, Marcin Owsiany wrote:
>> Might be useful for someone...

[...]
> The exiscan patch plus a decent av scanner (e.g. clamav) are both more
> reliable and considerably less work than this method, imho. Less
> likely to give false positives, also.


We use a combination approach:

1) Log anything that looks like a password-encrypted zip / rar
2) Pass them through clamav via exiscan-acl (with databases updated every
two hours)
3) Freeze anything that clamav claims is clean, for further inspection

Of the half-dozen that have so far made it to step three, all have turned
out to contain a variant of Bagle.

Adam