Re: [exim] How to debug malware

Góra strony
Delete this message
Reply to this message
Autor: Nigel Wade
Data:  
Dla: exim-users
Temat: Re: [exim] How to debug malware
Dennis Davis wrote:
> On Thu, 1 Dec 2005, Nigel Wade wrote:
>
>
>>From: Nigel Wade <nmw@???>
>>To: Exim users list <exim-users@???>
>>Date: Thu, 01 Dec 2005 15:27:59 +0000
>>Subject: Re: [exim] How to debug malware
>
>
> ...
>
>
>>My mime ACL was incorrect, and it was not performing the decode
>>= default. Now that I've fixed it as above it does the required
>>action of decoding the mime parts. When the data acl is actioned,
>>and the av_scanner is run, the decoded mime parts are all there
>>in separate files in the directory which is passed to the
>>av_scanner. Sophos sweep will now happily detect viruses both in
>>the entire message, and in the decoded parts.
>>
>>Thanks for supplying the correct syntax of the mime ACL.
>
>
> In an earlier message you said:
>
>
>>Sorry, I forgot to add that the av_scanner is:
>>
>>av_scanner = cmdline:\
>>              /usr/local/bin/sweep -ss -all -rec -archive %s:\
>>              found:'(.+)

>
>
> Note that Sophos sweep *won't* do any mime decoding unless you tell
> it to. So change the above to:
>
> av_scanner = cmdline:\
>                /usr/local/bin/sweep -ss -all -rec -archive -mime %s:\
>                found:'(.+)

>
> and try again. You may well find you don't need your mime ACL.
>
> It's *very* easy to miss this. It isn't documented in the manual
> page for Sophos sweep and the example in the exim specification
> doesn't include it. You only find it out by typing something like
> "sweep --help" to get a list of the options.


Thanks, I've already done this, someone mailed me off-list to tell me about this
option.



-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555