>... on a test system I un-mimed about 150 virused
>e-mails, scanned them and discovered a pattern.
>Given the selected output below, the only reliable
>setting you should use in your config file is
>"REPORT Found" (without the quotes).

Good job!  It's too bad that McAfee doesn't keep things the same for the 
eicar.com file (the whole point of the eicar.com file is to simulate what 
happens when a virus goes through, so you know what to expect).

>Declude.exe --could-- isolate just the virus name
>itself but I suspect that would be a --LOT!-- of work
>for Scott.

<G>  Yes, that would be a lot of work.  Perhaps a couple of quick checks, 
like getting rid of "the " if it exists, and "!!!" (someone at McAfee was 
excited that they found a new virus).

>While testing I noticed the %VIRUSFILE% variable remains broken.

This should be fixed in v1.16c, which I have just released.  Of course, 
some extra debugging code has been added just in case there continue to be 
problems with it, but I think it should be fine now.

For those that don't know, the problem is that Declude doesn't use the file 
name that is given in the E-mail, just to prevent nasty things like people 
uploading a file named "C:\Winnt\windows.exe" or "lpt1:".  Rather than 
search for all known security holes, Declude simply uses a number and the 
extension given in the E-mail (i.e. 1.com).  So, if a virus is found, the 
report.txt file will show "1.com" as the file name, which is meaningless to 
the recipient.  When Declude sees the file name as 1.com, it has to 
cross-reference with the file name that was listed in the E-mail, so you 
see "eicar.com" instead of "1.com".
                                                 -Scott

[ This E-mail came from the Declude.Virus mailing list.  To     ]
[ unsubscribe, just send an E-mail to [EMAIL PROTECTED], and ]
[ type "unsubscribe Declude.Virus yourname".  You can E-mail    ]
[ [EMAIL PROTECTED] for assistance.  You can visit our web   ]
[ site at http://www.declude.com .                              ]
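
The renaming scheme described in the message above, as an added example that is not part of the original e-mail and is not Declude's code: the claimed attachment name is never used on disk, only a counter plus a validated extension, and a lookup table restores the original name in the scanner report. The class name, the "bin" fallback extension, the 8-character extension limit and the sample report line are assumptions made for this sketch.

```python
import re

# Assumption: only short alphanumeric extensions are kept; anything else becomes "bin".
SAFE_EXT = re.compile(r"^[A-Za-z0-9]{1,8}$")


class AttachmentNamer:
    """Stores attachments as '<counter>.<ext>' and remembers the claimed name."""

    def __init__(self):
        self._count = 0
        self._original = {}  # on-disk name -> file name as given in the e-mail

    def safe_name(self, claimed):
        # Use only the text after the last dot. The rest of the claimed name
        # (drive letters, path separators, device names) never reaches the disk.
        _, dot, ext = claimed.rpartition(".")
        if not dot or not SAFE_EXT.match(ext):
            ext = "bin"
        self._count += 1
        name = f"{self._count}.{ext.lower()}"
        self._original[name] = claimed
        return name

    def rewrite_report(self, report_text):
        # Swap on-disk names in scanner output for the names the recipient saw.
        def swap(match):
            return self._original.get(match.group(0).lower(), match.group(0))

        return re.sub(r"\b\d+\.[A-Za-z0-9]{1,8}\b", swap, report_text)


if __name__ == "__main__":
    namer = AttachmentNamer()
    # Constructed sample names, including the two hostile ones from the message.
    for claimed in ("eicar.com", "C:\\Winnt\\windows.exe", "lpt1:"):
        print(repr(claimed), "->", namer.safe_name(claimed))
    # Constructed report line, not real scanner output.
    print(namer.rewrite_report("Found a virus in 1.com"))
```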
