I would like to start using this, but I'm not sure from the docs how to set
it up. I'm using Dr. Solomon. Can someone post a sample of the appropriate
config files with a little documentation?

Thanks,
_M

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Gary K. Cuppett
Sent: Friday, March 23, 2001 8:54 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Investigative Reporting???


Declude Virus 1.16b
McAfee Scanner

... on a test system I un-mimed about 150 virused
e-mails, scanned them and discovered a pattern.
Given the selected output below, the only reliable
setting you should use in your config file is
"REPORT Found" (without the quotes).

        Found the W32/Navidad trojan !!!
        Found the W97M/Thus.gen virus !!!
        Found virus or variant W97M/Thus.gen !!!
        Found: EICAR test file NOT a virus.

Note:  There may be other variations on what
gets logged in the McAfee report file that I've
not encountered yet.

You should not use "REPORT Found:" -or-
"REPORT Found: " ... they will not match the
string returned when encountering real viruses ...
they ONLY match the EICAR test.

The string returned in %VIRUSNAME%, for each
example above, would then be:

 the W32/Navidad trojan !!!
 the W97M/Thus.gen virus !!!
 virus or variant W97M/Thus.gen !!!
: EICAR test file NOT a virus.

Not particularly pretty so what I did was
change my EML files to accommodate the McAfee
rhetoric, something like:

Your e-mail was scanned and the scanner reported:
Found%VIRUSNAME%

In this way, I've inserted the word "Found" back
into the McAfee sentence so it at least looks right.

Declude.exe --could-- isolate just the virus name
itself but I suspect that would be a --LOT!-- of work
for Scott.

Anyway, %VIRUSNAME% seems to be working perfectly now.


While testing I noticed the %VIRUSFILE% variable remains broken.
It appears, in the McAfee report file, that the file name
is always in the line preceding the "Found" line and
is the last thing on the line after the last backslash(\)
character.


[ This E-mail came from the Declude.Virus mailing list.  To     ]
[ unsubscribe, just send an E-mail to [EMAIL PROTECTED], and ]
[ type "unsubscribe Declude.Virus yourname".  You can E-mail    ]
[ [EMAIL PROTECTED] for assistance.  You can visit our web   ]
[ site at http://www.declude.com .                              ]
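
Added example, not part of the thread and not Declude's own code: a small Python model of the marker matching described in the message above, showing why "REPORT Found" catches every sample line while "REPORT Found:" only catches the EICAR line, and how the file name could be taken from the preceding line. The function names, the path lines in the sample, and the rule that a report line must begin with the marker are assumptions made for illustration.

```python
# Constructed sample: the four "Found" lines are quoted from the message above;
# the path lines before them are invented placeholders, not real scanner output.
SAMPLE_REPORT = r"""
C:\example\msg1\attach1.exe
        Found the W32/Navidad trojan !!!
C:\example\msg2\report.doc
        Found the W97M/Thus.gen virus !!!
C:\example\msg3\memo.doc
        Found virus or variant W97M/Thus.gen !!!
C:\example\msg4\eicar.com
        Found: EICAR test file NOT a virus.
"""


def parse_report(text, marker):
    """Return (file_name, virusname) for every report line that begins with marker.

    virusname is whatever follows the marker, which is how the message describes
    %VIRUSNAME%. file_name is the text after the last backslash on the line
    before the match, which is where the message says the file name appears.
    """
    hits = []
    previous = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(marker):
            virusname = line[len(marker):]
            file_name = previous.rsplit("\\", 1)[-1]
            hits.append((file_name, virusname))
        previous = line
    return hits


def render(template, virusname):
    """Fill the %VIRUSNAME% placeholder in a notification template line."""
    return template.replace("%VIRUSNAME%", virusname)


if __name__ == "__main__":
    for marker in ("Found", "Found:", "Found: "):
        hits = parse_report(SAMPLE_REPORT, marker)
        print(f"marker {marker!r}: {len(hits)} match(es)")
        for file_name, virusname in hits:
            print("   ", file_name, "->", render("Found%VIRUSNAME%", virusname))
```

With the "Found:" markers the three real detections produce no match at all, so a notification keyed on that string would only ever fire for the test file.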
