Arrrggg.
Mr. Obvious says if you rename the win_netware_betadat.zip, wget will never find a file to compare it to and will always download the update.
----- Original Message -----
From: Matt
Sent: Monday, September 12, 2005 5:34 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Scott and Andrew,

It does in fact work on my system.  I'm using Wget 1.8.1+cvs.  The beta definitions do change very frequently, so this might throw you off.  Try executing a derivative of the following command twice and see what happens (remove the line break and adjust the paths):

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

Matt



Scott Fisher wrote:
-Matt,
 
Does the wget -N command work for you with McAfee?
I also use the -N and get the full download every time.
----- Original Message -----
From: Matt
Sent: Monday, September 12, 2005 4:13 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Nice script, but the executables don't change regularly, and many of us are using the command line version of McAfee that requires an unvalidated download.  This also doesn't get the beta DAT's.

I use a script that calls both wget and WinZip's free command line add-on (requires a registered WinZip).  It is easy enough to replace that with any other command line unzipping tool.  Personally I find WinZip to be perfectly reliable so I'm sticking with it.
C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
IF ERRORLEVEL 1 GOTO END

C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\
 
:END
ENDLOCAL

Matt




Markus Gufler wrote:
Attached you can find a script (I'm not the creator of this script but can't remember who's the genius) that will download the superdats and also the dailydat-files, extract all necessary virus definitions and also engine updates, write any action to a logfile and keep the downloaded superdats so that you can't revert manually if it would be necessary.
 
You need some command line tools like unzip and wget and adapt the path information in the script for your needs.
 
This script works on my server now for years and I hope it will do so also if now a lot of people will run it on their servers.
 
Markus
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Monday, September 12, 2005 10:49 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

Hmm, yes.
 
Something along the lines of:
 
 
and then parsing out the line:
 
FileName=dat-4579.zip
 
or
 
DATVersion=4579
 
in order to construct the filename... but it seems like re-inventing the wheel.  The readme.txt talks about a SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI downloader.
 
 
Andrew 8)
 
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt -

Matt wrote:

I was wrong about what was detecting it first...it was F-Prot.  I just figured out that my McAfee update script is no longer working.  Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.
This link works -
ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick


Thanks,

Matt



John Tolmachoff (Lists) wrote:
OK, so it is a cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes).  Some sort of malicious Control Panel applet?

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning


    
What is the payload inside the zip?

John T
eServices For You


      
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m.
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERS        END    NOTCONTAINS    boundary="--------
BODY        END    NOTCONTAINS    attachment; filename="
BODY        END    NOTCONTAINS    .zip" Content-Transfer-Encoding
BODY        15    CONTAINS     price

Matt
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
        
-------------------------------------------------------------------
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
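
The check John describes, banning an extension even when the file sits inside a zip attachment, sketched as an added example (not code from any poster in this thread or from Declude). The ban list beyond .cpl, the depth and size limits, and the function names are assumptions made for the illustration.

```python
import io
import zipfile

# Assumed ban list for illustration; the thread itself names only .cpl.
BANNED_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat"}
MAX_DEPTH = 2                    # levels of zip-inside-zip that get opened
MAX_NESTED_BYTES = 10 * 1024**2  # do not inflate nested archives larger than this


def banned_members(zip_bytes, depth=0):
    """Return names of archive members that carry a banned extension.

    Nested .zip members are opened up to MAX_DEPTH levels. Anything that
    cannot be inspected is reported, not silently passed.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    hits = []
    with archive:
        for info in archive.infolist():
            name = info.filename
            # Windows drops trailing dots and spaces, so "1.cpl." lands as "1.cpl".
            base = name.rsplit("/", 1)[-1].rstrip(". ").lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in BANNED_EXTENSIONS:
                hits.append(name)
            elif ext == ".zip":
                encrypted = bool(info.flag_bits & 0x1)
                if encrypted or depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    hits.append(name + " <nested archive not inspected>")
                else:
                    inner = banned_members(archive.read(info), depth + 1)
                    hits.extend(f"{name}/{hit}" for hit in inner)
    return hits


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member_name, data in members.items():
            archive.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_zip({"1.cpl": b"placeholder bytes"})  # same layout as in the thread
    print(banned_members(sample))
    print(banned_members(make_zip({"price.zip": sample, "readme.txt": b"hi"})))
```

A non-empty result is the signal to hold the message; entries marked as not inspected are returned as hits so that an encrypted or oversized inner archive is never treated as clean.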


      