Arthur Corliss wrote:

>On Fri, 18 Feb 2005, David Eisner wrote:
>
>>I just received an interesting virus. It's a fake bounce with an
>>attachment named letter.zip. It made it through mimedefang (2.49)
>>unscathed.
>>
>>I unzipped letter.zip, which contained a single file, named . . .
>>letter.zip (kind of like Russian dolls).
>>I unzipped the interior letter.zip, which contained a Letter.pif. It
>>appears to be Win32.Mydoom.am (according to Kasperky.com):
>>http://www.viruslist.com/en/viruses/encyclopedia?virusid=74056
>>
>>Am I correct that mimedefang will not recursively unzip files when
>>searching for harmful attachments?
>
>Mimedefang may not recursively unzip attachments, but if you're using a
>scanner like Clamav with it, that should handle and stop viruses like that
>from getting through.

I'm not suggesting the behavior of Mimedefang is wrong, I just want to make sure I understand what it's doing. The problem is that in general there is a delay between the time a virus outbreak occurs, and the time that virus scanners have updated DATs that detect it. That's one of the great things about Mimedefang -- it removes the potentially harmful attachment during this window.

In our case, we're using McAfee Virusscan. Oddly, it still doesn't detect this worm.

-David

---------------------------------------------------------
D a v i d E i s n e r
c r a d l e @ u m d . e d u
CALCE EPSC
University of Maryland
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
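
The nesting described in this message (letter.zip inside letter.zip, containing Letter.pif), as an added example that is not part of the original post and is not MIMEDefang code: a Python filename check that recurses into nested zip members and flags archives it cannot inspect. The blocklist, the depth and size limits, and all function names are assumptions; the sample archive is constructed and holds placeholder bytes.

```python
import io
import zipfile

# Assumed values for illustration; a production filter would tune these.
BAD_EXTS = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs")
MAX_DEPTH = 3                         # how many archive layers to open
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # largest nested archive to read

def find_bad_members(data, depth=0, path=""):
    """Return paths of blocked filenames found at any nesting level.

    Nested archives that are too deep, too large or encrypted are
    reported as uninspectable so the caller can quarantine them.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits                   # not a zip: nothing to inspect here
    with zf:
        for info in zf.infolist():
            name = path + info.filename
            lower = info.filename.lower()
            if lower.endswith(BAD_EXTS):
                hits.append(name)
            elif lower.endswith(".zip"):
                encrypted = bool(info.flag_bits & 0x1)
                too_big = info.file_size > MAX_MEMBER_BYTES
                if depth + 1 >= MAX_DEPTH or too_big or encrypted:
                    hits.append(name + " (uninspectable)")
                else:
                    inner = zf.read(info)   # bounded by declared file_size
                    hits.extend(find_bad_members(inner, depth + 1, name + "/"))
    return hits

def make_zip(members):
    """Build an in-memory zip from a {filename: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()

def build_sample():
    """Constructed stand-in for the attachment: zip -> zip -> Letter.pif."""
    inner = make_zip({"Letter.pif": b"constructed placeholder bytes"})
    return make_zip({"letter.zip": inner})

if __name__ == "__main__":
    print(find_bad_members(build_sample(), path="letter.zip/"))
```

A check that only reads the outer archive's member list sees a single `letter.zip` entry here and passes it, which matches the behaviour reported in the message.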

