On Mon, 1 Sep 2003, Rick wrote:

> I am running qmail-scanner + clamav antivirus. However, when I do a
> tail -f /var/spool/qmailscan/qmail-queue.log, it is not able to detect any
> virus coming through.
> I have configured and launched everything properly (hopefully so).
> I would need some assistance to disable all *.pif, *.vbs and etc
> attachments.

You block attachments in /var/spool/qmailscan/quarantine-attachments.txt.
I've attached the one I'm using here. It will block most Windows
executable attachments. It also blocks the attachments used by Sobig.F and
sets the reason to "SoBig.F virus attachment" which means the
silent-viruses function will spot this is caused by sobig and not send
reports back to the senders.
  Cheers.

-- 
Mark Powell - UNIX System Administrator - The University of Salford
Information Services Division, Clifford Whitworth Building,
Salford University, Manchester, M5 4WT, UK.
Tel: +44 161 295 4837  Fax: +44 161 295 5888  www.pgp.com for PGP key
# Sample of well-known viruses that perlscan_scanner can use
#
# This is case-insensitive, and TAB-delimited. 
#
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after 
# this file is modified
# ******
#
# Format: three columns
# 
# filename<TAB>size (in bytes)<TAB>Description of virus/whatever
#
# OR:
#
# string<TAB>Header<TAB>Description of virus/whatever
# 
# [this one allows you to match on (e.g.) the Subject line.]
#
# NOTE 1: This is the crudest "virus scanning" you can do - we are
# arbitrarily deciding that particular filenames of certain sizes contain
# viruses - when they may not. However this can be useful for the times
# when a new virus is discovered and your scanner cannot detect it (yet).
#
# NOTE 2: This is only good for picking up stand-alone viruses like the
# following. Macro viruses are impossible to detect with this method as
# they infect users docs.
#
# NOTE 3: Wildcards are supported. This system can also be used to deny
# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other
# wildcard type is supported. Be very careful with this feature. With 
# wildcards, the size field is ignored (i.e. any size matches).
#
# .exe  0       Executable attachment too large
#
# That would ban .EXE files from your site (but would
# still allow .zip files...)
#
# .mp3  0       MP3 attachments disallowed
#
# ...would stop any Email containing MP3 attachments passing.
#
# NOTE 4: No, you can't use this to ban any file (i.e. *.*) that's over
# a certain size - you should
# "echo 10000000 > /var/qmail/control/databytes" 
# to set the maximum SMTP message size to 10Mb.
#
# NOTE 5: The second option allows you to match on header. This would allow 
# you to block Email viruses when you don't know anything else other than 
# there's a weird Subject line (or From line, or X-Spanska: header, ...).
# Note that it's a case-sensitive, REGEX string, and the system will 
# automatically surround it with ^ and $ before matching. i.e. if you 
# want wildcards, explicitly put them in...
#
# The string _must_be_ "Virus-" followed by the header you wish to match
# on - followed by a colon (:).
#
# e.g.
#
# Pickles.*Breakfast    Virus-Subject:  Fake Example Pickles virus
#
# will match "Subject: Pickles for Breakfast" - and 
# not "Subject: Pickles - where did you go?"
#
#
# NOTE 6: Similar to the headers option, you can match on the mail ENVELOPE
# headers - i.e. "MAIL FROM:" and "RCPT TO:". These are identical to
# Virus-<header>, except that the header names are MAILFROM and RCPTTO only.
#
# e.g.
#
# [EMAIL PROTECTED]     Virus-MAILFROM: Bad mail envelope not allowed here!
#
# NOTE 7: Another "faked" header - "Virus-TCPREMOTEIP" can be used to match
# actions against the IP address of the SMTP client.
#

EICAR.COM               69      EICAR Test Virus
Happy99.exe             10000   Happy99 Trojan
zipped_files.exe        120495  W32/ExploreZip.worm.pak virus
ILOVEYOU                Virus-Subject:  Love Letter Virus/Trojan
message/partial         Virus-Content-Type:     Message/partial MIME attachments blocked by University Of Salford ISD policy
#The following matches Date: headers that are over 100 chars in length
#these are impossible in the wild
.{100,}                 Virus-Date:             MIME Header Buffer Overflow
.{100,}                 Virus-Mime-Version:     MIME Header Buffer Overflow 
.{100,}                 Virus-Resent-Date:      MIME Header Buffer Overflow
#
#Let's stop that nasty BadTrans virus from uploading your keystrokes...
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]     Virus-To:       BadTrans Trojan exploit!

# Block the SoBig.F virus attachments

your_document.pif       0       SoBig.F virus attachment
document_all.pif        0       SoBig.F virus attachment
thank_you.pif   0       SoBig.F virus attachment
your_details.pif        0       SoBig.F virus attachment
details.pif     0       SoBig.F virus attachment
document_9446.pif       0       SoBig.F virus attachment
application.pif 0       SoBig.F virus attachment
wicked_scr.scr  0       SoBig.F virus attachment
movie0045.pif   0       SoBig.F virus attachment

#
# These are examples of prudent defaults to set for most sites.
# Commented out by default
.vbe    0       VBE files not allowed per University Of Salford ISD security policy
.vbs    0       VBS files not allowed per University Of Salford ISD security policy
.lnk    0       LNK files not allowed per University Of Salford ISD security policy
.scr    0       SCR files not allowed per University Of Salford ISD security policy
.wsh    0       WSH files not allowed per University Of Salford ISD security policy
.hta    0       HTA files not allowed per University Of Salford ISD security policy
.pif    0       PIF files not allowed per University Of Salford ISD security policy
.exe    0       EXE files not allowed per University Of Salford ISD security policy
.com    0       COM files not allowed per University Of Salford ISD security policy
.bat    0       BAT files not allowed per University Of Salford ISD security policy
.cmd    0       CMD files not allowed per University Of Salford ISD security policy
.cpl    0       CPL files not allowed per University Of Salford ISD security policy
.mhtml  0       MHTML files not allowed per University Of Salford ISD security policy
.ceo    0       CEO files not allowed per University Of Salford ISD security policy
.cnf    0       CNF files not allowed per University Of Salford ISD security policy
.ins    0       INS files not allowed per University Of Salford ISD security policy
.scf    0       SCF files not allowed per University Of Salford ISD security policy
.sct    0       SCT files not allowed per University Of Salford ISD security policy
.shb    0       SHB files not allowed per University Of Salford ISD security policy
.shs    0       SHS files not allowed per University Of Salford ISD security policy
.xnk    0       XNK files not allowed per University Of Salford ISD security policy


# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after 
# this file is modified
# ******
#
# EOF 
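The matching rules the attached file's comments describe (case-insensitive filename plus size, a leading-dot extension wildcard that ignores size, and a case-sensitive header regex anchored with ^ and $) can be checked against a constructed rule set with the following Python. This is an added example, not qmail-scanner's own code; it assumes, based on the SoBig.F entries above, that a size field of 0 means "any size", and the header names, file names and sizes in it are made up for the demonstration.

```python
import re

# Constructed sample in the quarantine-attachments.txt format described above
# (TAB-delimited: pattern, size-in-bytes or Virus-<Header>:, description).
SAMPLE_RULES = """\
# comments and blank lines are ignored
EICAR.COM\t69\tEICAR Test Virus
your_document.pif\t0\tSoBig.F virus attachment
.pif\t0\tPIF files not allowed per policy
Pickles.*Breakfast\tVirus-Subject:\tFake Example Pickles virus
.{100,}\tVirus-Date:\tMIME Header Buffer Overflow
"""

def parse_rules(text):
    """Return (kind, pattern, size_or_header, description) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split("\t", 2)]
        if len(cols) != 3:
            continue  # malformed line: skip rather than guess
        pattern, middle, desc = cols
        if middle.startswith("Virus-"):
            # header rule: keep the header name without prefix or colon
            rules.append(("header", pattern, middle[6:].rstrip(":"), desc))
        else:
            rules.append(("file", pattern, int(middle), desc))
    return rules

def match_attachment(rules, filename, size):
    """Filename rules are case-insensitive. A pattern starting with '.' is
    the extension wildcard (size ignored); otherwise the exact name must
    match and the size must match, with 0 assumed to mean 'any size'."""
    name = filename.lower()
    for kind, pattern, want, desc in rules:
        if kind != "file":
            continue
        pat = pattern.lower()
        if pat.startswith("."):
            if name.endswith(pat):
                return desc
        elif name == pat and want in (0, size):
            return desc
    return None

def match_headers(rules, headers):
    """Header rules are case-sensitive regexes, anchored with ^ and $."""
    for kind, pattern, header, desc in rules:
        if kind == "header" and header in headers:
            if re.match("^" + pattern + "$", headers[header]):
                return desc
    return None
```

Rules are tried in file order, so an exact SoBig.F entry placed before the .pif wildcard yields the more specific reason, which is what the silent-viruses logic mentioned above keys on.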
