Re: antivirus recomendation?

To: debian-user@lists.debian.org
Subject: Re: antivirus recomendation?
From: "Monique Y. Herman" <spam@bounceswoosh.org>
Date: Tue, 25 Nov 2003 14:49:08 -0700
Message-id: <[🔎] slrnbs7jik.66j.spam@home.bounceswoosh.org>
Mail-followup-to: debian-user@lists.debian.org
References: <[🔎] 20031120155900.GG14411@barnyard.sweetpig.dyndns.org> <[🔎] 14gv81-ihr.ln1@dman13.dyndns.org> <[🔎] 20031120221257.71c6f9b4.arnt@c2i.net> <[🔎] slrnbrqm7h.78v.spam@home.bounceswoosh.org> <[🔎] 20031121141016.467f91ac.arnt@c2i.net> <[🔎] s02291-u38.ln1@dman13.dyndns.org>

On Fri, 21 Nov 2003 at 18:27 GMT, Derrick 'dman' Hudson penned:
> On Fri, 21 Nov 2003 14:10:16 +0100, Arnt Karlsen wrote:
>> On Thu, 20 Nov 2003 17:14:41 -0700, "Monique Y. Herman"
>> <spam@bounceswoosh.org> wrote in message
>> <[🔎] slrnbrqm7h.78v.spam@home.bounceswoosh.org>:
>> 
>>> On Thu, 20 Nov 2003 at 21:12 GMT, Arnt Karlsen penned:
>>> > 
>>> > ..other wintendo compiler and virus signatures, anyone?
>>> > 
>>> 
>>> filename\=.*\.(pif|scr|exe|bat|com|vbs)
> 
> Be aware that this is incomplete and could also yield false positives.
> Just suppose, for a dumb off-the-top-of-my-head example, I send a file
> to you named "shell.commands".  You'll reject it as being an MS
> executable.  That's the false positive portion.  You need to anchor
> the pattern, according to MIME rules, but then you need lots of
> variation due to variations allowed in the MIME rules.  Your list of
> extensions is also about 3 or 4 times as short as the more complete
> ones I've seen on the web.  To be truly accurate, you need an actual
> MIME parser, not a regex here.

Hrm.  I'm using the above line within tmda, and I'm pretty sure
(although not 100% sure) that, the way I use it, it only looks for lines
that *end* in those extensions.  The rule is:

body 'filename\=.*\.(pif|scr|exe|bat|com|vbs)' drop

No, it's not perfect, but it works for most everything I've had to deal
with.

Anyway, I didn't expect that I would be the only one to answer the
question ... I expected to see a lot of people chiming in, if only to
mention "you forgot extension .foo," etc.  If you know of other
extensions that should be blocked, by all means, share them.

>> ..thanks Monique, that I guess leaves "other wintendo compiler
>> signatures, anyone?".  ;-)
>> 
>> ..does anyone have a good guess which compiler was used compiling
>> Swen?
> 
> MSVC.  (Microsoft Visual C / C++,  aka Visual Studio)  What else would
> a windows person use?  (Ok, Borland perhaps.  I wouldn't be surprised
> if that generated the same "this app needs windows, not dos" header)
> 
> -D
> 


-- 
monique
PLEASE don't CC me.  Please.  Pretty please with sugar on top.
Whatever it takes, just don't CC me!  I'm already subscribed!!

Reply to:

References:
- antivirus recomendation?
  - From: Stephen <dallan@rogers.com>
- Re: antivirus recomendation?
  - From: Derrick 'dman' Hudson <dman@dman13.dyndns.org>
- Re: antivirus recomendation?
  - From: Arnt Karlsen <arnt@c2i.net>
- Re: antivirus recomendation?
  - From: "Monique Y. Herman" <spam@bounceswoosh.org>
- Re: antivirus recomendation?
  - From: Arnt Karlsen <arnt@c2i.net>
- Re: antivirus recomendation?
  - From: Derrick 'dman' Hudson <dman@dman13.dyndns.org>

Prev by Date: Frozen mouse and keyboard in new Woody installation
Next by Date: Re: apt-get update not working properly 11/21/03
Previous by thread: Re: antivirus recomendation?
Next by thread: False-positive virus detection (was Re: antivirus recomendation?)
Index(es):
- Date
- Thread