l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
April 21: Google Glass
Next Installfest:
TBD
Latest News:
Mar. 18: Google Glass at LUGOD's April meeting
Page last updated:
2003 Sep 23 22:50

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] the answer to all my virus problems
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] the answer to all my virus problems



On 2003.09.20 14:56, p@dirac.org wrote:
roland smith, whom i met while googling shared a *wonderful* procmail
recipe that catches windows viruses.  it's made my life bearable.
here
it is:



# Broad antivirus recipe:
#
# It looks at the contents of attachments. The 2nd condition is the
header of
# a win32 exe encoded with the base64 algorithm. No matter how the
virus is
# named, that header MUST have this specific form, or it won't be
recognized
# by windows as an executable.  So every attachment that starts with
# TVqQAAMAAAAEAAAA//8AALg is a win32 program and a potential virus.
The 3rd
# condition is the string "this program cannot be run in MS-DOS mode"
encoded
# in base64.  It's there just to be sure, and avoid false positives.
#
:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVqQAAMAAAAEAAAA//8AALg
* 4fug4AtAnNIbg
{
	LOG="[virus: win32 exe]     "

	:0
	DUMP
}


just cut and paste into .procmailrc and your 99E999 swen viruses per
day
wil be placed into $MAILDIR/DUMP (or /dev/null if that's what you
want).


the guy had some good procmail recipes on his website:

http://www.xs4all.nl/~rsmith/spamblock.html
This rule will be useless on UC Davis email accounts except possibly in the first couple hours of an attach. UC Davis uses MIMEDefang on all of its incoming emails, so the attachment was stripped but the messages kept propagating to my email address. Unfortunately, MIMEDefang doesn't seem to leave any indication behind when it removes something, so I couldn't grep for that. For the W32.Swen.A@mm, I just grep for some of the data in its images (Spamassassin's bayenessian filter wasn't doing such a good job of stopping this virus from appearing in my inbox):

# Filter away the (MimeDefang'ed) W32.Swen.A@mm virus
:0 B:
* ^zIGArlZWu25ux319xWpqnnNzppaWy46
* ^3EWC31mS40Zxr4uw6LXN8iZkuXmn5
* ^Content-transfer-encoding: base64
probably-virus/.


--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***

Attachment: pgp00011.pgp
Description: PGP signature



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.