Subject: Re: recommendations for virus/worm scanning software?
To: Michael Wolfson <email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 09/20/2003 13:11:28
[ On Saturday, September 20, 2003 at 01:34:55 (-0700), Michael Wolfson wrote: ]
> Subject: recommendations for virus/worm scanning software?
> I've been slammed with a ton of worms the past two days. What do y'all
> recommend I use from pkgsrc to block them (using postfix)?
If I'm not too confused over all the various Postfix versions I
think you can use the following regex with the most recent version
available in pkgsrc, in a content filter, to block almost any possible
executable worm or virus (but not macro/VB worms -- you need to block
all attachments to do that; this RE apparently just matches a
MIME/BASE64 encoded W32 ELF header):
This one is a little less aggressive than blocking all attachments, but
does a reasonable job of blocking files that are _labeled_ as executable
(W32 apparently doesn't care what the filename extension is any more):
(watch out with cut&paste -- there are tabs in there!)
^[ ]*content-(disposition|type).*name[ ]*=[ ]*"?(.*\.(386|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|jse|lnk|mdb|mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|pgm|pif|pkg|pot|ppt|pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|shs|swf|sys|tlb|tsp|ttf|vb|vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|wsc|wsf|wsh|xla|xlb|xlc|xld|xlk|xll|xlm|xls|xlt|xlv|xlw|xnk))"?[ ]*$
Also: don't run M$ Windoze. (no smiley -- I'm very serious.)
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <email@example.com>
Planix, Inc. <firstname.lastname@example.org> Secrets of the Weird <email@example.com>
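
Added example (not part of the original message, and not the author's or Postfix's own code): a Python dry run of the filename pattern above over a constructed MIME message, to check what it would reject before deploying it. It assumes each bracket expression originally held a space and a tab, that matching is case-insensitive, and that the filter sees each header unfolded to one line; `logical_headers` and `blocked_names` are names made up for this sketch.

```python
import re
from email import message_from_string

# Extension list copied from the pattern in the message above.
EXTS = (
    "386|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|"
    "csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|jse|lnk|mdb|"
    "mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|pgm|pif|pkg|pot|ppt|"
    "pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|shs|swf|sys|tlb|tsp|ttf|vb|"
    "vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|wsc|wsf|wsh|xla|xlb|xlc|xld|xlk|"
    "xll|xlm|xls|xlt|xlv|xlw|xnk"
)
# Assumption: each [ ] in the message originally held a space and a tab.
BLOCK_RE = re.compile(
    r'^[ \t]*content-(disposition|type).*name[ \t]*=[ \t]*"?(.*\.(' + EXTS + r'))"?[ \t]*$',
    re.IGNORECASE,  # assumption: the filter matches case-insensitively
)

def logical_headers(part):
    """Yield Content-Type/Content-Disposition headers unfolded to one line each."""
    for name, value in part.items():
        if name.lower() in ("content-type", "content-disposition"):
            yield name + ": " + " ".join(value.split())

def blocked_names(raw_message):
    """Return the attachment names the pattern would reject, in header order."""
    hits = []
    for part in message_from_string(raw_message).walk():
        for line in logical_headers(part):
            m = BLOCK_RE.match(line)
            if m:
                hits.append(m.group(2))
    return hits

# Constructed sample message (not real traffic); the second part has a folded header.
SAMPLE = "\n".join([
    'MIME-Version: 1.0',
    'Content-Type: multipart/mixed; boundary="XX"',
    '', '--XX', 'Content-Type: text/plain', '', 'hello',
    '--XX', 'Content-Type: application/octet-stream;', '\tname="Report.PIF"',
    'Content-Disposition: attachment; filename="Report.PIF"', '', 'AAAA',
    '--XX', 'Content-Type: image/png; name="logo.png"', '', 'AAAA',
    '--XX', 'Content-Type: application/msword',
    'Content-Disposition: attachment; filename=minutes.doc', '', 'AAAA',
    '--XX--', '',
])

if __name__ == "__main__":
    print(blocked_names(SAMPLE))
```

The list includes doc, xls, ppt and rtf, so the dry run flags the ordinary office document along with the .PIF attachment.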