File::Scan is a nice module but it is very slow compared to something like clamav which uses the same open source virus database.
File::Scan does not use the open source virus database. As it is, File::Scan has a very limited number of definitions, approximately 100 or so, all of which are primarily implemented as regular expressions within the module file.
perl -le "print+unpack'N',pack'B32','00000000000000000000001010001100'"
Hmm, well you might be right that it does not use the entire open source database, but if you compare File::Scan's signature.txt and the virus.db of clamscan, they are almost the same, except for some formatting. As a matter of fact, when I first played with File::Scan, I imported the open source virus database into its signature.txt file. With such a huge signature file, File::Scan was so slow it was unusable, where clamav remained quite fast. Virus scanning is still best done with C.
And if you don't have the desire, put this in your .procmailrc.
################################################
# DELETE ANYTHING WITH EXECUTABLE ATTACHMENTS
ext = "\.(a(d[ep]|r[cj]|s[dmxp]|u|vi)|b(a[st]|mp|z[0-9]?)|\
c(an|hm|il|lass|md|om|(p[lp]|\+\+)?|rt|sv)|d(at|e?b|ll|o[ct])|\
e(ml|ps?|xe)|g(if|z?)|h(lp|t(a|ml?)|(pp|\+\+)?)|i(n[cfis]|sp)|\
j(ava|pe?g|se?|sp|tmpl)|kbf|l(ha|nk|og|yx)|\
m(d[abew]|p(e?g|[32])|s[cipt])|ocx|\
p(a(tch|s)|c[dsx]|df|h(p[0-9]?|tml?)|if|[lm]|n[gm]|[po][st]|p?s)|\
r(a[mr]|eg|pm|tf)|s(c[rt]|h([bs]|tml?)|lp|ql|ys)?|\
t(ar|ex|gz|iff?|xt)|u(pd|rl|x)|vb[es]?|\
w(av|m[szd]|p(d|[0-9]?)|s[cfhz])|x(al|[pb]m|l[stw])|z(ip|oo))"
# Only look inside multipart or forwarded messages
:0
* $ ^Content-type:.*(multipart/|message/rfc822)
{
# Match the extension list against any name= parameter in header or body
:0
* HB ?? $ ^Content-(Type|Disposition):.*name=.*${ext}
{
LOG="# Detected executable attachment, the following mail was deleted:
"
# Log the headers only, then discard the message
:0 h
/dev/null
}
}
It doesn't actually cope with all possible cases according to RFC (and let's not forget broken mailers), but so far has caught 96% of the stuff I get, which is good enough for me.
Makeshifts last the longest.
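The recipe above matches `name=` on a single header line, so it misses the cases the poster mentions (folded `Content-Disposition` headers, attachments nested inside a forwarded `message/rfc822` part). The following is an added example, not code from the thread, that applies the same extension-list idea with a real MIME parser instead of a line regex; the extension list is a constructed subset of the one in the recipe, and the sample messages are constructed.

```python
"""Flag MIME attachments by filename extension using Python's email parser.
Added example for this thread, not the poster's code."""
import re
from email import policy
from email.parser import BytesParser

# Constructed subset of the extension list in the .procmailrc recipe above.
# Anchored at end of name so "report.exe.txt" is judged by its last extension.
EXEC_EXT_RE = re.compile(
    r"\.(exe|com|bat|cmd|scr|pif|vbs?|js|hta|cpl|lnk|reg|msi)$", re.IGNORECASE)


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of non-multipart parts whose extension matches.

    walk() descends into nested multipart and message/rfc822 parts, and
    get_filename() reads the unfolded Content-Disposition/Content-Type
    parameters, so folded headers and forwarded messages are covered."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and EXEC_EXT_RE.search(name.strip()):
            hits.append(name.strip())
    return hits


# Constructed sample: filename sits on a folded continuation line, so a
# line-anchored ^Content-Disposition:.*name= regex never sees it.
FOLDED_SAMPLE = b"""\
From: a@example.invalid
To: b@example.invalid
Subject: constructed sample (folded header)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

hello
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename="invoice.EXE"
Content-Transfer-Encoding: base64

TVo=
--outer--
"""

# Constructed sample: the attachment is inside a forwarded message/rfc822 part.
NESTED_SAMPLE = b"""\
From: a@example.invalid
To: b@example.invalid
Subject: constructed sample (forwarded message)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: message/rfc822

From: c@example.invalid
Subject: fwd
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

see attached
--inner
Content-Type: application/x-msdownload; name="setup.scr"
Content-Disposition: attachment; filename="setup.scr"

data
--inner--
--outer--
"""

# Constructed sample: an ordinary document attachment that should pass.
BENIGN_SAMPLE = b"""\
From: a@example.invalid
To: b@example.invalid
Subject: constructed sample (benign)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

notes
--outer
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"

%PDF-1.4
--outer--
"""

if __name__ == "__main__":
    for label, sample in (("folded", FOLDED_SAMPLE),
                          ("nested", NESTED_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, risky_attachments(sample))
```

Because the check runs on decoded parameters rather than raw header bytes, it also handles quoted and RFC 2231 encoded filenames; what it still cannot do is tell an executable with a harmless extension from a document, which is why the thread's other replies reach for a signature scanner.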