# Sample of well-known viruses that perlscan_scanner can use
#
# This is case-insensitive, and TAB-delimited.
#
# Format: three columns
#
# filename<TAB>size (in bytes)<TAB>Description of virus/whatever
gone.scr	38912	WORM_GONE.A Virus
# 2001.12.5
#
.pif	29020	WORM_BADTRANS.B Virus
.scr	29020	WORM_BADTRANS.B Virus
#
whatever.exe	4096	WORM_ALIZ.A Virus
# OR:
#
# string<TAB>Header<TAB>Description of virus/whatever
#
# [this one allows you to match on (e.g.) Subject line.]
#
# NOTE 1: This is the crudest "virus scanning" you can do - we are
# arbitrarily deciding that particular filenames of certain sizes contain
# viruses - when they may not. However this can be useful for the times
# when a new virus is discovered and your scanner cannot detect it (yet).
#
# NOTE 2: This is only good for picking up stand-alone viruses like the
# following. Macro viruses are impossible to detect with this method as
# they infect users' docs.
#
# NOTE 3: Wildcards are supported. This system can also be used to deny
# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other
# wildcard type is supported. Be very careful with this feature. With
# wildcards, the size field is ignored (i.e. any size matches).
#
# .exe	0	Executable attachment too large
#
# That would ban .EXE files from your site (but would
# still allow .zip files)...
#
# .mp3	0	MP3 attachments disallowed
#
# ...would stop any Email containing MP3 attachments passing.
#
# NOTE 4: No, you can't use this to ban any file (i.e. *.*) that's over
# a certain size - you should
# "echo 10000000 > /var/qmail/control/databytes"
# to set the maximum SMTP message size to 10Mb.
#
# NOTE 5: The second option allows you to match on header. This would allow
# you to block Email viruses when you don't know anything else other than
# there's a weird Subject line (or From line, or X-Spanska: header, ...).
# Note that it's a case-sensitive, REGEX string, and the system will
# automatically surround it with ^ and $ before matching. i.e. if you
# want wildcards, explicitly put them in...
#
# The string _must_be_ "Virus-" followed by the header you wish to match
# on - followed by a colon (:).
#
# e.g.
#
# Pickles.*Breakfast	Virus-Subject:	Fake Example Pickles virus
#
# will match "Subject: Pickles for Breakfast" - and
# not "Subject: Pickles - where did you go?"
#
#
#The following matches Date: headers that are over 100 chars in length
#these are impossible in the wild
.{100,}	Virus-Date:	Date Buffer Overflow trojan
#
.ade	0	Access Project Extension
.adp	0	Access Project
.bas	0	Visual Basic Class Module
.bat	0	COMMAND.COM batch file
.btm	0	JP Software fast batch file
.chm	0	Compiled HTML help file
.cmd	0	cmd.exe NT batch file
.com	0	Non relocable MSDOS executable binary
.cpl	0	Control Panel library
.crt	0	Security Certificate
.css	0	Cascading Style Sheets
.dll	0	Windows Dynamic Link Library
.exe	0	Executable binary
.hlp	0	Windows Help File
.hta	0	HTML Application
.inf	0	Setup Information file
.ins	0	Internet Communication Settings
.isp	0	Internet Communication Settings
.js	0	JavaScript
.jse	0	JavaScript Encoded
.lnk	0	Windows Explorer links
.mdb	0	Acess Application
.mde	0	Access MDE Database
.msc	0	Common Console Document
.msi	0	Windows Installer Package
.msp	0	Windows Installer Patch
.mst	0	Visual Test Source File
.nls	0	National Language Support
.pcd	0	Photo CD Image
.pif	0	Windows Program Information Files
.reg	0	Windows Registry file
.scr	0	Screen Saver
.sct	0	Scriptlet File
.shb	0	Shell Scrap object
.shs	0	Shell automation code
.url	0	Internet Shortcut (Uniform Resource Locator)
.vb	0	Script Script File
.vba	0	Visual Basic Application
.vbe	0	VisualBasic Encoded
.vbs	0	Visual Basic Script
.wsc	0	Windows Script Component
.wsf	0	Windows Scripting File
.wsh	0	Windows Scripting Host
#
EICAR.COM	70	EICAR Test Virus
Happy99.exe	10000	Happy99 Trojan
zipped_files.exe	120495	W32/ExploreZip.worm.pak virus
ILOVEYOU	Virus-Subject:	Love Letter Virus/Trojan
# EOF