[clamassassin-discuss] Rename virus file
James Lick
jlick at jameslick.com
Sun Feb 5 19:03:21 PST 2006
Maxime V wrote:
> Hi,
>
> I successfully filter virus attachments.
> I now want to still receive the infected file, but I'd like to rename the file
> (ex : nude-mp3.exe --> nude-mp3.exe.bad).
>
> How can I do that ?
>
>
You could probably use munpack and mpack to rebuild a mime message like
that.
There are some reasons you would not want to do it though:
- If you only rename the file and not the content-type, then the email
program will still open it as the original type.
- Even if you do change content-type, many email programs will try to be
smart and figure out what type it is for you.
- Viruses can be in the message body instead of as an attachment either
as uuencode or raw base64 file.
- Modern viruses do not infect real files or emails, they generate their
own independent emails.
- False positives are very rare.
If you are worried about losing legitimate mail, I would suggest
quarantining the mail to a separate mail file which you can review
periodically. You could also use something like the demime program to
remove attachments completely before passing them on or quarantining
them. I think you will find after some time that you never see any
useful messages in quarantine. I have been filtering for a long time
and the only 'real' messages it's caught are from people who forward an
infected message saying 'hey, I got this strange email. what is it?'.
--
James Lick -- 黎建溥 -- jlick at jameslick.com -- http://jameslick.com/
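
The first two caveats in the reply above, shown as an added example (not part of the original post, and not clamassassin, munpack or mpack code). It uses Python's standard `email` package on a constructed message; the function names and the sample message are assumptions made for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed sample: a text body plus one harmless 'exe' attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="x-msdownload", filename="sample.exe")
    return msg.as_bytes()


def rename_only(raw: bytes, suffix: str = ".bad") -> EmailMessage:
    """Append a suffix to each attachment filename; Content-Type is untouched."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            del part["Content-Disposition"]
            part.add_header("Content-Disposition", "attachment",
                            filename=name + suffix)
    return msg


def rename_and_retype(raw: bytes, suffix: str = ".bad") -> EmailMessage:
    """Rename as above and also replace the declared type with a generic one."""
    msg = rename_only(raw, suffix)
    for part in msg.iter_attachments():
        del part["Content-Type"]
        part["Content-Type"] = "application/octet-stream"
    return msg


def attachment_view(msg: EmailMessage):
    """What a mail client is handed: (filename, declared type, decoded bytes)."""
    return [(p.get_filename(), p.get_content_type(), p.get_content())
            for p in msg.iter_attachments()]


if __name__ == "__main__":
    raw = build_sample()
    print(attachment_view(rename_only(raw)))        # original type still declared
    print(attachment_view(rename_and_retype(raw)))  # type generic, bytes identical
```

In both results the decoded bytes are identical to the original, which is what a client that inspects the content to guess the type works from.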