[clamassassin-discuss] Rename virus file

James Lick jlick at jameslick.com
Sun Feb 5 19:03:21 PST 2006


Maxime V wrote:

> Hi,
>
> I successfully filter virus attachments.
> I now want to still receive the infected file, but I'd like to rename the file 
> (e.g. nude-mp3.exe --> nude-mp3.exe.bad).
>
> How can I do that?
>  
>

You could probably use munpack and mpack to rebuild a MIME message like 
that.

There are some reasons you would not want to do it though:

- If you only rename the file and not the content-type, then the email 
program will still open it as the original type.

- Even if you do change content-type, many email programs will try to be 
smart and figure out what type it is for you.

- Viruses can be in the message body instead of as an attachment, either 
as uuencode or as a raw base64 file.

- Modern viruses do not infect real files or emails, they generate their 
own independent emails.

- False positives are very rare.

If you are worried about losing legitimate mail, I would suggest 
quarantining the mail to a separate mail file which you can review 
periodically.  You could also use something like the demime program to 
remove attachments completely before passing them on or quarantining 
them.  I think you will find after some time that you never see any 
useful messages in quarantine.  I have been filtering for a long time 
and the only 'real' messages it's caught are from people who forward an 
infected message saying 'hey, I got this strange email.  what is it?'.

-- 
James Lick -- 黎建溥 -- jlick at jameslick.com -- http://jameslick.com/
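The first two caveats in the reply above, as an added example that is not part of the original message: it renames an attachment in a constructed sample message with Python's standard `email` package and reports what a mail client still has to go on afterwards. The helper names, the `application/x-msdownload` type and the 64-byte payload are assumptions made for illustration.

```python
from email.message import EmailMessage


def build_sample():
    """Constructed sample: a text body plus a fake .exe attachment (harmless bytes)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    # "MZ" is the DOS/PE executable magic; the rest is padding, not a program.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="x-msdownload", filename="nude-mp3.exe")
    return msg


def rename_attachments(msg, suffix=".bad", neutralize_type=False):
    """Append suffix to each attachment filename; optionally reset Content-Type."""
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        # Rewrite only the Content-Disposition filename parameter.
        del part["Content-Disposition"]
        part.add_header("Content-Disposition", "attachment", filename=name + suffix)
        if neutralize_type:
            part.replace_header("Content-Type", "application/octet-stream")
    return msg


def client_view(msg):
    """Per attachment: (filename, declared type, result of a content sniff)."""
    view = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        sniffed = "executable (MZ)" if data[:2] == b"MZ" else "unknown"
        view.append((part.get_filename(), part.get_content_type(), sniffed))
    return view


if __name__ == "__main__":
    # Rename only: the declared type still says it is a Windows executable.
    print(client_view(rename_attachments(build_sample())))
    # Rename and reset the type: the payload bytes still identify the file.
    print(client_view(rename_attachments(build_sample(), neutralize_type=True)))
```

In both runs the sniff column is unchanged, because renaming and retyping alter headers only and never the attachment bytes.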

