The Community Forums

Interact with an entire community of cPanel & WHM users!

New Virus - W32.Novarg.A@mm / Mydoom

Discussion in 'General Discussion' started by alareach, Jan 27, 2004.

  1. Drew Nichols

    Drew Nichols Well-Known Member

    Joined:
    May 5, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SC
    What's the best tactic to filter this at the server level to prevent customer complaints?
     
  2. xerophyte

    xerophyte Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    216
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Install MailScanner + ClamAV, which will filter this virus and others. It works great.
     
  3. Drew Nichols

    Drew Nichols Well-Known Member

    Joined:
    May 5, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SC
    Thanks, I'll look for information on how to do this.
     
  4. Devil Inside

    Devil Inside Well-Known Member

    Joined:
    Apr 4, 2003
    Messages:
    277
    Likes Received:
    0
    Trophy Points:
    16
    Speaking of mailscanner...

    When I make changes to the MailScanner.config - do I have to restart it?

    And how?
     
  5. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    Yes, you need to restart:

    Code:
    killall -9 MailScanner
    /usr/mailscanner/bin/check_mailscanner
     
  6. Budwron

    Budwron Member

    Joined:
    Aug 25, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Are MailScanner and ClamAV an add-on to Exim, or is it a switch?
     
  7. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    It's an add-on. Exim is still the MTA, MailScanner scans and ClamAV is the AV system.
     
  8. Drew Nichols

    Drew Nichols Well-Known Member

    Joined:
    May 5, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SC
    As terribly lazy as it sounds, is there a how-to or install guide on how to do this anywhere that anyone is aware of? I'd love to offer this feature to clients. Thanks.
     
  9. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    How to install mail scanner from layer1:

    wget http://layer1.cpanel.net/mailscanner-autoinstall-1.5.tar.gz

    tar zxvf mailscanner-autoinstall-1.5.tar.gz

    cd mailscanner*
    ./install

    If you find it pauses on installing Perl mods for too long, you will need to install these manually.

    First, Ctrl-C out of the installer

    pico -w install

    Comment out these lines w/ a #

    Code:
    print "Installing Perl Modules...";
    ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML::Tagset","HTML::Parser","MIME::Tools","File::Temp","Convert::TNEF");
    print "Done\n";
    So they look like this:

    Code:
    #print "Installing Perl Modules...";
    #ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML::Tagset","HTML::Parser","MIME::Tools","File::Temp","Convert::TNEF");
    #print "Done\n";
    Then install the above modules via WHM's Perl Module installer, and finish the install: ./install
     
  10. Drew Nichols

    Drew Nichols Well-Known Member

    Joined:
    May 5, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SC
    Thank you so much!
     
  11. mfragoso

    mfragoso Active Member

    Joined:
    Oct 17, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Mexico City
    cPanel Access Level:
    Root Administrator
    Another way to get rid of it...

    Since last Thursday I installed the following rule inside antivirus.exim:



    if $message_body: contains "Windows-1252"
    then
    fail text "Message rejected, looks like Novarg Virus"
    seen finish
    endif


    It looks like it will catch more than that virus; however, it is rare to see a charset definition inside the body, especially with the windows-1252 value.
    Worked for me, I hope it works for you too.
     
  12. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    415
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    Re: Another way to get rid of it...

    When you say it's 'rare', what type of mail is that? Junk? Or International?

    Seems a bit of a broad stroke. Though, if it works, it might be good.
     
  13. mfragoso

    mfragoso Active Member

    Joined:
    Oct 17, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Mexico City
    cPanel Access Level:
    Root Administrator
    About the charset

    Rare in all senses....

    Windows 1252 is used on European languages (French, Spanish, Dutch, etc.). However, I run several servers in Latin America and none of them use it as default (maybe because our Spanish and your American English is ISO 8859-1 based by default).

    Additionally, the charset header is commonly used not in the body but in the header. So the rule won't catch most of the "European" messages.

    I have filtered those messages and this rule has been working flawlessly with over 1000 domains and no false bounces at all....

    I am not saying this is a replacement for an antivirus solution... just a quick and dirty fix, and that you can save some bandwidth and resources while looking for another solution.
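
Added example (not part of any post in this thread): a Python approximation of the `$message_body contains "Windows-1252"` test discussed above, run over three constructed messages to show where it fires. It assumes Exim's defaults: `$message_body` holds only the first 500 characters of the body with line breaks turned into spaces, and lowercase `contains` ignores case. All addresses, subjects and file names are made up.

```python
from email import message_from_string

BODY_VISIBLE = 500  # assumed: Exim's default message_body_visible

# Constructed sample messages (not captured traffic).
HEADER_ONLY = (
    'From: a@example.com\nSubject: hola\n'
    'Content-Type: text/plain; charset="Windows-1252"\n\n'
    'Nos vemos el martes.\n'
)
LEGIT_MULTIPART = (
    'From: b@example.com\nSubject: report\n'
    'Content-Type: multipart/alternative; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain; charset="windows-1252"\n\n'
    'Quarterly report below.\n'
    '--b1\nContent-Type: text/html; charset="windows-1252"\n\n'
    '<p>Quarterly report below.</p>\n--b1--\n'
)
SUSPECT_SHAPED = (
    'From: c@example.com\nSubject: hi\n'
    'Content-Type: multipart/mixed; boundary="b2"\n\n'
    '--b2\nContent-Type: text/plain; charset="Windows-1252"\n\n'
    'See attachment.\n'
    '--b2\nContent-Type: application/octet-stream; name="file.zip"\n\n'
    '(attachment bytes omitted)\n--b2--\n'
)

def exim_message_body(raw: str) -> str:
    """Approximate $message_body: start of the body, newlines as spaces."""
    _, _, body = raw.partition("\n\n")
    return body[:BODY_VISIBLE].replace("\n", " ")

def rule_matches(raw: str) -> bool:
    """The thread's test, case-insensitive like a lowercase 'contains'."""
    return "windows-1252" in exim_message_body(raw).lower()

def header_charset(raw: str):
    """Charset declared in the top-level Content-Type header, if any."""
    return message_from_string(raw).get_content_charset()

def report():
    samples = {"header_only": HEADER_ONLY,
               "legit_multipart": LEGIT_MULTIPART,
               "suspect_shaped": SUSPECT_SHAPED}
    return {name: (header_charset(raw), rule_matches(raw))
            for name, raw in samples.items()}

if __name__ == "__main__":
    for name, (charset, rejected) in report().items():
        print(f"{name:16} header charset={charset!s:13} rejected={rejected}")
```

The single-part message with the charset in its header passes, but any multipart message whose part headers declare windows-1252 is rejected, because MIME part headers are part of the body the filter sees. Logging matches for a while before switching the rule to `fail` shows how much legitimate multipart mail it would bounce.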
     
  14. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    415
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    Thanks

    I'll give it a try till I can get my ClamAV to scan zip files.
     
  15. cretu

    cretu Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    Great install tip!

    In case MailScanner does not work or screws something up, what is the procedure to uninstall it?

    Regards,
    Cretu
     
  16. Jeff75

    Jeff75 Well-Known Member

    Joined:
    Apr 11, 2003
    Messages:
    555
    Likes Received:
    0
    Trophy Points:
    16
    I had to uninstall it yesterday and just browsed to the directory and ran the uninstall script "./uninstall".

    IF YOU ARE RUNNING A FREEBSD SERVER, WHATEVER YOU DO, DO NOT INSTALL THIS SCRIPT!!!!!!!!!
     
  17. wills

    wills Well-Known Member

    Joined:
    Jan 29, 2003
    Messages:
    202
    Likes Received:
    1
    Trophy Points:
    18
    Is there a way to disregard the infected messages, rather than clean them up and still send them to the recipient?
     
  18. tomsyer

    tomsyer Active Member

    Joined:
    Aug 5, 2003
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    /usr/mailscanner/etc/MailScanner.conf is the config file

    you can disable it there
     
  19. tomsyer

    tomsyer Active Member

    Joined:
    Aug 5, 2003
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    # Notify the local system administrators ("Notices To") when any infections
    # are found?
    # This can also be the filename of a ruleset.
    Send Notices = no
     