[sanesecurity] Re: Sanesecurity.Jurlbl.5624.UNOFFICIAL matches "com"

  • From: Tom Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Tue, 14 Jul 2009 08:23:41 -0400

At 9:54 AM +0100 7/14/09, sanesecurity@xxxxxxxxxxxx wrote:
Sebastian Berm wrote:

If any of the emails that are scanned are then flagged up as
infected by one of the new signatures you could spit out a fatal warning
and not apply the new sigs.

Rather, I am planning to simply strip the signatures that do not meet the
user's minimum character requirements and possibly place them into a
temporary file for viewing and maybe even log the occurrence to the log
file.

That's not a very good solution. All that does is stop small domains being listed. It doesn't stop domains like facebook.com being listed. A *much* better solution would be to give the user an option to scan a folder(s) of their selection before rolling them out.
Wouldn't it just be a better idea to implement something like this before the signatures are even distributed to the mirrors? I do agree with you, it would be a nice option, however, I also agree with Bill that the script is slowly becoming a Swiss Army knife...
Not really bad, but perhaps it should be a plugin or something.

I think the "com" listing and the "acebook.com" listing from less than 2 months ago prove that there should be some sort of checking against ham in the main script. It shouldn't be a particularly difficult thing to implement as all you have to do is run a "clamscan -d /path/to/new/signatures /path/to/some/ham" and parse the output. Unfortunately I'm not that great on shell scripting. If it was Perl, I'd write a patch and submit it.

Mike,

Please contribute a Perl script to do that. Folks can either use it or not, and Bill and Gerard could incorporate it or not.

Tom
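
Added example, not part of the original thread and not code from the Sanesecurity scripts: a shell sketch of the ham check proposed above, running `clamscan -d` with only the candidate signatures loaded and parsing the `FOUND` lines to decide whether to deploy. The function names, the second signature name and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: block deployment of a candidate signature file that matches ham.

# Constructed clamscan output. The first signature name is the one from this
# thread; the second name and all paths are made up for the example.
sample_output() {
    cat <<'EOF'
/ham/inbox/1.eml: Sanesecurity.Jurlbl.5624.UNOFFICIAL FOUND
/ham/inbox/2.eml: OK
/ham/lists/3.eml: Sanesecurity.Jurlbl.5624.UNOFFICIAL FOUND
/ham/lists/4.eml: Example.Constructed.1.UNOFFICIAL FOUND
EOF
}

# Read clamscan output on stdin; print "signature<TAB>ham files matched",
# worst offender first. Greedy match keeps paths containing ": " intact.
ham_hits() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' | sort | uniq -c | sort -rn |
        awk '{ print $2 "\t" $1 }'
}

# Scan ham with ONLY the candidate database loaded (-d), so every hit is
# attributable to the new signatures.
# Returns 0 = safe to deploy, 1 = matched ham, 2 = scanner error.
check_candidate() {
    db=$1 ham=$2 rc=0
    out=$(clamscan --no-summary -i -r -d "$db" "$ham") || rc=$?
    # clamscan exits 0 (clean) or 1 (match found); anything else is an error,
    # and an error must never be read as "clean".
    [ "$rc" -le 1 ] || return 2
    hits=$(printf '%s\n' "$out" | ham_hits)
    if [ -z "$hits" ]; then return 0; fi
    printf 'not deploying %s; signatures matching ham:\n%s\n' "$db" "$hits" >&2
    return 1
}

if [ "$#" -eq 2 ]; then
    check_candidate "$1" "$2"
else
    sample_output | ham_hits
fi
```

The check is only as good as the ham corpus: a signature such as "com" is caught only if the scanned folder contains ordinary mail with links in it.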

