On Fri, 21 Nov 2003 at 18:27 GMT, Derrick 'dman' Hudson penned:
> On Fri, 21 Nov 2003 14:10:16 +0100, Arnt Karlsen wrote:
>> On Thu, 20 Nov 2003 17:14:41 -0700, "Monique Y. Herman"
>> <[EMAIL PROTECTED]> wrote in message
>> <[EMAIL PROTECTED]>:
>>
>>> On Thu, 20 Nov 2003 at 21:12 GMT, Arnt Karlsen penned:
>>> >
>>> > ..other wintendo compiler and virus signatures, anyone?
>>> >
>>>
>>> filename\=.*\.(pif|scr|exe|bat|com|vbs)
>
> Be aware that this is incomplete and could also yield false positives.
> Just suppose, for a dumb off-the-top-of-my-head example, I send a file
> to you named "shell.commands". You'll reject it as being an MS
> executable. That's the false positive portion. You need to anchor
> the pattern, according to MIME rules, but then you need lots of
> variation due to variations allowed in the MIME rules. Your list of
> extensions is also about 3 or 4 times as short as the more complete
> ones I've seen on the web. To be truly accurate, you need an actual
> MIME parser, not a regex here.

Hrm. I'm using the above line within tmda, and I'm pretty sure
(although not 100% sure) that, the way I use it, it only looks for lines
that *end* in those extensions. The rule is:

body 'filename\=.*\.(pif|scr|exe|bat|com|vbs)' drop

No, it's not perfect, but it works for most everything I've had to deal
with.

Anyway, I didn't expect that I would be the only one to answer the
question ... I expected to see a lot of people chiming in, if only to
mention "you forgot extension .foo," etc. If you know of other
extensions that should be blocked, by all means, share them.

>> ..thanks Monique, that I guess leaves "other wintendo compiler
>> signatures, anyone?". ;-)
>>
>> ..does anyone have a good guess which compiler was used compiling
>> Swen?
>
> MSVC. (Microsoft Visual C / C++, aka Visual Studio) What else would
> a windows person use? (Ok, Borland perhaps. I wouldn't be surprised
> if that generated the same "this app needs windows, not dos" header)
>
> -D
>

--
monique

PLEASE don't CC me. Please. Pretty please with sugar on top.
Whatever it takes, just don't CC me! I'm already subscribed!!
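
Added example, not part of the original messages: a Python sketch of the point made in the quoted reply, running the thread's regex line by line and then checking decoded attachment names with the standard library's MIME parser. The sample message, its addresses and its file names are constructed, and the blocked list is only the six extensions from the thread's pattern.

```python
import email
import re

# The pattern quoted in the thread, applied line by line to the raw message.
THREAD_REGEX = re.compile(r'filename\=.*\.(pif|scr|exe|bat|com|vbs)')
# Same extension list as the thread's pattern (the thread notes it is incomplete).
BLOCKED = {"pif", "scr", "exe", "bat", "com", "vbs"}

# Constructed sample: one harmless attachment, and one blocked type whose name
# is carried in an RFC 2231 "filename*=" parameter.
SAMPLE = """\
From: a@example.org
To: b@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain
Content-Disposition: attachment;
 filename="shell.commands"

ls -l
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=us-ascii''photo%2Escr

(placeholder body)
--XX--
"""

def regex_hits(raw):
    """Lines of the raw message that the thread's regex would flag."""
    return [ln.strip() for ln in raw.splitlines() if THREAD_REGEX.search(ln)]

def blocked_attachments(raw):
    """Decoded attachment names whose final extension is in BLOCKED."""
    hits = []
    for part in email.message_from_string(raw).walk():
        name = part.get_filename() or ""  # unquoted, RFC 2231 decoded
        _, dot, ext = name.rstrip(". ").rpartition(".")
        if dot and ext.lower() in BLOCKED:
            hits.append(name)
    return hits

if __name__ == "__main__":
    print("regex:", regex_hits(SAMPLE))
    print("MIME :", blocked_attachments(SAMPLE))
```

On this sample the regex flags only the harmless "shell.commands" line and passes the encoded .scr name, while the parser-based check does the reverse.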