E-mail scan with McAfee

Bruce Huang y.huang at UTORONTO.CA
Wed Nov 28 17:02:27 GMT 2001


Hello Ed,

Thanks for your advice.  I noticed this one, too.  One problem is:  it
breaks down into two messages:  one with the mail message id,
fAP9dDCc007036,  and the other is "opt", which I believe is taken from the full
path of this
file, /opt/local/mailscanner/var/incoming/fAP9dDCc007036/Spa_paper1.doc.com,
when McAfee scanned this virus.  For more detail, I spotted a message on the
console when McAfee found the virus:

cp: cannot access /opt/local/mailscanner/var/incoming/opt

When testing with Sophos, there is no such breakdown.

Thanks for any advice.

Bruce

On Wed, 28 Nov 2001 09:29:01 -0600, Ed Ortiz <Edward_Ortiz at SSA-SA.SEL.SONY.COM> wrote:

>Bruce, I think it is because the message triggered two "alerts" within
>mailscanner. It first caught that it had a hidden extension, the .doc.com,
>so it marks this as a virus, secondly McAfee found the Sircam virus, which
>would be where the second alert comes in.  I've noticed that Mailscanner
>flags any extensions that break the rules configured in filename.rules.conf
>as a virus.  Hope this helps.
>
>Ed.
>
>>>> Bruce Huang <y.huang at UTORONTO.CA> 11/28/01 9:07:35 AM >>>
>Hi,
>
>I am new to MailScanner and need some advice.  I have
>MailScanner 2.60-2 with McAfee installed on Sun Solaris 2.7 with
>sendmail 8.12.1.  Everything seems to be working fine except when the system
>sights a file with a virus, mailscanner thinks this is two files.
>Thanks for any advice in advance.
>
>Regards,
>
>Bruce
>
>
>p.s.  The following are the report I got:
>
>The report:
>
>The following e-mail messages were found to have viruses inside the
>attachment:
>
>   Sender: <X>
>Recipient: <Y>
>  Subject: Spa paper 1
>MessageID: fAP9dDCc007036
>   Report: Attempt to hide real filename extension in Spa paper1.doc.com
>
>   Sender:
>Recipient:
>  Subject:
>MessageID: opt
>   Report: /opt/local/mailscanner/var/incoming/fAP9dDCc007036/Spa paper
>1.doc.com        Found the W32/SirCam at MM virus !!!
>
>
>The system log
>
>Nov 26 08:01:29 hudson.geog.utoronto.ca sm-mta[19684]: fAQD1KCc019684:
>from=<X>, size=216456, class=0, nrcpts=1,
>msgid=<20011126133235.E6A8D1FD54 at bom6.vsnl.net.in>, proto=ESMTP,
>daemon=MTA, relay=bom6.vsnl.net.in [202.54.4.38]
>Nov 26 08:01:29 hudson.geog.utoronto.ca sm-mta[19684]: fAQD1KCc019684:
>to=<Y>, delay=00:00:07, mailer=esmtp, pri=250658, stat=queued
>
>Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Using flock()
>to lock /var/spool/mqueue.in/qffAQD1KCc019684
>Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Using flock()
>to lock >/var/spool/MailScanner/incoming/fAQD1KCc019684.header
>Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Scanning 1
>messages, 217558 bytes
>Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Going to scan 1
>messages
>Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Commencing
>scanning...
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Completed
>scanning
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Found possible
>filename hiding in 2.doc.com
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Found 2 viruses
>in messages opt,fAQD1KCc019684
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Scanned 1
>messages, 217558 bytes in 1 seconds
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Saved
>infections to /var/spool/MailScanner/quarantine/20011126/opt
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Saved
>infections to /var/spool/MailScanner/quarantine/20011126/fAQD1KCc0196
>84
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Deleting
>unparsable message opt from queue
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Using flock()
>to lock >/var/spool/mqueue/dffAQD1KCc019684
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Using flock()
>to lock >/var/spool/mqueue/tffAQD1KCc019684
>Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: About to
>deliver 2 messages
>Nov 26 08:01:55 hudson.geog.utoronto.ca sendmail[19694]: fAQD1t6U019694:
>from=root, size=505, class=0, nrcpts=1,
>msgid=<200111261301.fAQD1t6U019694 at hudson.geog.utoronto.ca>,
>relay=root at localhost
>Nov 26 08:01:55 hudson.geog.utoronto.ca sendmail[19693]:
>fAQD1KCc019684: to=<Y>, delay=00:00:33, xdelay=00:00:00,
>mailer=esmtp, pri=340658, relay=cirque.geog.utoronto.ca.
>[128.100.66.10], dsn=2.0.0, stat=Sent (Data received OK.)
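As an added illustration (not MailScanner's own code, and not code posted by anyone in this thread), the Python below reproduces the parsing failure the thread describes and shows a parser that avoids it. It assumes a report line of the form `<path>   Found the <name> !!!`, modelled on the quoted McAfee report, and the incoming directory `/opt/local/mailscanner/var/incoming` quoted above; the sample lines are constructed, not captured output. The naive parser cuts the path at the first space and, for an absolute path, takes the first directory component (`opt`) as the message id, which is exactly the second "message" in the report and the `cp: cannot access .../incoming/opt` error. The robust parser anchors on the scanner's fixed keyword instead of whitespace, makes an absolute path relative to the incoming directory, rejects paths outside it, and validates the queue id before using it as a directory name.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumed incoming directory, taken from the path quoted in the thread.
INCOMING_DIR = "/opt/local/mailscanner/var/incoming"

# Constructed sample report lines modelled on the quoted McAfee output
# (not real scanner output captured from the list).
SAMPLE_LINES = [
    "/opt/local/mailscanner/var/incoming/fAP9dDCc007036/Spa paper 1.doc.com"
    "        Found the W32/SirCam@MM virus !!!",
    "fAQD1KCc019684/2.doc.com    Found the W32/SirCam@MM virus !!!",
    "/opt/local/mailscanner/var/incoming/fAQD1KCc019684/report.zip/inner.exe"
    "   Found the EICAR test file !!!",
    # Outside the incoming directory: a parser must refuse to act on this.
    "/etc/passwd   Found the EICAR test file !!!",
]

# A queue id is a plain alphanumeric token; anything else is not a message.
QUEUE_ID = re.compile(r"^[A-Za-z0-9]+$")
# Anchor on the scanner's fixed report keyword, not on whitespace, so a
# filename that contains spaces ("Spa paper 1.doc.com") survives intact.
REPORT_LINE = re.compile(r"^(?P<path>.+?)\s+Found the (?P<report>.+?)\s*!*\s*$")


def naive_parse(line: str) -> Tuple[str, str]:
    """The whitespace-splitting parse that produces the symptom in the thread.

    The path is cut at the first space, and for an absolute path the first
    directory component ('opt') is mistaken for the message id.
    """
    tokens = line.split()
    if not tokens:
        return "", ""
    parts = tokens[0].lstrip("/").split("/")
    return parts[0], "/".join(parts[1:])


def parse_report_line(line: str, incoming_dir: str = INCOMING_DIR
                      ) -> Optional[Tuple[str, str, str]]:
    """Return (message_id, attachment_path, report), or None when the line is
    malformed, lies outside incoming_dir, or carries an invalid queue id."""
    m = REPORT_LINE.match(line)
    if not m:
        return None
    path = m.group("path")
    if os.path.isabs(path):
        # Make the path relative to the incoming directory; normpath first so
        # any '..' segments are collapsed before the containment check.
        rel = os.path.relpath(os.path.normpath(path), incoming_dir)
        if rel.startswith(".."):
            return None  # escapes the incoming directory
        path = rel
    message_id, sep, attachment = path.partition("/")
    if not sep or not QUEUE_ID.match(message_id):
        return None
    return message_id, attachment, m.group("report")


def group_by_message(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group scanner hits by message id, the way a per-message virus count
    or quarantine step would need them."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        parsed = parse_report_line(line)
        if parsed is None:
            continue
        message_id, attachment, report = parsed
        found.setdefault(message_id, []).append((attachment, report))
    return found


if __name__ == "__main__":
    print("naive parse of line 1:", naive_parse(SAMPLE_LINES[0]))
    for mid, hits in group_by_message(SAMPLE_LINES).items():
        print(mid, hits)
```

With the constructed input, the naive parse reports a message called `opt`, while the robust parser attributes both hits to their real queue ids and drops the line that points outside the incoming directory.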
