E-mail scan with McAfee

Nick Phillips nwp at LEMON-COMPUTING.COM
Wed Nov 28 18:47:15 GMT 2001


On Wed, Nov 28, 2001 at 05:02:27PM +0000, Bruce Huang wrote:

> Thanks for your advice.  I notice this one, too.  One problem is:  it
> breaks down into two messages:  one with the mail message id,
> fAP9dDCc007036,  and the other is opt which I believe is taken from the full
> path of this
> file /opt/local/mailscanner/var/incoming/fAP9dDCc007036/Spa_paper1.doc.com,
> when McAfee scanned this virus.  For more detail, I spotted a message on the
> console when McAfee found the virus:
>
> cp: cannot access /opt/local/mailscanner/var/incoming/opt

As in "on the console from which you started mailscanner"?

> By testing with sophos, there is no such break down.

So presumably mcafee is doing something odd.

> >The report:
> >
> >The following e-mail messages were found to have viruses inside the
> >attachement:
> >
> >   Sender: <X>
> >Recipient: <Y>
> >  Subject: Spa paper 1
> >MessageID: fAP9dDCc007036
> >   Report: Attempt to hide real filename extension in Spa paper1.doc.com
> >
> >   Sender:
> >Recipient:
> >  Subject:
> >MessageID: opt
> >   Report: /opt/local/mailscanner/var/incoming/fAP9dDCc007036/Spa paper
> >1.doc.com        Found the W32/SirCam at MM virus !!!

Does this all appear in the same mail, or in two separate ones?


> >The system log
> >
...
> >Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Scanning 1
> >messages, 217558 bytes
> >Nov 26 08:01:54 hudson.geog.utoronto.ca mailscanner[18965]: Going to scan 1
> >messages
...
> >Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Found possible
> >filename hiding in 2.doc.com

Was the filename originally this? Or is something failing to handle spaces
in filenames correctly? (looks like it might have been "Something 2.doc.com")

> >Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Found 2 viruses
> >in messages opt,fAQD1KCc019684

This looks like maybe something has created an extra file/directory in
mailscanner's working area - McAfee, no doubt. As to why, I'm not sure.

How are you calling McAfee? Are you using the mcafeewrapper script? What
is your "Sweep" option set to in your mailscanner.conf?

> >Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Saved
> >infections to /var/spool/MailScanner/quarantine/20011126/opt
> >Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Saved
> >infections to /var/spool/MailScanner/quarantine/20011126/fAQD1KCc0196
> >84
> >Nov 26 08:01:55 hudson.geog.utoronto.ca mailscanner[18965]: Deleting
> >unparsable message opt from queue

Again, looks like mcafee's been dumping extra files somewhere.



Cheers,


Nick

--
Nick Phillips -- nwp at lemon-computing.com
The time is right to make new friends.
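The split Nick suspects above (a filename containing spaces being cut at whitespace, so the path fragment yields the bogus message id "opt") can be reproduced with a small parser. This is an added illustration, not code from the thread or from MailScanner; the report line is constructed from the quoted McAfee output and the incoming directory, and the naive parser is only a hypothesis of how such an id could arise.

```python
import re

# Constructed sample modelled on the McAfee line quoted in the thread: absolute
# path under the incoming area, a run of spaces, then the scanner's verdict.
INCOMING = "/opt/local/mailscanner/var/incoming"
SAMPLE_LINE = (
    f"{INCOMING}/fAP9dDCc007036/Spa paper 1.doc.com"
    "        Found the W32/SirCam at MM virus !!!"
)


def naive_parse(line):
    """Whitespace-split parse (hypothetical): breaks on any filename with a space."""
    tokens = line.split()
    path = tokens[0]                      # ".../fAP9dDCc007036/Spa" - truncated
    verdict = " ".join(tokens[1:])        # "paper 1.doc.com Found the ..." - polluted
    # If the parser expects "<msgid>/<file>" relative to the incoming area, an
    # absolute path makes the first non-empty component 'opt' - the bogus id.
    msgid = path.split("/")[1]
    return msgid, path, verdict


def robust_parse(line, incoming=INCOMING):
    """Anchor on the known incoming directory and the verdict marker, never on
    single spaces, so message id and filename survive embedded whitespace."""
    pattern = rf"^{re.escape(incoming)}/([^/\s]+)/(.+?)\s{{2,}}(Found .*)$"
    m = re.match(pattern, line)
    if not m:
        return None                       # unknown line shape: refuse to guess
    msgid, filename, verdict = m.groups()
    return msgid, filename, verdict.strip()


def hides_extension(filename):
    """MailScanner-style check for a double extension ending in an executable
    type; it only works when the whole filename (spaces included) is kept."""
    parts = filename.lower().split(".")
    return len(parts) > 2 and parts[-1] in {"com", "exe", "pif", "scr", "bat"}


if __name__ == "__main__":
    print("naive :", naive_parse(SAMPLE_LINE))
    print("robust:", robust_parse(SAMPLE_LINE))
```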


