Filename rules and virus

Julian Field mailscanner at ecs.soton.ac.uk
Fri Nov 15 14:59:32 GMT 2002 

That's a subtle one. Fixed for the next release. In the mean time the patch 
is a 1-line change if you need this functionality in a hurry:

--- 
/root/unstable/mailscanner/mailscanner/bin/MailScanner/MessageBatch.pm 
Fri Nov  8 16:13:58 2002
+++ MessageBatch.pm     Fri Nov 15 15:12:15 2002
@@ -607,6 +607,7 @@
      if ($message->{deleted} ||
          $message->{cantparse} ||
          $message->{badtnef} ||
+        $message->{nameinfected} ||
          ($message->{allreports} && $message->{allreports}{""}) ||
          !MailScanner::Config::Value('deliverdisinfected',$message)) {
        $message->DeleteMessage();


At 14:24 15/11/2002, you wrote:
>Hello,
>
>I just discovered something strange:  an email with an infected .EXE got
>trapped by MS and quarantined (as per the filename rules) but McAfee was
>able to disinfect it so MS decided to send it to the recipient,
>disregarding the filename rules!
>
>Nov 15 06:36:08 smtp3 MailScanner[29982]: New Batch: Scanning 1 messages, 
>207433 bytes
>Nov 15 06:36:08 smtp3 MailScanner[29982]: Spam Checks: Starting
>Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus and Content Scanning: Starting
>Nov 15 06:36:08 smtp3 MailScanner[29982]: 
>/gAFBa4w14876/Server.exe        contient le virus W32/Magistr.b at MM !!!
>Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: mcafee found 1 
>infections
>Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: Found 1 viruses
>Nov 15 06:36:08 smtp3 MailScanner[29982]: Filename Checks: Fichiers EXE 
>dangereux (Server.exe)
>Nov 15 06:36:08 smtp3 MailScanner[29982]: Other Checks: Found 1 problems
>Nov 15 06:36:08 smtp3 MailScanner[29982]: Saved infected "Server.exe" to 
>/quarantaine/usherbrooke/20021115/gAFBa4w14876
>Nov 15 06:36:08 smtp3 MailScanner[29982]: Cleaned: Delivered 1 cleaned 
>messages
>Nov 15 06:36:09 smtp3 MailScanner[29982]: Sender Warnings: Delivered 1 
>warnings to virus senders
>Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Attempting to 
>disinfect 1 messages
>Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: 
>to=source at sympatico.ca, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, 
>pri=30868, relay=smtp12.sy
>mpatico.ca. [209.226.175.80], dsn=5.1.1, stat=User unknown
>Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Rescan found only 
>0 viruses
>Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: gAFBa9K14887: 
>postmaster notify: User unknown
>Nov 15 06:36:09 smtp3 sendmail[14890]: gAFBa9D14890: 
>from=quarantaine at usherbrooke.ca, size=157267, class=0, nrcpts=1, 
>msgid=<200211151136.gAFBa9D14890 at smtp3.ush
>erbrooke.ca>, bodytype=8BITMIME, relay=root at localhost
>Nov 15 06:36:22 smtp3 sendmail[14893]: gAFBa9D14890: 
>to=destination at usherbrooke.ca, ctladdr=quarantaine at usherbrooke.ca (0/0), 
>delay=00:00:13, xdelay=00:00:
>13, mailer=relay, pri=187267, relay=c-s.usherbrooke.ca. [132.210.x.y], 
>dsn=2.0.0, stat=Sent (GAA150818 Message accepted for delivery)
>
>Can someone figure out what is going on?
>
>Denis
>--
>Denis Beauchemin, analyste
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

-- 
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ

More information about the MailScanner mailing list