Possible F-Secure parsing problem
Maurizio Matteo Munafo'
munafo at PREZZEMOLO.POLITO.IT
Sat Sep 7 10:04:20 IST 2002
Hi.
I use f-prot and f-secure as virus scanning engines and I noticed that
sometimes f-secure fails to report a virus. I use MailScanner 3.22.
The problem seems to be related to viruses contained in files whose name is
parsed incorrectly (also by f-prot) and that are usually reported only by
the extension.
Here is a recent example:
> Sender: <xxxxxxxxxx>
> Recipient: <xxxxxxxxxxxxxxxx>
> Subject: Have a nice Epiphany
> MessageID: g84N9HL09850
> Report: /var/spool/MailScanner/incoming/g84N9HL09850/.pif Infection:
> W32/Klez.E@mm
> Shortcuts to MS-Dos programs are very dangerous in email (.pif)
In this case the filename contained in the attachment was 4th[1].pif
but it was created in the quarantine directory as .pif, so this may be
related to f-secure not scanning 'hidden' files, even when --dumb is used.
A quick search in recent report messages (I usually cancel them) seems to
show that the problem happens mainly when the virus is contained in files
whose name contains '[' and ']'.
In all the other cases I get two reports, f-secure being the second engine to
be invoked.
> Sender: <xxxxxxxxxxxx>
> Recipient: <xxxxxxxxxxxxxxxxx>
> Subject: END RedMeasure V4
> MessageID: g85CHmL21381
> Report: /var/spool/MailScanner/incoming/g85CHmL21381/END.exe Infection:
> W32/Klez.H@mm
> ./g85CHmL21381/END.exe infection: W95/Klez.H@mm
Regards,
Maurizio Munafo'
--
______
/ Maurizio M. Munafo' / dMMMMMMMMb dMMMMb
/ Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP
/ Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK"
/ I-10129 Torino (Italia) / dMP dMP dMP dMF
/ Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP"
/ E-mail: munafo at polito.it /__________________________
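
The failure reported in this message is an attachment stored under a leading-dot name (`.pif`), which a later scanner may not visit. As an added example, not MailScanner's or F-Secure's code: one way to name stored attachments so they are never hidden or empty, plus an audit that lists dot-files in a work directory before scanning. The function names, the `attachment<N>` placeholder stem and the sample directory contents are assumptions.

```python
import os
import re
import tempfile

# Characters kept verbatim in an on-disk name; everything else becomes "_".
_SAFE = re.compile(r"[^A-Za-z0-9._-]")

def safe_disk_name(attachment_name, index=0):
    """Map an attachment name to a name that is never hidden and never empty."""
    base = os.path.basename(attachment_name.replace("\\", "/"))
    cleaned = _SAFE.sub("_", base)
    stem, ext = os.path.splitext(cleaned)
    # ".pif" splits as stem=".pif", ext="": treat the whole name as extension
    # so extension-based filename rules still see ".pif".
    if stem.startswith(".") and not ext:
        stem, ext = "", stem
    stem = stem.lstrip(".")
    if not stem:
        stem = "attachment%d" % index  # placeholder stem (assumption)
    return stem + ext

def hidden_entries(workdir):
    """Return relative paths of dot-files and dot-dirs a scanner may skip."""
    found = []
    for root, dirs, files in os.walk(workdir):
        for name in dirs + files:
            if name.startswith("."):
                found.append(os.path.relpath(os.path.join(root, name), workdir))
    return sorted(found)

def demo():
    """Build a constructed work directory and audit it."""
    with tempfile.TemporaryDirectory() as work:
        msgdir = os.path.join(work, "g84N9HL09850")
        os.mkdir(msgdir)
        # One file under the bad name from the report, one under the safe name.
        for name in (".pif", safe_disk_name("4th[1].pif")):
            with open(os.path.join(msgdir, name), "wb") as fh:
                fh.write(b"constructed sample, not malware")
        return hidden_entries(work)

if __name__ == "__main__":
    print(safe_disk_name("4th[1].pif"))
    print(demo())
```

Any path returned by `hidden_entries` should be renamed or passed to the scanner explicitly before the message is released.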