Virus slipping through in zip files.

Joseph Watson jtwatson at datakota.com
Wed Aug 20 01:45:44 IST 2003


I am running

MailScanner 4.22-5
Command AntiVirus
Mandrake Linux 9.1

I have been doing some testing by sending myself a virus.  I have the
W32/Hybris.worm.D virus named bad_virus.txt

If I send this to myself it is removed and the VirusWarning.txt is put in its
place as expected.  But if I zip it, it will get through.  MailScanner DOES
pick up the virus in the zip file, and it sends out all the normal warnings.
But the message that is delivered still contains the virus, as follows:

--------------------
Warning: This message has had one or more attachments removed
Warning: (bad_virus.zip->bad_virus.txt).
Warning: Please read the "VirusWarning.txt" attachment(s) for more
information.


bad_virus.zip

------------------

Notice the attachment is not the VirusWarning.txt, it is the original
attachment.

Here are the info logs:
------------------------

Aug 19 19:27:55 ns postfix/nqmgr[12978]: 9A3301F417:
to=<jtwatson.mydomain.com at mydomain.com>, orig_to=<jtwatson at mydomain.com>,
relay=none, delay=1, status=deferred (deferred transport)
Aug 19 19:27:58 ns MailScanner[13086]: New Batch: Scanning 1 messages, 26010
bytes
Aug 19 19:27:58 ns MailScanner[13086]: Virus and Content Scanning: Starting
Aug 19 19:27:59 ns MailScanner[13086]:
./9A3301F417/bad_virus.zip->bad_virus.txt  Infection: W32/Hybris.worm.D
Aug 19 19:27:59 ns MailScanner[13086]: Virus Scanning: Command found 1
infections
Aug 19 19:27:59 ns MailScanner[13086]: Virus Scanning: Found 1 viruses
Aug 19 19:27:59 ns MailScanner[13086]: Saved infected
"bad_virus.zip->bad_virus.txt" to
/var/spool/MailScanner/quarantine/20030819/9A3301F417
Aug 19 19:27:59 ns MailScanner[13086]: Cleaned: Delivered 1 cleaned messages
Aug 19 19:27:59 ns postfix/nqmgr[13051]: E118EBBB0:
from=<jtwatson at datakota.com>, size=26080, nrcpt=1 (queue active)
Aug 19 19:27:59 ns MailScanner[13086]: Sender Warnings: Delivered 1 warnings
to virus senders
Aug 19 19:28:00 ns postfix/pipe[14035]: E118EBBB0:
to=<jtwatson.mydomain.com at mydomain.com>, orig_to=<jtwatson at mydomain.com>,
relay=cyrus, delay=6, status=sent (mydomain.com)
Aug 19 19:28:00 ns postfix/pickup[13050]: 1DBC4BBB0: uid=73 from=<>
Aug 19 19:28:00 ns postfix/cleanup[14039]: 1DBC4BBB0:
message-id=<20030820002759.1DBC4BBB0 at mydomain.com>
Aug 19 19:28:00 ns MailScanner[13086]: Notices: Warned about 1 messages
Aug 19 19:28:00 ns MailScanner[13086]: Disinfection: Attempting to disinfect 1
messages
Aug 19 19:28:00 ns postfix/nqmgr[13051]: 1DBC4BBB0: from=<>, size=1048,
nrcpt=1 (queue active)
Aug 19 19:28:00 ns postfix/pickup[13050]: 3F903BBB7: uid=73
from=<jtwatson at mydomain.com>
Aug 19 19:28:00 ns postfix/cleanup[14039]: 3F903BBB7:
message-id=<20030820002800.3F903BBB7 at mydomain.com>
Aug 19 19:28:00 ns postfix/nqmgr[13051]: 3F903BBB7:
from=<jtwatson at mydomain.com>, size=794, nrcpt=1 (queue active)
Aug 19 19:28:00 ns postfix/pipe[14035]: 3F903BBB7:
to=<jtwatson.mydomain.com at mydomain.com>, orig_to=<jtwatson at mydomain.com>,
relay=cyrus, delay=0, status=sent (mydomain.com)
Aug 19 19:28:01 ns postfix/smtp[14049]: 1DBC4BBB0: to=<jtwatson at datakota.com>,
relay=mail.datakota.com[24.220.9.19], delay=2, status=sent (250 2.0.0
h7K0gS009638 Message accepted for delivery)
Aug 19 19:28:01 ns MailScanner[13086]:
./9A3301F417/bad_virus.zip->bad_virus.txt  Infection: W32/Hybris.worm.D
Aug 19 19:28:01 ns MailScanner[13086]: Virus Re-scanning: Command found 1
infections
Aug 19 19:28:01 ns MailScanner[13086]: Disinfection: Rescan found only 1
viruses

--------------------------

In MailScanner.conf I have

Deliver Disinfected Files = yes
Deliver Cleaned Messages = yes

Could this happen because of a misconfiguration?  It looks to me like it
detects just fine, but for some reason it attaches the wrong attachment if
the virus is contained in a zip.

I have tested this with more than one virus.  All I have to do is put it in a
zip file and it goes through with the final delivered message.

Can someone else verify this, or is this somehow a problem with my setup?

--
Regards

Joseph Watson
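As an added example (not from the post and not MailScanner's own code), a Python check a site could run on a delivered message to confirm that an archive member named in the body's "Warning: (archive->member)" lines is really gone rather than still present inside an attached zip; the sample message, addresses and zip content are constructed placeholders, not malware.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# MailScanner's body warning names archive and member: "Warning: (outer.zip->inner.txt)."
WARNING_RE = re.compile(r"\(([^()>]+)->([^()]+)\)")

def claimed_removals(msg):
    """(archive, member) pairs the text body says MailScanner removed."""
    pairs = set()
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            for m in WARNING_RE.finditer(part.get_content()):
                pairs.add((m.group(1).strip(), m.group(2).strip()))
    return pairs

def leaked_members(raw):
    """Pairs reported as removed that still sit inside a delivered zip attachment."""
    msg = message_from_bytes(raw, policy=default)
    claimed, leaked = claimed_removals(msg), []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if part.get_content_type() != "application/zip" or not name:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = set(zf.namelist())
        except zipfile.BadZipFile:
            continue  # unreadable archive: not this check's concern
        leaked += [(a, m) for a, m in claimed if a == name and m in members]
    return sorted(leaked)

def build_sample(leaked=True):
    """Constructed message mirroring the post; the zip holds harmless placeholder text."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg.set_content("Warning: This message has had one or more attachments removed\n"
                    "Warning: (bad_virus.zip->bad_virus.txt).\n")
    if leaked:  # the faulty case from the post: original archive still attached
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("bad_virus.txt", "placeholder, not malware")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="bad_virus.zip")
    else:  # expected behaviour: only VirusWarning.txt is attached
        msg.add_attachment("Attachment removed by MailScanner", filename="VirusWarning.txt")
    return msg.as_bytes()
```

Running `leaked_members(build_sample())` reproduces the post's symptom, while `build_sample(leaked=False)` models the correct outcome and yields nothing.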
