Virus slipping through in zip files.

Julian Field mailscanner at ecs.soton.ac.uk
Wed Aug 20 11:51:30 IST 2003


How did you install MailScanner? Using the RPM distribution or the tar one?
(i.e. the RedHat/SuSE distributions or the "Other Linux/Unix" distribution?)

At 01:45 20/08/2003, you wrote:
>I am running
>
>MailScanner 4.22-5
>Command AntiVirus
>Mandrake Linux 9.1
>
>I have been doing some testing by sending myself a virus.  I have the
>W32/Hybris.worm.D virus named bad_virus.txt
>
>If I send this to myself it is removed and the VirusWarning.txt is put in its
>place as expected.  But if I zip it, it will get through.  MailScanner DOES
>pick up the virus in the zip file, and it sends out all the normal warnings.
>But the message that is delivered still contains the virus, as follows:
>
>--------------------
>Warning: This message has had one or more attachments removed
>Warning: (bad_virus.zip->bad_virus.txt).
>Warning: Please read the "VirusWarning.txt" attachment(s) for more
>information.
>
>
>bad_virus.zip
>
>------------------
>
>Notice the attachment is not the VirusWarning.txt, it is the original
>attachment.
>
>Here are the info logs
>------------------------
>
>Aug 19 19:27:55 ns postfix/nqmgr[12978]: 9A3301F417:
>to=<jtwatson.mydomain.com at mydomain.com>, orig_to=<jtwatson at mydomain.com>,
>relay=none, delay=1, status=deferred (deferred transport)
>Aug 19 19:27:58 ns MailScanner[13086]: New Batch: Scanning 1 messages, 26010
>bytes
>Aug 19 19:27:58 ns MailScanner[13086]: Virus and Content Scanning: Starting
>Aug 19 19:27:59 ns MailScanner[13086]:
>./9A3301F417/bad_virus.zip->bad_virus.txt  Infection: W32/Hybris.worm.D
>Aug 19 19:27:59 ns MailScanner[13086]: Virus Scanning: Command found 1
>infections
>Aug 19 19:27:59 ns MailScanner[13086]: Virus Scanning: Found 1 viruses
>Aug 19 19:27:59 ns MailScanner[13086]: Saved infected
>"bad_virus.zip->bad_virus.txt" to
>/var/spool/MailScanner/quarantine/20030819/9A3301F417
>Aug 19 19:27:59 ns MailScanner[13086]: Cleaned: Delivered 1 cleaned messages
>Aug 19 19:27:59 ns postfix/nqmgr[13051]: E118EBBB0:
>from=<jtwatson at datakota.com>, size=26080, nrcpt=1 (queue active)
>Aug 19 19:27:59 ns MailScanner[13086]: Sender Warnings: Delivered 1 warnings
>to virus senders
>Aug 19 19:28:00 ns postfix/pipe[14035]: E118EBBB0:
>to=<jtwatson.mydomain.com at mydomain.com>, orig_to=<jtwatson at mydomain.com>,
>relay=cyrus, delay=6, status=sent (mydomain.com)
>Aug 19 19:28:00 ns postfix/pickup[13050]: 1DBC4BBB0: uid=73 from=<>
>Aug 19 19:28:00 ns postfix/cleanup[14039]: 1DBC4BBB0:
>message-id=<20030820002759.1DBC4BBB0 at mydomain.com>
>Aug 19 19:28:00 ns MailScanner[13086]: Notices: Warned about 1 messages
>Aug 19 19:28:00 ns MailScanner[13086]: Disinfection: Attempting to disinfect 1
>messages
>Aug 19 19:28:00 ns postfix/nqmgr[13051]: 1DBC4BBB0: from=<>, size=1048,
>nrcpt=1 (queue active)
>Aug 19 19:28:00 ns postfix/pickup[13050]: 3F903BBB7: uid=73
>from=<jtwatson at mydomain.com>
>Aug 19 19:28:00 ns postfix/cleanup[14039]: 3F903BBB7:
>message-id=<20030820002800.3F903BBB7 at mydomain.com>
>Aug 19 19:28:00 ns postfix/nqmgr[13051]: 3F903BBB7:
>from=<jtwatson at mydomain.com>, size=794, nrcpt=1 (queue active)
>Aug 19 19:28:00 ns postfix/pipe[14035]: 3F903BBB7:
>to=<jtwatson.mydomain.com at mydomain.com>, orig_to=<jtwatson at mydomain.com>,
>relay=cyrus, delay=0, status=sent (mydomain.com)
>Aug 19 19:28:01 ns postfix/smtp[14049]: 1DBC4BBB0: to=<jtwatson at datakota.com>,
>relay=mail.datakota.com[24.220.9.19], delay=2, status=sent (250 2.0.0
>h7K0gS009638 Message accepted for delivery)
>Aug 19 19:28:01 ns MailScanner[13086]:
>./9A3301F417/bad_virus.zip->bad_virus.txt  Infection: W32/Hybris.worm.D
>Aug 19 19:28:01 ns MailScanner[13086]: Virus Re-scanning: Command found 1
>infections
>Aug 19 19:28:01 ns MailScanner[13086]: Disinfection: Rescan found only 1
>viruses
>
>--------------------------
>
>In MailScanner.conf I have
>
>Deliver Disinfected Files = yes
>Deliver Cleaned Messages = yes
>
>Could this happen because of a misconfiguration??  It looks to me like it
>detects just fine, but for some reason it attaches the wrong attachment if
>the virus is contained in a zip.
>
>I have tested this with more than one virus.  All I have to do is put it in a
>zip file and it goes through with the final delivered message.
>
>Can someone else verify this, or is this somehow a problem with my setup?
>
>--
>Regards
>
>Joseph Watson

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
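An added example, not code from the thread or from MailScanner: a small Python parser over the quoted log lines (the sample below is constructed from the report, with syslog line wrapping re-joined) that flags messages where the infection sat inside an archive member and was found again on the disinfection re-scan, which is the pattern an admin would want to spot before trusting "Delivered 1 cleaned messages".

```python
import re

# Constructed sample: the MailScanner lines from the quoted report, re-joined.
SAMPLE_LOG = """\
Aug 19 19:27:58 ns MailScanner[13086]: New Batch: Scanning 1 messages, 26010 bytes
Aug 19 19:27:59 ns MailScanner[13086]: ./9A3301F417/bad_virus.zip->bad_virus.txt  Infection: W32/Hybris.worm.D
Aug 19 19:27:59 ns MailScanner[13086]: Virus Scanning: Command found 1 infections
Aug 19 19:27:59 ns MailScanner[13086]: Saved infected "bad_virus.zip->bad_virus.txt" to /var/spool/MailScanner/quarantine/20030819/9A3301F417
Aug 19 19:27:59 ns MailScanner[13086]: Cleaned: Delivered 1 cleaned messages
Aug 19 19:28:01 ns MailScanner[13086]: ./9A3301F417/bad_virus.zip->bad_virus.txt  Infection: W32/Hybris.worm.D
Aug 19 19:28:01 ns MailScanner[13086]: Disinfection: Rescan found only 1 viruses
"""

# "./<queue id>/<attachment path>  Infection: <virus name>"
INFECTION_RE = re.compile(
    r"MailScanner\[\d+\]: \./(?P<qid>[0-9A-F]+)/(?P<path>\S+)\s+Infection: (?P<name>\S+)"
)
# 'Saved infected "<attachment path>" to <quarantine dir>'
QUARANTINE_RE = re.compile(r'Saved infected "(?P<path>[^"]+)" to (?P<dir>\S+)')


def parse_infections(log_text):
    """One record per (queue id, attachment path); 'hits' counts how many
    times the scanner reported it (initial scan plus any re-scan)."""
    records = {}
    for line in log_text.splitlines():
        m = INFECTION_RE.search(line)
        if m:
            key = (m["qid"], m["path"])
            rec = records.setdefault(key, {
                "queue_id": m["qid"], "path": m["path"], "virus": m["name"],
                "in_archive": "->" in m["path"],  # member inside a zip etc.
                "quarantine": None, "hits": 0})
            rec["hits"] += 1
            continue
        m = QUARANTINE_RE.search(line)
        if m:
            for rec in records.values():
                if rec["path"] == m["path"]:
                    rec["quarantine"] = m["dir"]
    return list(records.values())


def rescan_positive(records):
    """Archive-nested infections that were still reported on the re-scan,
    i.e. the delivered message should be checked by hand."""
    return [r for r in records if r["in_archive"] and r["hits"] >= 2]
```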


