Bug in filename rules handling?

Remco Barendse mailscanner at BARENDSE.TO
Tue Mar 11 11:09:16 GMT 2003


I have it set to yes but this has not changed the behaviour of MailScanner
before. I think all files in the filename.rules.conf are treated equal?

I would not like to be in a situation where somenewvirus.doc.scr would be
allowed through because the latest virus definition couldn't recognize the
virus and the attachment would then be passed on as 'safe'.

Also the attachment wasn't replaced with the VirusWarning.txt!

On Tue, 11 Mar 2003, Craig Pratt wrote:

> How about the "Deliver Disinfected Files" option? Wouldn't that produce
> the behavior you're seeing?
>
> # Should I attempt to disinfect infected attachments and then deliver
> # the clean ones. "Disinfection" involves removing viruses from files
> # (such as removing macro viruses from documents). "Cleaning" is the
> # replacement of infected attachments with "VirusWarning.txt" text
> # attachments.
> # This can also be the filename of a ruleset.
> Deliver Disinfected Files = yes
>
> On Tuesday, March 11, 2003, at 12:36  AM, Remco Barendse wrote:
> > Yes the headers were added as they should and the header also said
> > 'found to be infected'
> >
> > Everything seems to be OK but the attachment was not removed and the
> > VirusWarning was not inserted in the message as it should nor was it
> > sent as an attachment.
> >
> > On Tue, 11 Mar 2003, Craig Pratt wrote:
> >
> >> Have any of the "X-MailScanner" headers been added to the message?
> >>
> >> If not, this might mean that MailScanner is not actually the one
> >> delivering the message. Is it possible that sendmail is running behind
> >> MS's back?
> >>
> >> Craig
> >>
> >> On Tuesday, March 11, 2003, at 12:01  AM, Remco Barendse wrote:
> >>> This morning we have received a message with filename extension
> >>> hiding. The attachment is named ACN.DOC.xls.doc
> >>>
> >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 messages, 38249 bytes
> >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: Starting
> >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found possible filename hiding (ACN.DOC.xls.doc)
> >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 problems
> >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875
> >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages
> >>>
> >>> Although a notification was sent to postmaster that a virus had been
> >>> caught, and the message subject was correctly modified and there was a
> >>> notification inside the message to look inside VirusWarning.txt things
> >>> didn't work.
> >>>
> >>> The attachment was let through 'as-is' without renaming or without
> >>> removing it. Furthermore there was no VirusWarning.txt attached to the
> >>> mail message although the body of the message referred to it. I have set
> >>> however that warnings should *not* be sent as an attachment so maybe this
> >>> is another bug?
> >>>
> >>> Things worked fine with the 4.12 release, this was found on release
> >>> 4.13-3
> >>>
> >>> The message went through our Exchange server and because of a forward rule
> >>> the message was sent outside again. Again MailScanner reported the problem
> >>> but did not remove the attachment!
> >>>
> >>>
> >>> --
> >>> This message has been scanned for viruses and
> >>> dangerous content by MailScanner, and is
> >>> believed to be clean.
> >>>
> >> Craig Pratt
> >> Strongbox Network Services Inc.
> >> mailto:craig at strong-box.net
> >>
> >>
> >> --
> >> This message checked for dangerous content by MailScanner on
> >> StrongBox.
> >>
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> Craig Pratt
> Strongbox Network Services Inc.
> mailto:craig at strong-box.net
>
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
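
Added example (not part of the original thread and not MailScanner's own code): a post-delivery check for the failure reported above, where the log says a filename was flagged and the message "cleaned" but the attachment is still present. The function names and the sample message are constructed for illustration; the log lines are the ones quoted in the thread with the mail wrapping rejoined.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Log lines as quoted in the thread (mail line-wrapping rejoined).
LOG = [
    "Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: "
    "Found possible filename hiding (ACN.DOC.xls.doc)",
    "Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages",
]
HIDING = re.compile(r"Filename Checks: Found possible filename hiding \((.+)\)\s*$")


def flagged_names(log_lines):
    """Filenames the 'Filename Checks' stage reported, lower-cased."""
    return {m.group(1).lower() for line in log_lines if (m := HIDING.search(line))}


def audit_delivered(raw, flagged):
    """Return (leaked, has_warning) for a delivered message.

    leaked      -- flagged attachment names still present after "cleaning"
    has_warning -- True if a VirusWarning.txt attachment is present
                   (informational: sites may configure inline warnings)
    """
    msg = message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename().lower() for p in msg.walk() if p.get_filename()]
    leaked = sorted(n for n in names if n in flagged)
    return leaked, "viruswarning.txt" in names


def build_sample(attachment_name, payload=b"constructed test bytes"):
    """Constructed message with a single attachment, for offline testing."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("Constructed body.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    flagged = flagged_names(LOG)
    leaked, warned = audit_delivered(build_sample("ACN.DOC.xls.doc"), flagged)
    print("flagged:", flagged, "leaked:", leaked, "warning attached:", warned)
```

A non-empty `leaked` list for a message the log reports as cleaned is the condition described in this thread and is worth alerting on after any scanner upgrade.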
