F-PROT and disinfections

Matthew Bowman mbowman at UDCOM.COM
Wed May 28 19:59:10 IST 2003


# fgrep -i Disinfected /etc/MailScanner/MailScanner.conf

# It is the command used to attempt delivery of outgoing cleaned/disinfected
Deliver Disinfected Files = yes

# attached disinfected documents.
Disinfected Report = /etc/MailScanner/reports/en/disinfected.report.txt

# Set the "Mail Header" to these values for clean/infected/disinfected messages.
Disinfected Header Value = Disinfected

From maillog:

May 28 14:52:37 smithers MailScanner[13655]: /var/spool/MailScanner/incoming/13655/h4SIqTe06538/xxx_movies.zip->2453.exe is a security risk named W32/Wdialupd.Adware
May 28 14:52:37 smithers MailScanner[13655]: Virus Scanning: F-Prot found virus
May 28 14:52:37 smithers MailScanner[13655]: Virus Re-scanning: f-prot found 1 infections
May 28 14:52:37 smithers MailScanner[13655]: Disinfection: Rescan found only 1 viruses

The above was not classed as Infected but Suspicious.

Then this one:

May 28 14:40:42 smithers MailScanner[13689]: Message h4SIefe04959 from 64.12.138.9 (cchumanesociety@yahoo.com) to wmfd.com is spam, SpamAssassin (score=7.5, required 4, DATE_IN_PAST_03_06, FORGED_YAHOO_RCVD, INVALID_DATE, MICROSOFT_EXECUTABLE, MIME_HTML_NO_CHARSET, MIME_SUSPECT_NAME, MSG_ID_ADDED_BY_MTA_3, NO_REAL_NAME, RELAYING_FRAME, SPAM_PHRASE_00_01, USER_AGENT_OE)
May 28 14:40:42 smithers MailScanner[13689]: Spam Actions: message h4SIefe04959 actions are deliver
May 28 14:40:42 smithers MailScanner[13689]: /var/spool/MailScanner/incoming/13689/h4SIefe04959/defragment.htm.pif Infection: W32/Lentin.F@mm
May 28 14:40:42 smithers MailScanner[13689]: Saved entire message to /var/spool/MailScanner/quarantine/20030528/h4SIefe04959
May 28 14:40:42 smithers MailScanner[13689]: Saved infected "defragment.htm.pif" to /var/spool/MailScanner/quarantine/20030528/h4SIefe04959
May 28 14:40:42 smithers sendmail[4977]: h4SIefe04959: to=<comments@wmfd.com>, delay=00:00:01, xdelay=00:00:00, mailer=smtp, pri=161253, relay=raq09.vbcomm.net. [63.173.207.66], dsn=2.0.0, stat=Sent (h4SIfC928170 Message accepted for delivery)


I ran f-prot . -auto -disinf and it came back with:

/var/spool/MailScanner/quarantine/20030528/h4SIefe04959/defragment.htm.pif  Infection: W32/Lentin.F@mm
Disinfected.

Thanks for the help.

Matthew





Julian Field <mailscanner at ECS.SOTON.AC.UK>
Sent by: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
05/28/2003 02:38 PM
Please respond to MailScanner mailing list


        To:     MAILSCANNER at JISCMAIL.AC.UK
        cc:
        Subject:        Re: F-PROT and disinfections


Assume you have told it to deliver disinfected files (search for
"Disinfected" in MailScanner.conf) then what does your maillog say? It
should be doing 3 scans of each infected batch, one to scan, one to
disinfect and one to rescan.

At 19:24 28/05/2003, you wrote:
>Hello,
>
>I'm noticing that the bulk of the viruses we are catching are Lentin.F. If
>I'm not mistaken, shouldn't MailScanner combined with the virus scanner
>(f-prot in our case) attempt to disinfect the file and, if successful,
>forward it on? If so, it is not doing that. What I have is a quantity of
>files in /var/spool/MailScanner/quarantine that are disinfected and I have
>to send them off manually.
>
>I'm using MS 4.13-3 with F-Prot 3.13 Engine 3.12.10 and Defs of May 26.
>
>Just not certain what should be happening and how it works.
>
>Any ideas?
>
>Thanks
>
>Regards, --
>
>M Bowman

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
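The thread turns on reading maillog by hand to work out, per queue id, what was found, whether the batch was disinfected and rescanned, and whether sendmail went on to deliver the message. Below is an added example, not part of the thread or of MailScanner itself, that folds log lines of the shape quoted above into one record per queue id. The sample log is constructed from the excerpts in the thread (with the archive's " at " munging undone to "@"); the regexes are keyed to the exact phrasing of those MailScanner 4.13 / sendmail lines and are an assumption for other versions. The disinfection line carries no queue id, so the example attributes it to every message seen in the same scanning batch (same MailScanner pid), which is itself an assumption about how batches appear in the log.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the maillog excerpts quoted in the thread.
SAMPLE_LOG = """\
May 28 14:52:37 smithers MailScanner[13655]: /var/spool/MailScanner/incoming/13655/h4SIqTe06538/xxx_movies.zip->2453.exe is a security risk named W32/Wdialupd.Adware
May 28 14:52:37 smithers MailScanner[13655]: Virus Scanning: F-Prot found virus
May 28 14:52:37 smithers MailScanner[13655]: Virus Re-scanning: f-prot found 1 infections
May 28 14:52:37 smithers MailScanner[13655]: Disinfection: Rescan found only 1 viruses
May 28 14:40:42 smithers MailScanner[13689]: /var/spool/MailScanner/incoming/13689/h4SIefe04959/defragment.htm.pif Infection: W32/Lentin.F@mm
May 28 14:40:42 smithers MailScanner[13689]: Saved entire message to /var/spool/MailScanner/quarantine/20030528/h4SIefe04959
May 28 14:40:42 smithers MailScanner[13689]: Saved infected "defragment.htm.pif" to /var/spool/MailScanner/quarantine/20030528/h4SIefe04959
May 28 14:40:42 smithers sendmail[4977]: h4SIefe04959: to=<comments@wmfd.com>, delay=00:00:01, xdelay=00:00:00, mailer=smtp, pri=161253, relay=raq09.vbcomm.net. [63.173.207.66], dsn=2.0.0, stat=Sent (h4SIfC928170 Message accepted for delivery)
"""

# syslog prefix: timestamp, host, program[pid]: message
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# One attachment inside a batch: .../incoming/<pid>/<queue id>/<file> <verdict>
# (phrasing assumed from the lines quoted in the thread)
THREAT_RE = re.compile(
    r"/incoming/\d+/(?P<id>\w+)/(?P<file>\S+) "
    r"(?:Infection: (?P<virus>\S+)|is a security risk named (?P<risk>\S+))")
QUARANTINE_RE = re.compile(r"Saved entire message to \S+/(?P<id>\w+)$")
RESCAN_RE = re.compile(r"^Disinfection: (?P<result>.*)$")
# sendmail's own record of the outgoing delivery, keyed by the same queue id
DELIVERY_RE = re.compile(r"^(?P<id>\w+): to=<(?P<rcpt>[^>]+)>.*\bstat=(?P<stat>\w+)")


def new_message():
    return {"threats": [], "quarantined": False, "delivered_to": [], "batch_rescan": None}


def summarize(log_text):
    """Fold maillog lines into one record per MailScanner queue id."""
    messages = defaultdict(new_message)
    batch_members = defaultdict(set)  # MailScanner pid -> queue ids seen in that batch
    for line in log_text.splitlines():
        hdr = HEADER_RE.match(line)
        if not hdr:
            continue
        pid, prog, msg = hdr["pid"], hdr["prog"], hdr["msg"]
        if prog == "MailScanner":
            m = THREAT_RE.search(msg)
            if m:
                kind = "infection" if m["virus"] else "security risk"
                messages[m["id"]]["threats"].append((m["file"], m["virus"] or m["risk"], kind))
                batch_members[pid].add(m["id"])
                continue
            m = QUARANTINE_RE.search(msg)
            if m:
                messages[m["id"]]["quarantined"] = True
                batch_members[pid].add(m["id"])
                continue
            m = RESCAN_RE.match(msg)
            if m:
                # No queue id on this line: attribute the rescan verdict to every
                # message seen so far in the same scanning batch (assumption).
                for qid in batch_members[pid]:
                    messages[qid]["batch_rescan"] = m["result"]
        elif prog == "sendmail":
            m = DELIVERY_RE.match(msg)
            if m and m["stat"] == "Sent":
                messages[m["id"]]["delivered_to"].append(m["rcpt"])
    return dict(messages)


def delivered_with_threat(summary):
    """Queue ids where a threat was logged and sendmail still reports a delivery."""
    return sorted(qid for qid, rec in summary.items() if rec["threats"] and rec["delivered_to"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for qid, rec in summary.items():
        print(qid, rec)
    print("delivered despite a logged threat:", delivered_with_threat(summary))
```

Running this over a real maillog gives the list the thread is really after: queue ids that had an infected or suspicious attachment, whether the whole message was copied to quarantine, what the batch's disinfection rescan reported, and whether sendmail then recorded a delivery. Whether a delivery on that list carried the disinfected attachment or a stripped one is not something the log lines above state, so that still has to be checked against the quarantine copy and the delivered message.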