MailScanner delivering attachments that it shouldn't?

Desai, Jason jase at SENSIS.COM
Thu Sep 4 18:08:41 IST 2003


On Tuesday, I had a user get the Gibe virus.  McAfee and ClamAV both caught
the virus, and both the Filename and Filetype checks caught the attachment
too.  But it appears that since McAfee was able to clean the attachment, the
cleaned version was delivered.

I do have "Deliver Cleaned Messages = yes" for the user who got the virus,
but I would think that the Filename and Filetype rules would override this.
Otherwise, someone can get by the Filename and Filetype checks by sending
the file infected with a virus which can be cleaned.

Here is the log:

Sep  2 15:58:27 dimstar2 MailScanner[28583]: Virus and Content Scanning: Starting
Sep  2 15:58:27 dimstar2 MailScanner[28583]: McAfee said "/var/spool/MailScanner/incoming/28583/19uHII-0001E4-00/update134.exe"
Sep  2 15:58:27 dimstar2 MailScanner[28583]: McAfee said "        Found the W32/Gibe.gen at MM virus !!!"
Sep  2 15:58:27 dimstar2 MailScanner[28583]: /19uHII-0001E4-00/update134.exe Found the W32/Gibe.gen at MM virus !!!
Sep  2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: McAfee found 1 infections
Sep  2 15:58:27 dimstar2 MailScanner[28583]: /var/spool/MailScanner/incoming/28583/./19uHII-0001E4-00/update134.exe: Worm.Gibe.B FOUND
Sep  2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: ClamAV found 1 infections
Sep  2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: Found 1 viruses
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Filename Checks: Windows/DOS Executable (update134.exe)
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Filetype Checks: No executables (update134.exe)
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Other Checks: Found 2 problems
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Saved entire message to /var/spool/MailScanner/quarantine/20030902/19uHII-0001E4-00
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Saved infected "update134.exe" to /var/spool/MailScanner/quarantine/20030902/19uHII-0001E4-00
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Cleaned: Delivered 1 cleaned messages
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Sender Warnings: Delivered 1 warnings to virus senders

I'm using MailScanner version 4.22-5.

Jason
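
Added example, not part of the original post and not MailScanner code: a log check for the situation described above, flagging scan batches in which a Filename or Filetype rule fired and a cleaned message was still delivered. The function name and the last three sample lines are constructed for illustration; the line patterns assume the syslog format shown in the post's log.

```python
import re

# Syslog shape used in the post: "Sep  2 15:58:27 host MailScanner[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\sMailScanner\[(\d+)\]:\s(.*)$")
CHECK_RE = re.compile(r"^(Filename|Filetype) Checks: (.*) \((.+)\)$")
CLEANED_RE = re.compile(r"^Cleaned: Delivered (\d+) cleaned messages$")
BATCH_START = "Virus and Content Scanning: Starting"

# First five lines: taken from the post's log with the e-mail line wrapping joined.
# Last three lines: constructed, a virus-only batch with no filename/filetype hit.
SAMPLE_LOG = """\
Sep  2 15:58:27 dimstar2 MailScanner[28583]: Virus and Content Scanning: Starting
Sep  2 15:58:27 dimstar2 MailScanner[28583]: Virus Scanning: Found 1 viruses
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Filename Checks: Windows/DOS Executable (update134.exe)
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Filetype Checks: No executables (update134.exe)
Sep  2 15:58:28 dimstar2 MailScanner[28583]: Cleaned: Delivered 1 cleaned messages
Sep  2 16:02:10 dimstar2 MailScanner[28590]: Virus and Content Scanning: Starting
Sep  2 16:02:10 dimstar2 MailScanner[28590]: Virus Scanning: Found 1 viruses
Sep  2 16:02:11 dimstar2 MailScanner[28590]: Cleaned: Delivered 1 cleaned messages
"""

def cleaned_deliveries_with_policy_hits(lines):
    """Flag scan batches where a Filename/Filetype rule fired and a cleaned
    message was still delivered. Correlation is per (host, pid) batch because
    the "Cleaned:" line carries no message id, so a finding is a lead to
    confirm against the quarantine directory, not proof for one message."""
    batches, findings = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, pid, msg = m.groups()
        if msg == BATCH_START:
            batches[(host, pid)] = []  # new batch: forget earlier hits
            continue
        hits = batches.setdefault((host, pid), [])
        check = CHECK_RE.match(msg)
        if check:
            hits.append((check.group(1), check.group(3)))
            continue
        cleaned = CLEANED_RE.match(msg)
        if cleaned and hits:
            findings.append({"time": ts, "host": host, "pid": int(pid),
                             "delivered": int(cleaned.group(1)),
                             "rules": sorted({rule for rule, _ in hits}),
                             "files": sorted({name for _, name in hits})})
    return findings

if __name__ == "__main__":
    for finding in cleaned_deliveries_with_policy_hits(SAMPLE_LOG.splitlines()):
        print(finding)
```

Log lines must be unwrapped to one entry per line before they are passed in, as in the sample.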


