Missed virus?

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Fri Sep 5 19:19:24 IST 2003


On Friday 05 September 2003 6:42 pm, Kevin Spicer wrote:

> On Fri, 2003-09-05 at 18:15, Gerry Doris wrote:

> > I am comparing two separate virus notifications and can't figure out
> > why there is a difference.  In the first message below F-Prot and Trend
> > each found the Sobig.F virus.  However it was missed by ClamAV and
> > MailScanner didn't complain about the file type.
>
> It looks like the message is a bounce and the txt file is in fact the
> original message.  MailScanner's blocking rules only look at the top
> level attachment IIRC, but the virus is in a second level (just like
> putting it in a zip file).

This doesn't sound like a plausible explanation to me.   I thought
MailScanner recursively checked archives/zips/etc until it found a 'real
file' to check for being a virus or not.

I just tested this by taking eicar.com, tar-gzipping it, then winzipping the
tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2 file.

Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I
run on this mail server, means it got missed by BitDefender, F-Prot,
Inoculan, Kaspersky and NOD32).

Not a good result (but I notice ClamAV, which the original posting was about,
did see it).

Antony.

--

90% of network problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
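Antony's nesting test, reproduced as an added Python example (not code from the post or from MailScanner): it builds eicar.com -> tar.gz -> zip -> bz2 in memory, then compares a top-level-only check against a recursive unwrapper that peels each layer by magic bytes. Member names and the nesting limit are assumptions.

```python
import bz2, gzip, io, tarfile, zipfile

# Standard EICAR test string: harmless, and recognised by every AV engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_nested_sample() -> bytes:
    """eicar.com -> tar.gz -> zip -> bz2, the nesting from the post (member names assumed)."""
    tgz = io.BytesIO()
    with tarfile.open(fileobj=tgz, mode="w:gz") as tar:
        info = tarfile.TarInfo("eicar.com")
        info.size = len(EICAR)
        tar.addfile(info, io.BytesIO(EICAR))
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.tgz", tgz.getvalue())
    return bz2.compress(zbuf.getvalue())

def unwrap(data: bytes):
    """Yield (name, bytes) for one archive layer, identified by magic bytes; nothing for a plain file."""
    if data[:3] == b"BZh":
        yield "<bz2>", bz2.decompress(data)
    elif data[:2] == b"\x1f\x8b":
        yield "<gzip>", gzip.decompress(data)
    elif data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield name, zf.read(name)
    elif data[257:262] == b"ustar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            for m in tar.getmembers():
                if m.isfile():
                    yield m.name, tar.extractfile(m).read()

def flat_scan(data: bytes) -> list:
    """Top-level-only check, the behaviour Kevin attributes to MailScanner's blocking rules."""
    return [0] if EICAR in data else []

def scan(data: bytes, depth: int = 0, max_depth: int = 8) -> list:
    """Recursive check: depths at which EICAR sits in a leaf (non-archive) object.
    -1 means the nesting limit was hit; treat that as suspicious, not clean."""
    members = list(unwrap(data))
    if not members:
        return [depth] if EICAR in data else []
    if depth >= max_depth:
        return [-1]
    hits = []
    for _name, blob in members:
        hits += scan(blob, depth + 1, max_depth)
    return hits
```

The flat check returns nothing for the .bz2, while the recursive one reports the test file four layers down; the same sample, once mailed, is what the engines in the post were being asked to find.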
