Missed virus?
Antony Stone
Antony at SOFT-SOLUTIONS.CO.UK
Fri Sep 5 19:19:24 IST 2003
On Friday 05 September 2003 6:42 pm, Kevin Spicer wrote:
> On Fri, 2003-09-05 at 18:15, Gerry Doris wrote:
> > I am comparing two separate virus notifications and can't figure out
> > why there is a difference. In the first message below F-Prot and Trend
> > each found the Sobig.F virus. However it was missed by ClamAV and
> > MailScanner didn't complain about the file tpye.
>
> It looks like the message is a bounce and the txt file is in fact the
> original message. MailScanner's blocking rules only look at the top
> level attachment IIRC, but the virus is in a second level (just like
> putting it in a zip file).
This doesn't sound like a plausible explanation to me. I thought
MailScanner recursively checked archives/zips/etc until it found a 'real
file' to check for being a virus or not.
I just tested this by taking eicar.com, tar-gzipping it, then winzipping the
tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2 file.
Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I
run on this mail server, means it got missed by BitDefender, F-Prot,
Inoculan, Kaspersky and NOD32).
Not a good result (but I notice ClamAV, which the original posting was about,
did see it).
Antony.
--
90% of network problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
More information about the MailScanner
mailing list