Missed virus?

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Fri Sep 5 19:27:58 IST 2003


On Friday 05 September 2003 7:19 pm, Antony Stone wrote:

> I thought MailScanner recursively checked archives/zips/etc until it found
> a 'real file' to check for being a virus or not.

Before anyone else points it out, I realise that I was clearly wrong in this
thinking, as my own test results demonstrated:

> I just tested this by taking eicar.com, tar-gzipping it, then winzipping
> the tgz file, then bzip2-ing the winzip file, and emailing myself the .bz2
> file.
>
> Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV engines I
> run on this mail server, means it got missed by BitDefender, F-Prot,
> Inoculan, Kaspersky and NOD32).

It's also clear from the output of AntiVir that it's doing its own archive
unpacking. Here's the message logged by MailScanner (which is simply the
output it received from AntiVir):

AntiVir: ALERT: [Eicar-Test-Signatur virus] thisiseicar.bz2 --> thisiseicar
--> thisiseicar.tgz --> unkwn.tar --> thisiseicar.com <<< Contains code of
the Eicar-Test-Signatur virus

As you can see it works its own way down inside the files until it sees
what's lurking in the middle.

Antony

--

Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)
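To illustrate the per-layer unpacking that AntiVir's alert line shows (bz2 -> zip -> tgz -> tar -> file), here is an added example that is not MailScanner's or AntiVir's code: it rebuilds the post's nested eicar sample in memory, then walks down through each container by magic bytes until a leaf contains the EICAR signature, with a depth cap so a deliberately deep archive cannot recurse forever. The member names are derived by stripping extensions (AntiVir's "unkwn.tar" naming is not reproduced).

```python
import bz2, gzip, io, tarfile, zipfile

# The EICAR test string (assembled in two parts so this source file is not
# itself flagged) and the substring a scanner would match on.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
MAX_DEPTH = 8  # cap nesting so a deliberately deep archive cannot recurse forever

def build_nested_sample() -> bytes:
    """Rebuild the post's test in memory (constructed): eicar.com -> .tgz -> .zip -> .bz2."""
    tgz = io.BytesIO()
    with tarfile.open(fileobj=tgz, mode="w:gz") as tar:
        info = tarfile.TarInfo("thisiseicar.com")
        info.size = len(EICAR)
        tar.addfile(info, io.BytesIO(EICAR))
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("thisiseicar.tgz", tgz.getvalue())
    return bz2.compress(zipped.getvalue())

def unpack(name: str, data: bytes):
    """Yield (member name, member bytes) for one container layer, detected by magic bytes."""
    stem = name.rsplit(".", 1)[0]  # thisiseicar.bz2 -> thisiseicar, as AntiVir names the stream
    if data.startswith(b"BZh"):
        yield stem, bz2.decompress(data)
    elif data.startswith(b"\x1f\x8b"):
        yield stem, gzip.decompress(data)
    elif data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                yield member, zf.read(member)
    elif data[257:262] == b"ustar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            for member in tar.getmembers():
                if member.isfile():
                    yield member.name, tar.extractfile(member).read()

def scan(name: str, data: bytes, depth: int = 0):
    """Return the container chain down to the first hit (nested layers checked before raw bytes), else None."""
    if depth < MAX_DEPTH:
        try:
            for inner_name, inner in unpack(name, data):
                hit = scan(inner_name, inner, depth + 1)
                if hit:
                    return [name] + hit
        except (OSError, EOFError, zipfile.BadZipFile, tarfile.TarError):
            pass  # corrupt or truncated layer: fall through to the raw check
    return [name] if SIGNATURE in data else None
```

Running `scan("thisiseicar.bz2", build_nested_sample())` returns the chain of names down to `thisiseicar.com`, the same shape as the AntiVir alert above; a scanner that only looks at the outer .bz2 bytes sees nothing.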
