Missed virus?

[Antony Stone]

On Friday 05 September 2003 8:36 pm, Kevin Spicer wrote:

> On Fri, 2003-09-05 at 20:23, Antony Stone wrote:
> >> And of course MailScanner didn't pick up the .com file & block it.
> >
> >Well, that is what I would expect (not picking it up) since
> >MailScanner's
> >file extension rules definitely only apply to the actual file being
> >attached.
>
> I agree thats correct, but thats why my test results...
>
> >>I performed a test myself, which I hoped would imitate the message
> >>which
> >>the original post was about.  I created an email with email.com and
> >>eicar.zip attached, then forwarded the email as an attachment to
> >>myself.  Both Sophos(savi) and Clam picked up both copies of eicar,
> >>whats more MailScanner also blocked the com file.
>
>              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> surprised me (pleasantly).  I didn't really expect that MailScanner
> would recurse through attached emails (Julians too clever by half!).
> Which begs the question why didn't it recurse through the attached
> message in Gerry's file.

Hm.   I think finding a file in an RFC822 attachment is different from
recursing inside zip-type archives - I would expect MailScanner's filename
rules to match the first but not the second.

Regards,

Antony.

--

Perfection in design is achieved not when there is nothing left to add,
but rather when there is nothing left to take away.

 - Antoine de Saint-Exupery