File blocked but virus not detected
Jan-Peter Koopmann
Jan-Peter.Koopmann at SECEIDOS.DE
Wed Apr 28 10:04:11 IST 2004
Hi Julian,
I am seeing some strange things lately. Some messages are blocked due to
filename extensions and are put in quarantine. When I take a closer look
those messages contain a virus which is easily spotted using one of the
virus scanners that MailScanner on that machine uses. But MailScanner
did not complain about any virus, just the filename extension. Example:
Apr 28 09:49:31 proxy-hb exim[89373]: 2004-04-28 09:49:31 1BIjov-000NFV-Kl <= 8439513 at marlink.com H=aa2001120174003.userreverse.dion.ne.jp (pwl.de) [210.238.250.218] P=esmtp S=25189 from <8439513 at marlink.com> for name.blanked at mydomain.de
Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filename Checks: Possible MS-Dos program shortcut attack (1BIjov-000NFV-Kl your_picture01.pif)
Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filetype Checks: No executables (1BIjov-000NFV-Kl your_picture01.pif)
Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved entire message to /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved infected "your_picture01.pif" to /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
Apr 28 09:49:40 proxy-hb exim[89475]: 2004-04-28 09:49:40 1BIjov-000NFV-Kl => name.blank at mydomain.de F=<8439513 at marlink.com> R=mailertable T=remote_smtp S=2543 H=192.168.160.12 [192.168.160.12]
Apr 28 09:49:40 proxy-hb exim[89475]: 2004-04-28 09:49:40 1BIjov-000NFV-Kl Completed
The quarantine dir contains:
-rw-r----- 1 mailnull getqmail 25189 Apr 28 09:49 message
-rw-r----- 1 mailnull getqmail 17920 Apr 28 09:49 your_picture01.pif
Virus scanning says:
F-PROT ANTIVIRUS
Program version: 4.2.0
Engine version: 3.14.7
VIRUS SIGNATURE FILES
SIGN.DEF created 27 April 2004
SIGN2.DEF created 28 April 2004
MACRO.DEF created 21 April 2004
Search: message your_picture01.pif
Action: Report only
Files: Attempt to identify files
Switches: <none>
/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/message->your_picture01.pif Infection: W32/NewWorm.01 at mm
/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/your_picture01.pif Infection: W32/NewWorm.01 at mm
Any ideas? As I said, I am seeing quite a few of these! I am running
4.29.5 at that particular location. It would be awfully nice if you
could have a look into this, please. I am not aware of any changes
between 4.29.5 and 4.29.7 that could cause this, but will upgrade right
away nevertheless.
Moreover, many viruses are caught as high-scoring spam with action
"store" and are not checked for viruses. I know this is not a bug but a
feature, but still... If something contains a virus, the report/flags
etc. should say virus after all, and not only spam.
Kind regards,
JP
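A small log-triage script for the symptom described in the post, added here as an example; it is not code from the post or from MailScanner. It assumes the Filename/Filetype Checks and Saved-to-quarantine lines look as quoted above, that a scanner hit would be logged as a line containing "Virus Scanning:" (an assumption; adjust to your version's wording), and the sample log and F-PROT output are constructed from the post.

```python
# Flag MailScanner queue ids that were quarantined by Filename/Filetype Checks
# but never got a virus-report line, then reconcile with an F-PROT rescan.
import re
from collections import defaultdict

# Exim/MailScanner queue id, e.g. 1BIjov-000NFV-Kl (format as in the post).
MSG_ID = re.compile(r"\b[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}\b")
CHECK_HIT = re.compile(r"MailScanner\[\d+\]: (?P<check>Filename|Filetype) Checks: "
                       r"(?P<reason>.+?) \((?P<id>\S+) (?P<file>[^)]+)\)")
SAVED = re.compile(r'MailScanner\[\d+\]: Saved (?:entire message|infected "[^"]+") to (?P<path>\S+)')
# Assumption: an infection report is logged as a line containing "Virus Scanning:".
VIRUS_REPORT = re.compile(r"MailScanner\[\d+\]: Virus Scanning:")
# F-PROT "Report only" output, one "<path> Infection: <name>" line per hit.
FPROT_INFECTION = re.compile(r"^(?P<path>\S+)\s+Infection: (?P<name>.+?)\s*$", re.M)

def triage(log_text, virus_report=VIRUS_REPORT):
    """Return {queue_id: record} for messages that hit Filename/Filetype Checks
    but produced no virus-report line; these deserve a manual rescan."""
    state = defaultdict(lambda: {"hits": [], "quarantine": None, "virus": False})
    for line in log_text.splitlines():
        mid = MSG_ID.search(line)
        if not mid:
            continue  # not a per-message line
        rec = state[mid.group()]
        if hit := CHECK_HIT.search(line):
            rec["hits"].append((hit["check"], hit["file"], hit["reason"]))
        elif saved := SAVED.search(line):
            rec["quarantine"] = saved["path"]
        elif virus_report.search(line):
            rec["virus"] = True
    return {m: r for m, r in state.items() if r["hits"] and not r["virus"]}

def fprot_infections(fprot_output):
    """Map each path in F-PROT report output to its detection name."""
    return {m["path"]: m["name"] for m in FPROT_INFECTION.finditer(fprot_output)}

# Constructed sample: the post's log lines rejoined onto single lines (the list archive renders "@" as " at ").
SAMPLE_LOG = """\
Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filename Checks: Possible MS-Dos program shortcut attack (1BIjov-000NFV-Kl your_picture01.pif)
Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filetype Checks: No executables (1BIjov-000NFV-Kl your_picture01.pif)
Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved entire message to /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved infected "your_picture01.pif" to /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
Apr 28 09:49:40 proxy-hb exim[89475]: 2004-04-28 09:49:40 1BIjov-000NFV-Kl Completed
"""
SAMPLE_FPROT = """\
/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/message->your_picture01.pif Infection: W32/NewWorm.01@mm
/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/your_picture01.pif Infection: W32/NewWorm.01@mm
"""
```

Feed it the maillog and the F-PROT report of the quarantine directory; any queue id returned by `triage()` whose files show up in `fprot_infections()` is exactly the blocked-but-not-detected case.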