File blocked but virus not detected

Julian Field mailscanner at ecs.soton.ac.uk
Wed Apr 28 10:16:53 IST 2004


Can you put an entire message on a web server somewhere for me please, so
that I can fetch a copy and test it out?

At 10:04 28/04/2004, you wrote:
>Hi Julian,
>
>I am seeing some strange things lately. Some messages are blocked due to
>filename extensions and are put in quarantine. When I take a closer look
>those messages contain a virus which is easily spotted using one of the
>virus scanners that MailScanner on that machine uses. But MailScanner
>did not complain about any virus, just the filename extension. Example:
>
>Apr 28 09:49:31 proxy-hb exim[89373]: 2004-04-28 09:49:31
>1BIjov-000NFV-Kl <= 8439513 at marlink.com
>H=aa2001120174003.userreverse.dion.ne.jp (pwl.de) [210.238.250.218]
>P=esmtp S=25189 from <8439513 at marlink.com> for name.blanked at mydomain.de
>Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filename Checks: Possible
>MS-Dos program shortcut attack (1BIjov-000NFV-Kl your_picture01.pif)
>Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filetype Checks: No
>executables (1BIjov-000NFV-Kl your_picture01.pif)
>Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved entire message to
>/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
>Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved infected
>"your_picture01.pif" to
>/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
>Apr 28 09:49:40 proxy-hb exim[89475]: 2004-04-28 09:49:40
>1BIjov-000NFV-Kl => name.blank at mydomain.de F=<8439513 at marlink.com>
>R=mailertable T=remote_smtp S=2543 H=192.168.160.12 [192.168.160.12]
>Apr 28 09:49:40 proxy-hb exim[89475]: 2004-04-28 09:49:40
>1BIjov-000NFV-Kl Completed
>
>The quarantine dir contains:
>
>-rw-r-----    1 mailnull  getqmail  25189 Apr 28 09:49 message
>-rw-r-----    1 mailnull  getqmail  17920 Apr 28 09:49 your_picture01.pif
>
>
>Virus scanning says:
>
>
>F-PROT ANTIVIRUS
>Program version: 4.2.0
>Engine version: 3.14.7
>
>VIRUS SIGNATURE FILES
>SIGN.DEF created 27 April 2004
>SIGN2.DEF created 28 April 2004
>MACRO.DEF created 21 April 2004
>
>Search: message your_picture01.pif
>Action: Report only
>Files: Attempt to identify files
>Switches: <none>
>
>/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/message->your_picture01.pif  Infection: W32/NewWorm.01 at mm
>/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/your_picture01.pif  Infection: W32/NewWorm.01 at mm
>
>
>Any ideas? As I said: I am seeing quite some of these! I am running
>4.29.5 at that particular location. It would be awfully nice if you
>could have a look into this please. I am not aware of any changes
>between 4.29.5 and 4.29.7 that could cause this but will upgrade right
>away nevertheless.
>
>Moreover, many viruses are caught as high-scoring spam with action
>"store" and are not checked for viruses. I know this is not a bug but a
>feature, but still.... If something contains a virus, the report/flags
>etc. should say virus after all and not only spam.
>
>Kind regards,
>   JP
>
>-------------------------- MailScanner list ----------------------
>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>For further info about MailScanner, please see the Most Asked
>Questions at    http://www.mailscanner.biz/maq/     and the archives
>at    http://www.jiscmail.ac.uk/lists/mailscanner.html

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

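As an added illustration of the discrepancy JP describes (this is not code from MailScanner or from either poster), a small Python script that correlates the MailScanner log lines quoted above with an F-PROT-style report of the quarantine directory and lists queue ids that were quarantined on filename grounds alone but whose quarantined files a scanner later flagged. The sample log and report lines are constructed from the excerpt in the report, with the wrapped lines joined and the archive's " at " restored to "@".

```python
import re
from collections import defaultdict

# Constructed sample input: the MailScanner log and F-PROT report lines from
# the report above, with wrapped lines joined and " at " restored to "@".
MAILSCANNER_LOG = """\
Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filename Checks: Possible MS-Dos program shortcut attack (1BIjov-000NFV-Kl your_picture01.pif)
Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filetype Checks: No executables (1BIjov-000NFV-Kl your_picture01.pif)
Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved entire message to /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
""".splitlines()

FPROT_REPORT = """\
/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/message->your_picture01.pif  Infection: W32/NewWorm.01@mm
/var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/your_picture01.pif  Infection: W32/NewWorm.01@mm
""".splitlines()

# "<Category>: <text> (<queue id> <attachment>)" as MailScanner logs its checks
CHECK_RE = re.compile(r"MailScanner\[\d+\]: ([A-Za-z ]+): (.*?) \((\S+) (.*)\)$")
SAVED_RE = re.compile(r"MailScanner\[\d+\]: Saved entire message to (\S+)$")
# F-PROT "path  Infection: NAME"; members of an archive appear as path->member
INFECT_RE = re.compile(r"^(\S+)\s+Infection:\s+(\S+)$")
NAME_CHECKS = {"Filename Checks", "Filetype Checks"}


def quarantined_by_name_only(log_lines):
    """Map queue id -> quarantine dir for messages that were quarantined while
    the log records only filename/filetype hits (no other check category)."""
    categories, saved = defaultdict(set), {}
    for line in log_lines:
        if m := CHECK_RE.search(line):
            categories[m.group(3)].add(m.group(1))
        elif m := SAVED_RE.search(line):
            saved[m.group(1).rstrip("/").rsplit("/", 1)[-1]] = m.group(1)
    return {qid: d for qid, d in saved.items()
            if categories[qid] and categories[qid] <= NAME_CHECKS}


def infections_by_dir(report_lines):
    """Map quarantine dir -> set of infection names from an F-PROT-style report."""
    hits = defaultdict(set)
    for line in report_lines:
        if m := INFECT_RE.match(line):
            member_free = m.group(1).split("->", 1)[0]   # drop "->member" suffix
            hits[member_free.rsplit("/", 1)[0]].add(m.group(2))
    return hits


def missed_infections(log_lines, report_lines):
    """Queue ids blocked on filename grounds alone whose quarantined files a
    later scan reports as infected: candidates to rescan and report as virus."""
    hits = infections_by_dir(report_lines)
    return {qid: sorted(hits[d])
            for qid, d in quarantined_by_name_only(log_lines).items() if hits.get(d)}


if __name__ == "__main__":
    for qid, names in missed_infections(MAILSCANNER_LOG, FPROT_REPORT).items():
        print(f"{qid}: quarantined by filename checks only; scanner found {', '.join(names)}")
```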
