File blocked but virus not detected

Ugo Bellavance ugob at CAMO-ROUTE.COM
Wed Apr 28 10:34:13 IST 2004


Jan-Peter Koopmann wrote:
> Hi Julian,
>
> I am seeing some strange things lately. Some messages are blocked due to
> filename extensions and are put in quarantine. When I take a closer look
> those messages contain a virus which is easily spotted using one of the
> virus scanners that MailScanner on that machine uses. But MailScanner
> did not complain about any virus, just the filename extension. Example:
>
> Apr 28 09:49:31 proxy-hb exim[89373]: 2004-04-28 09:49:31
> 1BIjov-000NFV-Kl <= 8439513 at marlink.com
> H=aa2001120174003.userreverse.dion.ne.jp (pwl.de) [210.238.250.218]
> P=esmtp S=25189 from <8439513 at marlink.com> for name.blanked at mydomain.de
> Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filename Checks: Possible
> MS-Dos program shortcut attack (1BIjov-000NFV-Kl your_picture01.pif)
> Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filetype Checks: No
> executables (1BIjov-000NFV-Kl your_picture01.pif)
> Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved entire message to
> /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
> Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved infected
> "your_picture01.pif" to
> /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
> Apr 28 09:49:40 proxy-hb exim[89475]: 2004-04-28 09:49:40
> 1BIjov-000NFV-Kl => name.blank at mydomain.de F=<8439513 at marlink.com>
> R=mailertable T=remote_smtp S=2543 H=192.168.160.12 [192.168.160.12]
> Apr 28 09:49:40 proxy-hb exim[89475]: 2004-04-28 09:49:40
> 1BIjov-000NFV-Kl Completed
>
> The quarantine dir contains:
>
> -rw-r-----    1 mailnull  getqmail  25189 Apr 28 09:49 message
> -rw-r-----    1 mailnull  getqmail  17920 Apr 28 09:49 your_picture01.pif
>
>
> Virus scanning says:
>
>
> F-PROT ANTIVIRUS
> Program version: 4.2.0
> Engine version: 3.14.7
>
> VIRUS SIGNATURE FILES
> SIGN.DEF created 27 April 2004
> SIGN2.DEF created 28 April 2004
> MACRO.DEF created 21 April 2004
>
> Search: message your_picture01.pif
> Action: Report only
> Files: Attempt to identify files
> Switches: <none>
>
> /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/message->your_picture01.pif  Infection: W32/NewWorm.01 at mm
> /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl/your_picture01.pif  Infection: W32/NewWorm.01 at mm
>
>
> Any ideas? As I said: I am seeing quite a few of these! I am running
> 4.29.5 at that particular location. It would be awfully nice if you
> could have a look into this please. I am not aware of any changes
> between 4.29.5 and 4.29.7 that could cause this but will upgrade right
> away nevertheless.

Do you have a symlink in your path to your virus-scanner?

>
> Moreover many viruses are caught as high scoring spam with action
> "store" and are not checked for viruses. I know this is not a bug but a
> feature, but still.... If something contains a virus the report/flags
> etc. should say virus after all and not only spam.

http://www.mailscanner.biz/maq/#highsconotscanned

>
> Kind regards,
>   JP
>

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
For further info about MailScanner, please see the Most Asked
Questions at    http://www.mailscanner.biz/maq/     and the archives
at    http://www.jiscmail.ac.uk/lists/mailscanner.html
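The symptom in the quoted log is that a message was quarantined on a filename rule ("Filename Checks", "Saved infected") with no scanner verdict logged for it, while the same file is detected when the scanner is run by hand. The script below is an added example, not code from the thread or from MailScanner: it groups MailScanner syslog lines by Exim message ID and lists the IDs that were quarantined on a filename or filetype rule alone, so those quarantine directories can be rescanned manually. The log lines are constructed for the example (the first four are taken from the post, the rest are invented), and the "Infected message ... came from" line is an assumed format for the scanner-verdict entry; check it against your own syslog before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample log. The first four lines are the ones quoted in the
# post; the second message (ID 1BIjqZ-000NG2-7x) is invented for contrast
# and its "Infected message" line uses an ASSUMED MailScanner format.
SAMPLE_LOG = """\
Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filename Checks: Possible MS-Dos program shortcut attack (1BIjov-000NFV-Kl your_picture01.pif)
Apr 28 09:49:39 proxy-hb MailScanner[71322]: Filetype Checks: No executables (1BIjov-000NFV-Kl your_picture01.pif)
Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved entire message to /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
Apr 28 09:49:40 proxy-hb MailScanner[71322]: Saved infected "your_picture01.pif" to /var/spool/MailScanner/quarantine/20040428/1BIjov-000NFV-Kl
Apr 28 10:02:11 proxy-hb exim[89510]: 2004-04-28 10:02:11 1BIjqZ-000NG2-7x <= sender at example.invalid H=mail.example.invalid [192.0.2.10] P=esmtp S=20011
Apr 28 10:02:12 proxy-hb MailScanner[71322]: Filename Checks: Possible MS-Dos program shortcut attack (1BIjqZ-000NG2-7x document.pif)
Apr 28 10:02:12 proxy-hb MailScanner[71322]: Infected message 1BIjqZ-000NG2-7x came from 192.0.2.10
Apr 28 10:02:12 proxy-hb MailScanner[71322]: Saved infected "document.pif" to /var/spool/MailScanner/quarantine/20040428/1BIjqZ-000NG2-7x
"""

# Exim-style message ID as it appears in the quoted log lines (6-6-2 chars).
MSGID_RE = re.compile(r"\b([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\b")

# Log fragments treated as evidence. The first three occur verbatim in the
# quoted log; "virus_verdict" is the assumed per-message line written when a
# virus scanner, rather than a filename rule, flags the message.
EVIDENCE = {
    "filename_rule": re.compile(r"Filename Checks:"),
    "filetype_rule": re.compile(r"Filetype Checks:"),
    "quarantined":   re.compile(r'Saved infected "'),
    "virus_verdict": re.compile(r"Infected message \S+ came from"),
}


def correlate(log_text):
    """Map each message ID to the set of evidence kinds seen for it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = MSGID_RE.search(line)
        if not m:
            continue
        for kind, pat in EVIDENCE.items():
            if pat.search(line):
                seen[m.group(1)].add(kind)
    return dict(seen)


def blocked_but_not_detected(log_text):
    """IDs quarantined on a filename/filetype rule with no scanner verdict.

    These are the cases from the thread: worth rescanning the quarantine
    directory by hand and comparing with the scanner MailScanner invokes.
    """
    hits = []
    for msgid, kinds in correlate(log_text).items():
        rule_only = kinds & {"filename_rule", "filetype_rule"}
        if "quarantined" in kinds and "virus_verdict" not in kinds and rule_only:
            hits.append(msgid)
    return sorted(hits)


if __name__ == "__main__":
    for msgid in blocked_but_not_detected(SAMPLE_LOG):
        print(f"rescan quarantine for {msgid}: blocked by rule, no virus verdict logged")
```

Run it against `grep MailScanner /var/log/maillog` (or wherever syslog puts the MailScanner facility) piped into `SAMPLE_LOG`'s place; each ID it prints has a quarantine directory whose contents can be fed to the scanner binary directly, which is exactly the manual check the poster did with F-Prot.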