ClamAV and Password Protected Bagles

Desai, Jason jase at SENSIS.COM
Wed Mar 3 17:31:02 GMT 2004


Hello.

I am running MailScanner 4.22-5 (will be upgrading soon) with McAfee and
ClamAV.  I have had some of the latest Bagle viruses in password protected
zip files get through.  I know that various virus scanners are having
trouble detecting these.  I had one of these emails get quarantined because
the attachment name was Message.zip.  When testing to see if the virus would
get caught yet, I found something interesting with ClamAV.

If I scan the attachment itself (Message.zip), clam reports it as clean.  But
if I scan the queue files (from Exim), clam finds the virus!  Here is the
output of a scan with the queue files and attachment in the same directory:

# /opt/MailScanner/lib/clamav-wrapper .
/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK-00-H: OK
/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK-00-D: Worm.Bagle.F-zippwd-3 FOUND
/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 20372
Scanned directories: 1
Scanned files: 3
Infected files: 1
Data scanned: 0.03 Mb
I/O buffer size: 131072 bytes
Time: 0.325 sec (0 m 0 s)
#

So I assume that MailScanner unpacks the attachment and just scans that.
Does it make sense to allow the virus scanners to scan the queue files as
well?

Jason
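Added example (this is not code from the post, from MailScanner or from ClamAV): the observation above is that the same content gets a different verdict depending on whether the scanner sees the raw queue file (the MIME message with the base64-encoded attachment) or the decoded Message.zip. A gateway that relies only on an AV signature for the zip can therefore miss a password protected archive. The script below shows the complementary policy check a gateway can apply itself: decode each attachment from the raw message (as MailScanner does), and flag any zip whose entries carry the "encrypted" bit in the general-purpose flag, which is exactly what a password protected zip looks like on disk. The message and the archive are constructed inline; since the standard library cannot write encrypted zips, the encryption bit is set by patching the zip headers, which is an assumption made only to produce a realistic sample. The filename Message.zip is the one from the post; the inner entry name and addresses are made up.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Bit 0 of the zip general-purpose flag marks an entry as encrypted
# (i.e. password protected) in both the local and central headers.
ZIP_ENCRYPTED_FLAG = 0x0001


def build_zip(payload: bytes, name: str, encrypted_flag: bool) -> bytes:
    """Build a STORED zip containing one entry (constructed sample data).

    zipfile cannot write real encryption, so for the 'password protected'
    variant we set bit 0 of the flag field in every local file header
    (flags at offset 6 after 'PK\\x03\\x04') and central directory header
    (flags at offset 8 after 'PK\\x01\\x02'). Only the flag changes; the
    data is still plain, which is enough to exercise the check below.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= ZIP_ENCRYPTED_FLAG
                pos = data.find(sig, pos + 1)
    return bytes(data)


def build_message(zip_bytes: bytes, filename: str) -> bytes:
    """Constructed sample message carrying the zip as a base64 attachment,
    i.e. roughly what the MTA queue file holds before any decoding."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # hypothetical address
    msg["To"] = "user@example.invalid"       # hypothetical address
    msg["Subject"] = "Re: Document"
    msg.set_content("Please see the attached archive.")
    msg.add_attachment(zip_bytes, maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()


def classify_zip(blob: bytes) -> str:
    """Verdict for a decoded attachment body.

    Returns 'not-zip', 'malformed-zip', 'password-protected-zip' or 'zip'.
    Listing the central directory is enough; no entry is extracted.
    """
    if not blob.startswith(b"PK\x03\x04"):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return "malformed-zip"
    if any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in infos):
        return "password-protected-zip"
    return "zip"


def scan_message(raw: bytes) -> list:
    """Decode every attachment of a raw RFC 822 message and classify it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True)
        if body is None:
            continue
        findings.append({
            "filename": part.get_filename() or "(unnamed)",
            "verdict": classify_zip(body),
        })
    return findings


if __name__ == "__main__":
    archive = build_zip(b"constructed sample entry", "document.txt", True)
    raw = build_message(archive, "Message.zip")
    # The raw queue-file bytes are base64 text, not a zip, so a zip check
    # only makes sense after MIME decoding:
    print("raw message:", classify_zip(raw))
    for finding in scan_message(raw):
        print(finding)
```

Running it prints `not-zip` for the raw message and `password-protected-zip` for Message.zip: a structural check like this works on the decoded attachment and says nothing about the encoded form, whereas the post's clam run matched the encoded queue file and not the decoded zip, so scanning both representations covers cases that either one alone misses. On a real gateway the verdict would feed a quarantine rule rather than a print.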


