ClamAV and Password Protected Bagles

Lindsay Snider lindsay at PA.NET
Wed Mar 3 22:10:20 GMT 2004


amavisd was patched to fix all of this mess by making the original email
available in the 'parts' directory.  If mailscanner dropped the original
email in to be scanned, the virus scanner may be able to do the hard work.
-lindsay

Desai, Jason wrote:
> Hello.
>
> I am running Mailscanner 4.22-5 (will be upgrading soon) with McAfee and
> ClamAV.  I have had some of the latest Bagle viruses in password protected
> zip files get through.  I know that various virus scanners are having
> trouble detecting these.  I had one of these emails get quarantined because
> the attachment name was Message.zip.  When testing to see if the virus would
> get caught yet I found something interesting with ClamAV.
>
> If I scan the attachment itself (Message.zip) clam reports it as clean.  But
> if I scan the queue files (from  Exim) clam finds the virus!  Here is the
> output of a scan with the queue files and attachment in the same directory:
>
> # /opt/MailScanner/lib/clamav-wrapper .
> /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK-00-H: OK
> /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK-00-D: Worm.Bagle.F-zippwd-3 FOUND
> /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 20372
> Scanned directories: 1
> Scanned files: 3
> Infected files: 1
> Data scanned: 0.03 Mb
> I/O buffer size: 131072 bytes
> Time: 0.325 sec (0 m 0 s)
> #
>
> So I assume that MailScanner unpacks the attachment and just scans that.
> Does it make sense to allow the virus scanners to scan the queue files as
> well?
>
> Jason
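An added illustration of the point both posts make (scan the original message alongside the unpacked parts, not just the extracted attachment), written for this archive page and not taken from MailScanner, amavisd or ClamAV. It stages the raw message next to its attachments so that one directory scan covers both, and it flags attachments that are password-protected ZIPs, the case the scanners in the thread could not open. The message, the ZIP, its member and all names are constructed sample data; the encryption flag is patched into a plain ZIP because the standard library cannot write encrypted archives.

```python
"""Stage an inbound email for AV scanning: raw message plus unpacked parts,
with password-protected ZIP attachments flagged for policy handling."""
import email
import io
import os
import re
import tempfile
import zipfile
from email import policy
from email.message import EmailMessage


def make_encrypted_zip(member_name: str, payload: bytes) -> bytes:
    """Build a ZIP whose sole member carries the 'encrypted' flag (bit 0 of
    the general-purpose flag field).  zipfile cannot write encrypted archives,
    so the bit is set by hand in the local header (offset 6) and the central
    directory entry (offset 8).  Constructed sample: bytes stay in the clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        data[pos + flag_off] |= 0x01
    return bytes(data)


def encrypted_zip_members(data: bytes) -> list:
    """Names of members a scanner cannot open because they are password
    protected.  Non-ZIP input (or a truncated archive) yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []


_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_name(index: int, name: str) -> str:
    """Attachment names are attacker-controlled: strip any directory
    component and unusual characters so they can never choose the path."""
    base = os.path.basename(name or "unnamed")
    return f"{index:03d}-{_UNSAFE.sub('_', base)[:64] or 'unnamed'}"


def stage_for_scan(raw: bytes, outdir: str) -> dict:
    """Write the raw message AND each unpacked attachment under outdir so a
    directory scan sees both (in the thread the raw -D queue file matched,
    the lone attachment did not).  Returns staged paths and the attachments
    that are password-protected ZIPs."""
    parts_dir = os.path.join(outdir, "parts")
    os.makedirs(parts_dir, exist_ok=True)
    raw_path = os.path.join(outdir, "message.eml")
    with open(raw_path, "wb") as fh:
        fh.write(raw)
    staged, flagged = [raw_path], []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for n, part in enumerate(msg.iter_attachments()):
        content = part.get_payload(decode=True) or b""
        path = os.path.join(parts_dir, safe_name(n, part.get_filename()))
        with open(path, "wb") as fh:
            fh.write(content)
        staged.append(path)
        if encrypted_zip_members(content):
            flagged.append(path)
    return {"staged": staged, "encrypted_archives": flagged}


def build_sample_message() -> bytes:
    """Constructed stand-in for the mail type discussed: a body that tells the
    reader the password and a ZIP marked encrypted.  Nothing malicious; the
    member is a placeholder string."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content("The archive is password protected, password: 12345")
    msg.add_attachment(make_encrypted_zip("Message.exe", b"placeholder-not-a-program"),
                       maintype="application", subtype="zip", filename="Message.zip")
    return msg.as_bytes()


def demo() -> dict:
    """Stage the sample message into a fresh temp directory."""
    return stage_for_scan(build_sample_message(), tempfile.mkdtemp())


if __name__ == "__main__":
    result = demo()
    for p in result["staged"]:
        print("staged:", p)
    print("password-protected archives:", result["encrypted_archives"])
```

Point a scanner at the returned directory to cover both the original message and the parts; the `encrypted_archives` list is the hook for a gateway policy (quarantine or hold) when the scanner itself cannot look inside the archive.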


