ClamAV and Password Protected Bagles

Julian Field mailscanner at ecs.soton.ac.uk
Wed Mar 3 22:14:55 GMT 2004


At 22:10 03/03/2004, you wrote:
>amavisd was patched to fix all of this mess by making the original email
>available in the 'parts' directory.  If mailscanner dropped the original
>email in to be scanned, the virus scanner may be able to do the hard work.

I could have done this too. But it relies on the AV companies to be up to
date, which is a problem at the moment. I feel more lines of defence are
needed.

And as they should already know if they have done their research, they
would have discovered that this only works for some of the commercial virus
scanners. My method works for all of them. For example Sophos cannot find
them until they are opened on the desktop. Their web pages openly admit it.
A lot of MailScanner users have Sophos as their main (or lone) scanner, so I
have to come up with a solution that works for all of them, not just the
ones using particular scanners.

>-lindsay
>
>Desai, Jason wrote:
>>Hello.
>>I am running Mailscanner 4.22-5 (will be upgrading soon) with McAfee and
>>ClamAV.  I have had some of the latest Bagle viruses in password protected
>>zip files get through.  I know that various virus scanners are having
>>trouble detecting these.  I had one of these emails get quarantined because
>>the attachment name was Message.zip.  When testing to see if the virus would
>>get caught yet I found something interesting with ClamAV.
>>If I scan the attachment itself (Message.zip) clam reports it as clean.  But
>>if I scan the queue files (from Exim) clam finds the virus!  Here is the
>>output of a scan with the queue files and attachment in the same directory:
>># /opt/MailScanner/lib/clamav-wrapper .
>>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK-00-H: OK
>>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK-00-D: Worm.Bagle.F-zippwd-3 FOUND
>>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: OK
>>----------- SCAN SUMMARY -----------
>>Known viruses: 20372
>>Scanned directories: 1
>>Scanned files: 3
>>Infected files: 1
>>Data scanned: 0.03 Mb
>>I/O buffer size: 131072 bytes
>>Time: 0.325 sec (0 m 0 s)
>>#
>>So I assume that MailScanner unpacks the attachment and just scans that.
>>Does it make sense to allow the virus scanners to scan the queue files as
>>well?
>>Jason

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
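As an added example (not MailScanner's or ClamAV's code), the extra line of defence argued for above can be implemented without depending on AV signatures: parse the zip attachment's local file headers and flag any entry whose general-purpose flag bit 0 marks it as password protected. The archive and message below are constructed inline; their file names are placeholders.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"  # 30-byte local header: sig, ver, flags, method, ... nlen, xlen

def encrypted_zip_members(blob: bytes) -> list[str]:
    """Return names of entries whose general-purpose flag bit 0 is set
    (password protected). Names are stored in the clear, so no password is needed."""
    names, off = [], 0
    while (off := blob.find(LOCAL_SIG, off)) >= 0 and off + 30 <= len(blob):
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = \
            struct.unpack_from(LOCAL_FMT, blob, off)
        if flags & 0x1:
            names.append(blob[off + 30:off + 30 + nlen].decode("cp437", "replace"))
        # Skip header, name, extra field and the data (unless bit 3 says csize is unknown).
        off += 30 + nlen + xlen + (0 if flags & 0x8 else csize)
    return names

def password_protected_attachments(raw_message: bytes) -> dict[str, list[str]]:
    """Map each zip attachment of a raw RFC 822 message to its encrypted
    members; attachments with no encrypted entry are not reported."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(LOCAL_SIG):  # sniff the content, not the extension
            members = encrypted_zip_members(data)
            if members:
                hits[part.get_filename() or "<unnamed>"] = members
    return hits

# Constructed sample: a hand-built zip with stored entries (CRC left at 0).
def make_stored_entry(name: bytes, data: bytes, encrypted: bool) -> bytes:
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0x1 if encrypted else 0x0,
                      0, 0, 0, 0, len(data), len(data), len(name), 0)
    return hdr + name + data

SAMPLE_ZIP = (make_stored_entry(b"readme.txt", b"hello", False)
              + make_stored_entry(b"sample.exe", b"\x00" * 16, True))

def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg.set_content("see attached")
    msg.add_attachment(SAMPLE_ZIP, maintype="application", subtype="zip",
                       filename="Message.zip")
    return msg.as_bytes()
```

Run against a raw queue file or a saved message, the check fires on the archive's own flag bits, so it keeps working when the scanner has no signature yet.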
