W32/Bagle-Zip

Jim Scott jscott at INFOCONEX.COM
Thu Mar 4 18:33:05 GMT 2004


I just upgraded my ClamAV from .60 to .67 and I see in the logs it is being
detected now. However, it appears that MailScanner is ignoring it and
delivering the message anyway?

Mar  4 10:22:44 ruth MailScanner[11534]: /home/spool/MailScanner/incoming/11534/./KAA11543/TextFile.zip: Worm.Bagle.Gen-zippwd FOUND
Mar  4 10:22:44 ruth MailScanner[11534]: Virus Scanning: ClamAV found 1 infections
Mar  4 10:22:44 ruth MailScanner[11534]: Virus Scanning: Found 1 viruses
Mar  4 10:22:45 ruth MailScanner[11534]: Uninfected: Delivered 1 messages

I sent the test message and it came right through with no problems. I have
MailScanner set up to not deliver disinfected messages. So I should have
gotten an attachment indicating it had been removed. No such luck. I am
temporarily blocking ZIP files till I can find a fix.

I am running F-PROT and CLAMAV. F-Prot is not detecting at all.

Jim

----- Original Message -----
From: "Dan Williamson" <danw at NORCOMCABLE.CA>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Thursday, March 04, 2004 8:46 AM
Subject: Re: W32/Bagle-Zip


> ClamAV is getting them.
> I had .60 installed, it wasn't catching them, however after upgrading to
> .67 it is now catching them.
>
> I would suggest adding a second virus scanner if you can.
>
> regards,
> -dan
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
> Of Ryan Pitt
> Sent: March 4, 2004 10:48 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: W32/Bagle-Zip
>
> Hirsh, Joshua wrote:
>
> >Looks like Sophos is now matching against the passworded zip's for the
> >Bagle
> >strains:
> >
> >http://www.sophos.com/virusinfo/analyses/w32baglezip.html
> >
> >-Joshua
> >
>
> This baglezip ide was downloaded automatically, so I temporarily
> *allowed* .zip files to pass through MailScanner and sent a copy of
> Bagle-K through and Sophos still does not detect it.
> I'm not sure exactly what this definition is supposed to do that's
> different.
> Still waiting for the next stable release of MailScanner to be released
> before I upgrade.
> I have gone back to *denying* all .zip files for the time being.
>
> -Ryan Pitt
>
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
>
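The whole thread turns on one fact: the Bagle variants travel as password-protected .zip files, and both the ClamAV "Gen-zippwd" signature and the Sophos "Bagle-Zip" identity are really matching the passworded archive rather than the worm body. A gateway does not have to wait for a signature to do that. Below is an added example, written for this page and not code from the thread, from MailScanner, or from any scanner, of a metadata-only check that reads a ZIP's central directory and flags any entry with the encryption bit set, without ever extracting or needing the password. It assumes the attachment body has already been pulled out of the MIME message as bytes; `build_zip`, `inspect_attachment` and `policy_action` are names chosen here, and the sample archives are constructed in the block (the "passworded" one only sets the encryption flag; the data is left in the clear, which is all the detector looks at).

```python
"""Gateway-side check for password-protected ZIP attachments (added example).

Not code from the thread or from MailScanner. Reads only ZIP metadata, so it
works on archives a virus scanner cannot open. Assumes the attachment body has
already been extracted from the MIME message as bytes.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50    # local file header signature ("PK\x03\x04")
CENTRAL_SIG = 0x02014B50  # central directory header signature
EOCD_SIG = 0x06054B50     # end-of-central-directory signature
FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted


def build_zip(entries):
    """Construct a minimal stored (uncompressed) ZIP as test input.

    entries: list of (name, data, encrypted). For encrypted=True only the
    general-purpose encryption bit is set; the data stays in the clear, which
    is enough to exercise a metadata-only detector. Constructed sample data,
    not a real Bagle archive.
    """
    body = bytearray()
    central = bytearray()
    for name, data, encrypted in entries:
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        raw = name.encode("ascii")
        offset = len(body)
        # local file header: sig, version, flags, method, time, date,
        # crc, compressed size, uncompressed size, name len, extra len
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                            crc, len(data), len(data), len(raw), 0)
        body += raw + data
        # central directory header (46 bytes) pointing back at the local header
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags,
                               0, 0, 0, crc, len(data), len(data), len(raw),
                               0, 0, 0, 0, 0, offset)
        central += raw
    cd_offset = len(body)
    body += central
    body += struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                        len(central), cd_offset, 0)
    return bytes(body)


def inspect_attachment(blob):
    """Classify one attachment body.

    Returns {'verdict': ..., 'encrypted_entries': [...]} where verdict is
      'clean'       - not a ZIP, or a ZIP with no encrypted entries
      'passworded'  - at least one entry has the encryption bit set
      'unparseable' - ZIP magic present but the archive cannot be parsed
    The decision is made from the central directory alone; nothing is
    extracted, so no password is ever needed.
    """
    if not blob.startswith(b"PK"):
        return {"verdict": "clean", "encrypted_entries": []}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            encrypted = [info.filename for info in zf.infolist()
                         if info.flag_bits & FLAG_ENCRYPTED]
    except (zipfile.BadZipFile, struct.error):
        # a ZIP the gateway cannot parse is also one the scanner cannot scan
        return {"verdict": "unparseable", "encrypted_entries": []}
    verdict = "passworded" if encrypted else "clean"
    return {"verdict": verdict, "encrypted_entries": encrypted}


def policy_action(blob):
    """Map a verdict to the gateway action: deliver, or quarantine with reason."""
    result = inspect_attachment(blob)
    if result["verdict"] == "clean":
        return "deliver"
    return "quarantine: " + result["verdict"]


if __name__ == "__main__":
    samples = {
        "report.zip": build_zip([("report.txt", b"quarterly numbers", False)]),
        # mimics the Bagle carrier: a passworded archive holding an executable
        "TextFile.zip": build_zip([("TextFile.exe", b"MZ\x90\x00", True)]),
        "broken.zip": build_zip([("a.txt", b"x", False)])[:40],
        "notes.txt": b"plain text, not an archive",
    }
    for name, blob in samples.items():
        print(f"{name:14s} {policy_action(blob):24s} {inspect_attachment(blob)}")
```

The check is deliberately independent of file extension (it keys on the `PK` magic) and of any AV verdict, which is the gap Jim's log shows: the scanner reported a hit and the message was still delivered. An archive that fails to parse is quarantined for the same reason a passworded one is: the scanner could not have looked inside it either.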
