W32/Bagle-Zip

Julian Field mailscanner at ecs.soton.ac.uk
Thu Mar 4 18:39:42 GMT 2004


You almost certainly have your "Incoming Work Directory" set wrong. The
path set in there must be the absolute path to the directory, not a path
that follows any links. Yours should be set to
/home/spool/MailScanner/incoming
and I expect you have something like
/var/spool/MailScanner/incoming.

At 18:33 04/03/2004, you wrote:
>I just upgraded my Clamav from .60 to .67 and I see in the logs it is being
>detected now. However it appears that mailscanner is ignoring it and
>delivering the message anyway?
>
>Mar  4 10:22:44 ruth MailScanner[11534]: /home/spool/MailScanner/incoming/11534/./KAA11543/TextFile.zip: Worm.Bagle.Gen-zippwd FOUND
>Mar  4 10:22:44 ruth MailScanner[11534]: Virus Scanning: ClamAV found 1 infections
>Mar  4 10:22:44 ruth MailScanner[11534]: Virus Scanning: Found 1 viruses
>Mar  4 10:22:45 ruth MailScanner[11534]: Uninfected: Delivered 1 messages
>
>I sent the test message and it came right through with no problems. I have
>mailscanner set up to not deliver disinfected messages. So I should have
>gotten an attachment indicating it had been removed. No such luck. I am
>temporarily blocking ZIP files till I can find a fix.
>
>I am running F-PROT and CLAMAV. F-Prot is not detecting at all.
>
>Jim
>
>----- Original Message -----
>From: "Dan Williamson" <danw at NORCOMCABLE.CA>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Thursday, March 04, 2004 8:46 AM
>Subject: Re: W32/Bagle-Zip
>
>
> > ClamAV is getting them.
> > I had .60 installed, it wasn't catching them, however after upgrading to
> > .67 it is now catching them.
> >
> > I would suggest adding a second virus scanner if you can.
> >
> > regards,
> > -dan
> >
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > Behalf Of Ryan Pitt
> > Sent: March 4, 2004 10:48 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: W32/Bagle-Zip
> >
> > Hirsh, Joshua wrote:
> >
> > >Looks like Sophos is now matching against the passworded zips for the
> > >Bagle strains:
> > >
> > >http://www.sophos.com/virusinfo/analyses/w32baglezip.html
> > >
> > >-Joshua
> > >
> >
> > This baglezip ide was downloaded automatically, so I temporarily
> > *allowed* .zip files to pass through MailScanner and sent a copy of
> > Bagle-K through and Sophos still does not detect it.
> > I'm not sure exactly what this definition is supposed to do that's
> > different.
> > Still waiting for the next stable release of MailScanner to be released
> > before I upgrade.
> > I have gone back to *denying* all .zip files for the time being.
> >
> > -Ryan Pitt
> >
> >
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is believed to be clean.
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
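
A check for the condition described in the reply above, added here as an example and not part of the original post or of MailScanner: it reads the incoming work directory setting from a conf file and compares it with the directory's physical path (`pwd -P`). The conf syntax, the two key spellings accepted, and the constructed demo tree in which `var/spool` is a symlink to `home/spool` are assumptions.

```shell
#!/bin/sh
# Added example (not MailScanner code): check that the configured incoming
# work directory is already its own symlink-free physical path.

# Last value of the setting in a conf file. Assumptions: "Key = value" lines,
# key spelled "Incoming Work Dir" or "Incoming Work Directory".
configured_incoming_dir() {
    awk '/^[ \t]*Incoming Work Dir(ectory)?[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); last = $0
         } END { if (last != "") print last }' "$1"
}

# Physical path of a directory with every symlink resolved (POSIX pwd -P).
physical_path() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Exit status: 0 = setting equals the physical path, 1 = it passes through a
# symlink (both paths are printed), 2 = setting missing or unusable.
check_incoming_dir() {
    configured=$(configured_incoming_dir "$1")
    case $configured in
        /*) ;;
        *) echo "no absolute incoming work directory in $1" >&2; return 2 ;;
    esac
    physical=$(physical_path "$configured") ||
        { echo "cannot enter $configured" >&2; return 2; }
    # Ignore trailing slashes when comparing.
    while [ "$configured" != / ] && [ "${configured%/}" != "$configured" ]; do
        configured=${configured%/}
    done
    [ "$configured" = "$physical" ] && { echo "OK $configured"; return 0; }
    echo "MISMATCH configured=$configured physical=$physical"
    return 1
}

# Constructed demo tree (assumed layout): var/spool is a symlink to
# home/spool, and the conf file points at the symlinked path.
make_demo() {
    root=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$root/home/spool/MailScanner/incoming" "$root/var"
    ln -s "$root/home/spool" "$root/var/spool"
    echo "Incoming Work Dir = $root/var/spool/MailScanner/incoming" > "$root/MailScanner.conf"
    echo "$root/MailScanner.conf"
}

check_incoming_dir "$(make_demo)" || true
```

On a real host, pass the path of the MailScanner configuration file to `check_incoming_dir`; the `physical=` value in a MISMATCH line is the path to put in the setting.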


