some virus tests failing...is that the antivirus' fault, or MailScanner?

Rick Cooper rcooper at DWFORD.COM
Sun Mar 21 02:24:57 GMT 2004


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Stephen Swaney
> Sent: Saturday, March 20, 2004 6:45 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: some virus tests failing...is that the antivirus' fault, or MailScanner?
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Chris Yuzik
> > Sent: Saturday, March 20, 2004 6:40 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: some virus tests failing...is that the antivirus' fault, or MailScanner?
> >
> > Alright. Now I'm talking to myself again. I upgraded ClamAV from 0.67 to
> > 0.70-rc, and it fails the same tests. Only now they've inserted a new
> > test somewhere around #12, so I fail #20, 21, and 23.
> >
> > I'm still not sure if this is an issue for MailScanner...or my antivirus
> > stuff. Anyone know?
> >
>
> The folks that are providing these "free" tests are selling email
> scanning services. I just wonder if anyone can pass them all. I'm not
> saying that they are not valid; I'm just commenting on the fact that
> they might not be unbiased.

Exim 4.30, exiscan_acl (bitdefender), MS 4.29.2 (clamavmodule,
f-prot, bitdefender), SA 2.63, and none of the testvirus.org
e-mails make it through.

#12 passes exiscan and is caught by MS (password-protected zip
blocking is optional in the latest MS, and it should be caught by MS
if your AV doesn't catch it):
        F-Prot: eicar.zip->EICAR.COM  Infection: EICAR_Test_File


#16 passes exiscan and is caught by MS (not a real attachment; the
signature is in an HTML script. The latest MS would catch it even if
your AV did not):
   F-Prot: msg-23828-1.html  Infection: EICAR_Test_File
   ClamAV Module: msg-23828-1.html was infected: Eicar-Test-Signature
   MailScanner: Found a script in HTML message

#24 passes exiscan and is caught by MS (not a real attachment, and
fragmented messages are a local policy matter):
    MailScanner: Fragmented messages cannot be scanned and are removed

#25 passes exiscan and is caught by MS (no virus string; file names
ending in CLSIDs are a policy matter and standard blocking with MS
file name rules):

    MailScanner: Files ending in CLSID's are trying to hide their real extension
    (clsidfile.txt.{00020C01-0000-0000-C000-000000000046})

The balance were caught via ExiScan and ExiScan bitdefender and
were never accepted (they were rejected at SMTP DATA). #12 could be
caught by exiscan if I wanted to add additional ACLs, but I prefer to
catch the obvious on the front end and let MS handle the in-depth
checks on the back end. I guess the answer is yes, it's possible to
stop them all, depending upon your MS configuration and local
policies regarding files ending with CLSIDs, password-protected
archives and fragmented messages.


