Maximum Archive Depth trouble

Tal Kelrich tal at MUSICGENOME.COM
Mon May 10 16:22:26 IST 2004


Hello,

I'm having some problems with the current version of MailScanner (4.30.3).
MS seems to be unpacking beyond the value set in Maximum Archive Depth.

I have Maximum Archive Depth set to 1; a double-packed (or triple-packed) exe file will not pass.

I'm also seeing the "deeply nested archive" message for most zipped viruses.

Any help would be appreciated.

Thanks,
        Tal Kelrich


Here's a log snippet for the double packed:

May 10 13:55:48 mail MailScanner[6497]: New Batch: Scanning 1 messages, 2402 bytes
May 10 13:55:50 mail MailScanner[6497]: Spam Checks: Starting
May 10 13:55:51 mail MailScanner[6497]: Files hidden in very deeply nested archive in i4AAtj706518
May 10 13:55:51 mail MailScanner[6497]: Filename Checks: Windows/DOS Executable (i4AAtj706518 test.exe)
May 10 13:55:51 mail MailScanner[6497]: Filetype Checks: No executables (i4AAtj706518 test.exe)
May 10 13:55:51 mail MailScanner[6497]: Other Checks: Found 2 problems
May 10 13:55:51 mail MailScanner[6497]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
May 10 13:55:51 mail MailScanner[6497]: Saved infected "test1.zip" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
May 10 13:55:51 mail MailScanner[6497]: Saved infected "test.exe" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518

Here's one for the triple packed:

May 10 13:32:50 mail MailScanner[2532]: New Batch: Scanning 1 messages, 2538 bytes
May 10 13:32:50 mail MailScanner[2532]: Spam Checks: Starting
May 10 13:32:50 mail MailScanner[2532]: Files hidden in very deeply nested archive in i4AAWll03696
May 10 13:32:50 mail MailScanner[2532]: Virus and Content Scanning: Starting
May 10 13:32:50 mail MailScanner[2532]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAWll03696

--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt
----
Peers's Law: The solution to a problem changes the nature of the problem.
----
