Maximum Archive Depth trouble

Alex Neuman alex at nkpanama.com
Mon May 10 16:30:39 IST 2004


Did you restart MailScanner so that the new setting would be picked up?

Is your "file" command reporting the exes incorrectly?

In MailScanner.conf, what does your:

File Command =

.. look like?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Tal Kelrich
Sent: Monday, May 10, 2004 10:22 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Maximum Archive Depth trouble


Hello,

I'm having some problems with the current version of MailScanner (4.30.3).
MS seems to be unpacking beyond the value set in Maximum Archive Depth.

I have Maximum Archive Depth set to 1, a double packed (or triple packed)
exe file will not pass.

I'm also seeing the "deeply nested archive" message for most zipped
viruses.

Any help would be appreciated.

Thanks,
        Tal Kelrich


Here's a log snippet for the double packed:

May 10 13:55:48 mail MailScanner[6497]: New Batch: Scanning 1 messages, 2402 bytes
May 10 13:55:50 mail MailScanner[6497]: Spam Checks: Starting
May 10 13:55:51 mail MailScanner[6497]: Files hidden in very deeply nested archive in i4AAtj706518
May 10 13:55:51 mail MailScanner[6497]: Filename Checks: Windows/DOS Executable (i4AAtj706518 test.exe)
May 10 13:55:51 mail MailScanner[6497]: Filetype Checks: No executables (i4AAtj706518 test.exe)
May 10 13:55:51 mail MailScanner[6497]: Other Checks: Found 2 problems
May 10 13:55:51 mail MailScanner[6497]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
May 10 13:55:51 mail MailScanner[6497]: Saved infected "test1.zip" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
May 10 13:55:51 mail MailScanner[6497]: Saved infected "test.exe" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518

Here's one for the triple packed:

May 10 13:32:50 mail MailScanner[2532]: New Batch: Scanning 1 messages, 2538 bytes
May 10 13:32:50 mail MailScanner[2532]: Spam Checks: Starting
May 10 13:32:50 mail MailScanner[2532]: Files hidden in very deeply nested archive in i4AAWll03696
May 10 13:32:50 mail MailScanner[2532]: Virus and Content Scanning: Starting
May 10 13:32:50 mail MailScanner[2532]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAWll03696

--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt
----
Peers's Law: The solution to a problem changes the nature of the problem.
----

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
