Maximum Archive Depth trouble

Tal Kelrich tal at MUSICGENOME.COM
Mon May 10 16:38:07 IST 2004


On Mon, 10 May 2004 10:30:39 -0500
Alex Neuman <alex at nkpanama.com> wrote:

> Did you restart MailScanner so that the new setting would be picked up?

Yes, I did. It's actually been set that way for a longish time.

> Is your "file" command reporting the exes incorrectly?

file is working.

> In MailScanner.conf, what does your:
>
> File Command =
>
> .. look like?

File Command = /usr/bin/file

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Tal Kelrich
> Sent: Monday, May 10, 2004 10:22 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Maximum Archive Depth trouble
>
>
> Hello,
>
> I'm having some problems with the current version of MailScanner (4.30.3).
> MS seems to be unpacking beyond the value set in Maximum Archive Depth.
>
> I have Maximum Archive Depth set to 1, a double packed (or triple packed)
> exe file will not pass.
>
> I'm also seeing the "deeply nested archive" message for most zipped
> viruses.
>
> Any help would be appreciated.
>
> Thanks,
>         Tal Kelrich
>
>
> Here's a log snippet for the double packed:
>
> May 10 13:55:48 mail MailScanner[6497]: New Batch: Scanning 1 messages, 2402 bytes
> May 10 13:55:50 mail MailScanner[6497]: Spam Checks: Starting
> May 10 13:55:51 mail MailScanner[6497]: Files hidden in very deeply nested archive in i4AAtj706518
> May 10 13:55:51 mail MailScanner[6497]: Filename Checks: Windows/DOS Executable (i4AAtj706518 test.exe)
> May 10 13:55:51 mail MailScanner[6497]: Filetype Checks: No executables (i4AAtj706518 test.exe)
> May 10 13:55:51 mail MailScanner[6497]: Other Checks: Found 2 problems
> May 10 13:55:51 mail MailScanner[6497]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> May 10 13:55:51 mail MailScanner[6497]: Saved infected "test1.zip" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> May 10 13:55:51 mail MailScanner[6497]: Saved infected "test.exe" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
>
> Here's one for the triple packed:
>
> May 10 13:32:50 mail MailScanner[2532]: New Batch: Scanning 1 messages, 2538 bytes
> May 10 13:32:50 mail MailScanner[2532]: Spam Checks: Starting
> May 10 13:32:50 mail MailScanner[2532]: Files hidden in very deeply nested archive in i4AAWll03696
> May 10 13:32:50 mail MailScanner[2532]: Virus and Content Scanning: Starting
> May 10 13:32:50 mail MailScanner[2532]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAWll03696



--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt
----
Under every stone lurks a politician. -- Aristophanes
----
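
Added example, not part of the original message and not MailScanner's own code: a sketch of how an archive depth limit of the kind discussed above can be evaluated on single, double and triple packed test files. The function names, the size cap and the counting convention (the attached archive itself is depth 1) are assumptions made for illustration.

```python
import io
import zipfile

MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap on a member's declared size

def make_nested_zip(name, payload, layers):
    """Constructed test data: wrap payload in `layers` zip archives."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        name, data = f"test{i}.zip", buf.getvalue()
    return data

def walk_archive(data, max_depth, depth=1):
    """Return (files, too_deep).

    files: (depth, name) for each non-archive member reached within the limit.
    too_deep: True if an archive sits deeper than max_depth; it is not opened.
    Assumed convention: the attached archive itself is depth 1.
    """
    files, too_deep = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: member too large to inspect")
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                if depth + 1 > max_depth:
                    too_deep = True  # report, but do not unpack any further
                    continue
                sub_files, sub_deep = walk_archive(member, max_depth, depth + 1)
                files.extend(sub_files)
                too_deep = too_deep or sub_deep
            else:
                files.append((depth, info.filename))
    return files, too_deep

if __name__ == "__main__":
    exe = b"MZ" + b"\x00" * 64  # constructed stand-in for test.exe
    for layers in (1, 2, 3):
        for limit in (1, 2):
            result = walk_archive(make_nested_zip("test.exe", exe, layers), limit)
            print(f"layers={layers} limit={limit} -> {result}")
```

Under this convention a limit of 1 inspects files in the outer archive only, so a double packed file is reported as too deep without its inner member names ever being read.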
