Maximum Archive Depth trouble

Alex Neuman alex at nkpanama.com
Mon May 10 16:43:58 IST 2004


Then your /usr/bin/file command is reporting the wrong thing. Try
disabling it by placing a # before the file command:

File Command = # /usr/bin/file

And see what that gets you. You lose the functionality of "knowing" what a
file is even if the extensions change.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Tal Kelrich
Sent: Monday, May 10, 2004 10:38 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Maximum Archive Depth trouble


On Mon, 10 May 2004 10:30:39 -0500
Alex Neuman <alex at nkpanama.com> wrote:

> Did you restart MailScanner so that the new setting would be picked
> up?
>
Yes, I did. It's actually been set that way for a longish time.
> Is your "file" command reporting the exes incorrectly?
file is working.
> In MailScanner.conf, what does your:
>
> File Command =
>
> .. look like?

File Command = /usr/bin/file

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Tal Kelrich
> Sent: Monday, May 10, 2004 10:22 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Maximum Archive Depth trouble
>
>
> Hello,
>
> I'm having some problems with the current version of
> MailScanner(4.30.3). MS seems to be unpacking beyond the value set in
> Maximum Archive Depth.
>
> I have Maximum Archive Depth set to 1, a double packed (or triple
> packed) exe file will not pass.
>
> I'm also seeing the "deeply nested archive" message for most zipped
> viruses.
>
> Any help would be appreciated.
>
> Thanks,
>         Tal Kelrich
>
>
> Here's a log snippet for the double packed:
>
> May 10 13:55:48 mail MailScanner[6497]: New Batch: Scanning 1 messages, 2402 bytes
> May 10 13:55:50 mail MailScanner[6497]: Spam Checks: Starting
> May 10 13:55:51 mail MailScanner[6497]: Files hidden in very deeply nested archive in i4AAtj706518
> May 10 13:55:51 mail MailScanner[6497]: Filename Checks: Windows/DOS Executable (i4AAtj706518 test.exe)
> May 10 13:55:51 mail MailScanner[6497]: Filetype Checks: No executables (i4AAtj706518 test.exe)
> May 10 13:55:51 mail MailScanner[6497]: Other Checks: Found 2 problems
> May 10 13:55:51 mail MailScanner[6497]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> May 10 13:55:51 mail MailScanner[6497]: Saved infected "test1.zip" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> May 10 13:55:51 mail MailScanner[6497]: Saved infected "test.exe" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
>
> Here's one for the triple packed:
>
> May 10 13:32:50 mail MailScanner[2532]: New Batch: Scanning 1 messages, 2538 bytes
> May 10 13:32:50 mail MailScanner[2532]: Spam Checks: Starting
> May 10 13:32:50 mail MailScanner[2532]: Files hidden in very deeply nested archive in i4AAWll03696
> May 10 13:32:50 mail MailScanner[2532]: Virus and Content Scanning: Starting
> May 10 13:32:50 mail MailScanner[2532]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAWll03696



--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt
----
Under every stone lurks a politician. -- Aristophanes
----

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
