ZIP File problem

Julian Field mailscanner at ecs.soton.ac.uk
Tue Oct 19 23:59:03 IST 2004


<x-flowed>
At 18:31 19/10/2004, you wrote:
>Thought so. Strange thing: The VirusWarning message said only this:
>
>At Tue Oct 19 19:28:41 2004 the virus scanner said:
>    MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)
>
>
>
>But the logfile shows that eicar _was_ detected and everything is fine:
>
>Oct 19 19:28:39 proxy MailScanner[23721]: [./1CJxmi-0008ip-GS/eicar_g0.zip] eicar.com: Infected: EICAR_Test_File [Libra]
>Oct 19 19:28:39 proxy MailScanner[23721]: Virus Scanning: F-Secure found virus EICAR_Test_File
>Oct 19 19:28:39 proxy MailScanner[23721]: [./1CJxmi-0008ip-GS/eicar_g0.zip] eicar.com: Infected: EICAR Test File [Orion]
>Oct 19 19:28:39 proxy MailScanner[23721]: Virus Scanning: F-Secure found virus EICAR Test File
>Oct 19 19:28:39 proxy MailScanner[23721]: [./1CJxmi-0008ip-GS/eicar_g0.zip] eicar.com: Infected: EICAR-Test-File [AVP]
>Oct 19 19:28:39 proxy MailScanner[23721]: Virus Scanning: F-Secure found virus EICAR-Test-File
>Oct 19 19:28:39 proxy MailScanner[23721]: Scan ended at Tue Oct 19 19:28:39 2004
>Oct 19 19:28:39 proxy MailScanner[23721]: 5 files scanned
>Oct 19 19:28:39 proxy MailScanner[23721]: 1 file infected
>Oct 19 19:28:39 proxy MailScanner[23721]: Virus Scanning: F-Secure found 1 infections
>Oct 19 19:28:40 proxy MailScanner[23721]: /1CJxmi-0008ip-GS/eicar_g0.zip/EICAR.COM        Found: EICAR test file NOT a virus.
>Oct 19 19:28:40 proxy MailScanner[23721]: Virus Scanning: McAfee found 1 infections
>Oct 19 19:28:40 proxy MailScanner[23721]: /var/spool/MailScanner/incoming/23721/./1CJxmi-0008ip-GS/eicar_g0.zip: Eicar-Test-Signature FOUND
>Oct 19 19:28:40 proxy MailScanner[23721]: Virus Scanning: ClamAV found 1 infections
>Oct 19 19:28:40 proxy MailScanner[23721]: ALERT: [Eicar-Test-Signature virus] ./1CJxmi-0008ip-GS/eicar_g0.zip -->
>  eicar.com <<< Contains code of the Eicar-Test-Signature virus
>
>
>Parsing problems?

It turns out the filename report for the child (eicar.com) was masking the
virus report from the parent (eicar_g0.zip). If the filename report is
removed, all the virus scanner reports appear.

So there wasn't any chance of the virus slipping through; it was just the
reporting that was going astray.

After about 4 hours on this, I have finally found it and fixed it. Took
some real digging, that one.
It will be in the next release.

Many thanks for reporting it.

Now I can go to bed :-)
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

</x-flowed>
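A log-versus-notice cross-check for the symptom discussed in this message, as an added example that is not part of the original post and is not MailScanner code. It assumes a complete warning notice mentions each reporting scanner by name; the function names are hypothetical, and the sample text is taken from the quoted message with wrapped lines rejoined.

```python
import re

# Log lines from the quoted message (wrapped lines rejoined).
LOG = """\
Oct 19 19:28:39 proxy MailScanner[23721]: Virus Scanning: F-Secure found virus EICAR-Test-File
Oct 19 19:28:39 proxy MailScanner[23721]: 5 files scanned
Oct 19 19:28:39 proxy MailScanner[23721]: 1 file infected
Oct 19 19:28:39 proxy MailScanner[23721]: Virus Scanning: F-Secure found 1 infections
Oct 19 19:28:40 proxy MailScanner[23721]: Virus Scanning: McAfee found 1 infections
Oct 19 19:28:40 proxy MailScanner[23721]: Virus Scanning: ClamAV found 1 infections
"""

# Warning notice body from the quoted message.
NOTICE = """\
At Tue Oct 19 19:28:41 2004 the virus scanner said:
    MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)
"""

# Per-scanner summary line: "Virus Scanning: <scanner> found <n> infections"
SUMMARY = re.compile(
    r"MailScanner\[\d+\]: Virus Scanning: (\S+) found (\d+) infections"
)


def scanners_with_hits(log_text):
    """Return {scanner: infection count} from the per-scanner summary lines."""
    hits = {}
    for line in log_text.splitlines():
        m = SUMMARY.search(line)
        if m and int(m.group(2)) > 0:
            hits[m.group(1)] = hits.get(m.group(1), 0) + int(m.group(2))
    return hits


def missing_from_notice(log_text, notice_text):
    """Scanners that logged a detection but are not named in the notice.

    Assumption: a complete notice names every scanner that reported.
    """
    notice = notice_text.lower()
    return sorted(s for s in scanners_with_hits(log_text)
                  if s.lower() not in notice)


if __name__ == "__main__":
    for scanner in missing_from_notice(LOG, NOTICE):
        print(f"{scanner}: detection logged but absent from the notice")
```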
