Why mailscanner fails recognizing a forwarded infected.

Mirko Bovati bovati at MONDADORI.COM
Mon Sep 6 11:10:01 IST 2004


On Monday 06 September 2004 11:44, you wrote:
> On Mon, 6 Sep 2004, Mirko Bovati wrote:
> > On Friday 03 September 2004 17:29, you wrote:
> >> Mirko Bovati wrote:
> >>> On Friday 03 September 2004 16:28, you wrote:
> >>>> Mirko
> >>>>
> >>>> do these scanners recognise the virus is called from the command line
> >>>> on the MS computer??
> >>>
> >>> hi Martin,
> >>>
> >>> The local antivirus that finds the virus is VirusScan 7.0 on a MS
> >>> computer. VirusScan doesn't clean the email. I forward the infected
> >>> email (and MailScanner says it is clean) and the recipient again finds
> >>> it is infected.
> >>>
> >>> But, on the other hand, if, after receiving the infected email, I save
> >>> the attachment (i.e. the virus) and I send a new email with the saved
> >>> attachment attached, MailScanner finds the virus.
> >>>
> >>> I don't know if I answered your question.
> >>>
> >>> mirko
> >>
> >> Mirko
> >>
> >> OK are you keeping archive copies of the mails? If so what happens if
> >> you run the virus scanner on the infected message it misses - ie run the
> >> virus outside of MS control, from the command line, on the infected
> >> message.
> >
> > Running from the command line on a linux box, uvscan misses the infected
> > messages. The same happens with the df/qf pair.
> >
> > So it seems a mcafee problem.
>
> Did you read/follow the part about not using any symlinks anywhere for
> mcafee? On some systems this causes mcafee to behave strangely and not
> detect virii that it does properly find from the command line

I think yes:
[mirko@harey /usr/local/uvscan]$ ls -l
total 8448
-rw-rw-rw-  1 root root  416862 Sep  1 06:32 clean.dat
-r--r--r--  1 root root   12014 Sep  6 10:32 contact.txt
-r--r--r--  1 root root  971875 Sep  6 10:32 e4320upg.pdf
-rw-rw-rw-  1 root root     110 Sep  1 06:32 file_id.diz
-rw-rw-rw-  1 root root   12124 Oct 15  1998 internet.dat
lrwxrwxrwx  1 root root      15 Sep  6 10:32 liblnxfv.so -> ./liblnxfv.so.4
-r-xr-xr-x  1 root root 2664512 Sep  6 10:32 liblnxfv.so.4
-r--r--r--  1 root root    1056 Sep  6 10:32 license.dat
-r--r--r--  1 root root    1809 Sep  6 10:32 license.txt
-r--r--r--  1 root root   38154 Sep  6 10:32 messages.dat
-rw-rw-rw-  1 root root  499211 Sep  1 06:32 names.dat
-rw-rw-rw-  1 root root    1209 Sep  1 06:32 packing.lst
-rw-rw-rw-  1 root root     708 Sep  1 06:32 pkgdesc.ini
-rw-rw-rw-  1 root root   45921 Sep  1 06:32 readme.txt
-rw-rw-rw-  1 root root   12169 Sep  1 06:32 reseller.txt
-rw-rw-rw-  1 root root 3690590 Sep  1 06:32 scan.dat
-r--r--r--  1 root root    5546 Sep  6 10:32 signlic.txt
-r-xr-xr-x  1 root root    6302 Sep  6 10:32 uninstall-uvscan
-r-xr-xr-x  1 root root  127699 Sep  6 10:32 uvscan
-r--r--r--  1 root root   13422 Sep  6 10:32 uvscan.1
-r-xr-xr-x  1 root root     402 Sep  6 10:32 uvscan_secure
-rwxrwxrwx  1 root root   51200 Sep  1 06:32 validate.exe

I think the test below says uvscan is working properly. Does it?

[mirko@harey ~/tempo]$ ls
Conclusioni.zip  dfi82C4rD20713  forwarded-email  qfi82C4rD20713
[mirko@harey ~/tempo]$ uvscan --verbose /home/mirko/tempo
Scanning /home/mirko/tempo/*
Scanning file /home/mirko/tempo/dfi82C4rD20713
Scanning file /home/mirko/tempo/qfi82C4rD20713
Scanning file /home/mirko/tempo/Conclusioni.zip
/home/mirko/tempo/Conclusioni.zip
        Found the W32/Mabutu.a@MM!zip virus !!!
Scanning file /home/mirko/tempo/forwarded-email

Conclusioni.zip is the saved attachment.

mirko

> I used to have symlinks to my dat files and binary until I got badly
> bitten....
>
> I decided to ditch mcafee completely but that's another subject :)
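
An added example, not part of the original thread and not MailScanner or McAfee code: the test above scans the raw forwarded-email file and the saved attachment as separate files, and the sketch below automates the "save the attachment" step for a raw message so that the decoded parts can be scanned too. It assumes the forward carries the original as a nested message/rfc822 part; the sample message and payload bytes are constructed, and `build_forwarded_sample` and `extract_attachments` are hypothetical helper names.

```python
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the attachment: harmless bytes, not a real sample.
PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD-" * 4


def build_forwarded_sample() -> bytes:
    """Build a constructed message that forwards another message as an attachment."""
    original = EmailMessage()
    original["Subject"] = "original"
    original.set_content("see attachment")
    original.add_attachment(PAYLOAD, maintype="application", subtype="zip",
                            filename="Conclusioni.zip")
    forward = EmailMessage()
    forward["Subject"] = "Fwd: original"
    forward.set_content("forwarding this")
    forward.add_attachment(original)  # becomes a message/rfc822 part
    return forward.as_bytes()


def extract_attachments(raw: bytes, outdir: str) -> list[str]:
    """Decode every named leaf part, including those inside forwarded messages."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    written = []
    for index, part in enumerate(msg.walk()):
        # Containers (multipart/*, message/rfc822) are descended into by walk().
        if part.is_multipart() or not part.get_filename():
            continue
        # basename() drops any directory components a sender put in the name.
        name = os.path.basename(part.get_filename()) or "part"
        path = os.path.join(outdir, f"{index:02d}-{name}")
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True))  # undo base64/quoted-printable
        written.append(path)
    return written


if __name__ == "__main__":
    raw = build_forwarded_sample()
    outdir = tempfile.mkdtemp(prefix="extracted-")
    # The attachment is base64-encoded on the wire, so its bytes are not in the raw file.
    print("payload bytes visible in raw message:", PAYLOAD in raw)
    for path in extract_attachments(raw, outdir):
        print("decoded part written to", path)
    print("now scan the directory, e.g.: uvscan --verbose", outdir)
```

Comparing the scanner's result on the raw file with its result on the extracted directory shows whether the miss depends on the MIME wrapping rather than on the DAT files.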
