Why MailScanner fails to recognize a forwarded infected.

Mirko Bovati bovati at MONDADORI.COM
Mon Sep 6 12:39:13 IST 2004


On Monday 06 September 2004 12:26, you wrote:
> On Mon, 6 Sep 2004, Mirko Bovati wrote:
> > On Monday 06 September 2004 11:44, you wrote:
> >> On Mon, 6 Sep 2004, Mirko Bovati wrote:
> >>> On Friday 03 September 2004 17:29, you wrote:
> >>>> Mirko Bovati wrote:
> >>>>> On Friday 03 September 2004 16:28, you wrote:
> >>>>>> Mirko
> >>>>>>
> >>>>>> do these scanners recognise the virus is called from the command
> >>>>>> line on the MS computer??
> >>>>>
> >>>>> hi Martin,
> >>>>>
> >>>>> The local antivirus that finds the virus is VirusScan 7.0 on an MS
> >>>>> computer. VirusScan doesn't clean the email. I forward the infected
> >>>>> email (and MailScanner says it is clean) and the recipient again finds
> >>>>> it is infected.
> >>>>>
> >>>>> But, the other way round, if after receiving the infected email I save
> >>>>> the attachment (i.e. the virus) and send a new email with the saved
> >>>>> attachment attached, MailScanner finds the virus.
> >>>>>
> >>>>> I don't know if I answered your question.
> >>>>>
> >>>>> mirko
> >>>>
> >>>> Mirko
> >>>>
> >>>> OK are you keeping archive copies of the mails? If so what happens if
> >>>> you run the virus scanner on the infected message it misses - ie run
> >>>> the virus outside of MS control, from the command line, on the
> >>>> infected message.
> >>>
> >>> Running from the command line on a Linux box, uvscan misses the infected
> >>> messages. The same happens with the df/qf pair.
> >>>
> >>> So it seems a mcafee problem.
> >>
> >> Did you read/follow the part about not using any symlinks anywhere for
> >> mcafee? On some systems this causes mcafee to behave strangely and not
> >> detect virii that it does properly find from the command line
> >
> > I think yes:
> > [mirko at harey /usr/local/uvscan]$ ls -l
> > total 8448
> > -rw-rw-rw-  1 root root  416862 Sep  1 06:32 clean.dat
> > -r--r--r--  1 root root   12014 Sep  6 10:32 contact.txt
> > -r--r--r--  1 root root  971875 Sep  6 10:32 e4320upg.pdf
> > -rw-rw-rw-  1 root root     110 Sep  1 06:32 file_id.diz
> > -rw-rw-rw-  1 root root   12124 Oct 15  1998 internet.dat
> > lrwxrwxrwx  1 root root      15 Sep  6 10:32 liblnxfv.so -> ./liblnxfv.so.4
> > -r-xr-xr-x  1 root root 2664512 Sep  6 10:32 liblnxfv.so.4
> > -r--r--r--  1 root root    1056 Sep  6 10:32 license.dat
> > -r--r--r--  1 root root    1809 Sep  6 10:32 license.txt
> > -r--r--r--  1 root root   38154 Sep  6 10:32 messages.dat
> > -rw-rw-rw-  1 root root  499211 Sep  1 06:32 names.dat
> > -rw-rw-rw-  1 root root    1209 Sep  1 06:32 packing.lst
> > -rw-rw-rw-  1 root root     708 Sep  1 06:32 pkgdesc.ini
> > -rw-rw-rw-  1 root root   45921 Sep  1 06:32 readme.txt
> > -rw-rw-rw-  1 root root   12169 Sep  1 06:32 reseller.txt
> > -rw-rw-rw-  1 root root 3690590 Sep  1 06:32 scan.dat
> > -r--r--r--  1 root root    5546 Sep  6 10:32 signlic.txt
> > -r-xr-xr-x  1 root root    6302 Sep  6 10:32 uninstall-uvscan
> > -r-xr-xr-x  1 root root  127699 Sep  6 10:32 uvscan
> > -r--r--r--  1 root root   13422 Sep  6 10:32 uvscan.1
> > -r-xr-xr-x  1 root root     402 Sep  6 10:32 uvscan_secure
> > -rwxrwxrwx  1 root root   51200 Sep  1 06:32 validate.exe
> >
> > I think the test below says uvscan is working properly. Does it?
> >
> > [mirko at harey ~/tempo]$ ls
> > Conclusioni.zip  dfi82C4rD20713  forwarded-email  qfi82C4rD20713
> > [mirko at harey ~/tempo]$ uvscan --verbose /home/mirko/tempo
> > Scanning /home/mirko/tempo/*
> > Scanning file /home/mirko/tempo/dfi82C4rD20713
> > Scanning file /home/mirko/tempo/qfi82C4rD20713
> > Scanning file /home/mirko/tempo/Conclusioni.zip
> > /home/mirko/tempo/Conclusioni.zip
> >        Found the W32/Mabutu.a at MM!zip virus !!!
> > Scanning file /home/mirko/tempo/forwarded-email
> >
> > Conclusioni.zip is the saved attachment.
>
> Yes indeed, that is exactly the behaviour from mcafee i was seeing too.
> When issued from the command line mcafee would properly detect the virus
> but would declare it 'virus free' when scanned from MailScanner.
>
> By the looks of it your mcafee directory is ok but this doesn't mean that
> there aren't any symlinks to these binaries elsewhere on the box.

-- The look of the mcafee directory says that there aren't any symlinks to dat
files.
[mirko at harey ~]$ which uvscan
/usr/local/bin/uvscan
and this says there isn't any symlink, doesn't it?


-- The test scan on the directory /home/mirko/tempo above says that uvscan is
missing the virus, because "dfi82C4rD20713", "qfi82C4rD20713" are the
infected pair and "forwarded-email" is the email received after the forward
that I spoke about at the beginning.
That's what I can understand.

I will send the sendmail's pair to Nai and wait for news.
Have you got any other hints?

thanks,
mirko

>
> I would check virus.scanners.conf to see from which location MailScanner
> is invoking mcafee. Also I would check if there are any symlinks to the
> dat files. If there are, replace the symlinks to the datfiles with
> the real dat files and try scanning from MailScanner again.
>
> > mirko
> >
> >> I used to have symlinks to my dat files and binary until I got badly
> >> bitten....
> >>
> >> I decided to ditch mcafee completely but that's another subject :)
> >

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
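An added example, not code from the thread or from MailScanner, that automates the check suggested in the reply above: read which install directory MailScanner invokes mcafee from and list any symlinks in that directory or in front of the `uvscan` binary. It assumes `virus.scanners.conf` lines have the form "name wrapper installdir"; the sandbox it builds is constructed and the `/usr/local/bin/uvscan` symlink in it is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from MailScanner: automates the
# check the reply suggests, i.e. find where MailScanner invokes McAfee and
# whether any symlinks sit in the install directory or in front of the binary.
# Assumption: virus.scanners.conf lines are "name wrapper installdir".

# Print the install directory configured for the named scanner.
scanner_dir_from_conf() {
  # $1 = path to virus.scanners.conf, $2 = scanner name (e.g. mcafee)
  awk -v name="$2" '$1 == name { print $3; exit }' "$1"
}

# Print every symlink among the install directory's entries ($1) and the
# path the shell resolves for the binary ($2), one "link -> target" per line.
find_scanner_symlinks() {
  dir="$1"; bin="$2"
  for f in "$dir"/* "$bin"; do
    [ -L "$f" ] && printf '%s -> %s\n' "$f" "$(readlink "$f")"
  done
  return 0
}

# Constructed sandbox so the check runs offline: mirrors the listing in the
# thread (liblnxfv.so is the only symlink in the install directory) and adds
# a hypothetical /usr/local/bin/uvscan symlink pointing at the real binary.
demo_sandbox() {
  root="${TMPDIR:-/tmp}/uvscan-check.$$"
  mkdir -p "$root/usr/local/uvscan" "$root/usr/local/bin" "$root/etc"
  for f in uvscan scan.dat liblnxfv.so.4; do : > "$root/usr/local/uvscan/$f"; done
  ln -s ./liblnxfv.so.4 "$root/usr/local/uvscan/liblnxfv.so"
  ln -s "$root/usr/local/uvscan/uvscan" "$root/usr/local/bin/uvscan"
  printf 'mcafee\t/usr/lib/MailScanner/mcafee-wrapper\t%s\n' \
    "$root/usr/local/uvscan" > "$root/etc/virus.scanners.conf"
  echo "$root"
}

# Stand-alone run against the sandbox: sh uvscan-links.sh --demo
if [ "${1:-}" = "--demo" ]; then
  root=$(demo_sandbox)
  dir=$(scanner_dir_from_conf "$root/etc/virus.scanners.conf" mcafee)
  echo "MailScanner invokes mcafee from: $dir"
  find_scanner_symlinks "$dir" "$root/usr/local/bin/uvscan"
  rm -rf "$root"
fi
```

On a real box, pass the actual `virus.scanners.conf` path and the output of `which uvscan` to the two functions; an empty listing means no symlinks were found in either place.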
