ClamAV and MailScanner Bug

Stephen Swaney steve.swaney at FSL.COM
Wed May 4 23:00:16 IST 2005


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Raymond Dijkxhoorn
> Sent: Wednesday, May 04, 2005 5:49 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: ClamAV and MailScanner Bug
>
> Hi!
>
> >> Aha! It's only the Worm.Sober.P viruses that are causing the problem.
> >> That's useful news.
> >> If you can get one, please do send it to me.
>
> > I just tried it with 2 Worm.Sober.P messages from my own servers, and
> > neither of them caused any problem whatsoever. Both caught just fine.
> > Worked with Maximum Archive Depth = 0 and with = 2.

We are stopping thousands of these but we're sometimes seeing part of the
zipped payload getting through. The infected file appears to contain three
attachments:

May  4 16:27:57 www1 MailScanner[6604]: Saved infected "error-mail_info.zip"
to /var/spool/MailScanner/quarantine/20050504/j44LRpb2006726
May  4 16:27:57 www1 MailScanner[6604]: Saved infected
"Winzipped-Text_Data.txt           .pif" to
/var/spool/MailScanner/quarantine/20050504/j44LRpb2006726
May  4 16:27:57 www1 MailScanner[6604]: Saved infected
"Winzipped-Text_Data.txt           .exe" to

Sometimes only the one file: "Winzipped-Text_Data.txt           .exe" appears
to be delivered. The PC version of BitDefender has caught three today that
were delivered.

BTW - The "real" filename appears to be:
Winzipped-Text_Data.txt\ \ \ \ \ \ \ \ \ \ \ .exe"

Anyone else seeing this behavior?

Steve

Steve Swaney
President
Fortress Systems Ltd.
www.fsl.com
steve.swaney at fsl.com

>
> What we have seen is we also saw zips pass, but they were actually
> replaced crap by other virus scanners. Telling stuff like 'virus removed
> by blah blah blah'. Isn't this what the guy is seeing also?
>
> That new Sobig is cool, highest peak ever on one of our clusters 3.800.000
> rejects ;)
>
> Bye,
> Raymond.
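
Added example, not part of the original post and not MailScanner's own code: a check that pulls quarantined filenames out of log text like the excerpt above and flags names whose real extension is pushed out of view by a run of whitespace. The extension list, the three-space threshold and all function names are assumptions; the sample log is constructed from the lines quoted in the post.

```python
import re

EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}  # assumed deny list
MIN_PAD = 3  # assumed threshold: whitespace run treated as padding

# \s+ after "infected" tolerates the e-mail line wrapping seen in the post.
SAVED_RE = re.compile(r'MailScanner\[\d+\]: Saved infected\s+"([^"]*)"')
PADDED_RE = re.compile(
    r"^(?P<shown>.*?\S)(?P<pad>\s{%d,})\.(?P<ext>[A-Za-z0-9]{1,8})$" % MIN_PAD
)

def normalise(name):
    """Turn the escaped form ('txt\\ \\ .exe') back into literal spaces."""
    return re.sub(r"\\(\s)", r"\1", name)

def classify(name):
    """Return details if name hides its real extension behind padding, else None."""
    m = PADDED_RE.match(normalise(name))
    if not m:
        return None
    ext = m.group("ext").lower()
    return {
        "shown": m.group("shown"),        # the part a narrow file listing displays
        "pad": len(m.group("pad")),
        "real_ext": ext,
        "executable": ext in EXECUTABLE_EXTS,
    }

def flagged_from_log(log_text):
    """Extract quarantined filenames from MailScanner log text and classify them."""
    found = (classify(m.group(1)) for m in SAVED_RE.finditer(log_text))
    return [info for info in found if info]

# Constructed sample, modelled on the log excerpt in the post (11 spaces of padding).
PAD = " " * 11
SAMPLE_LOG = (
    'May  4 16:27:57 www1 MailScanner[6604]: Saved infected "error-mail_info.zip"\n'
    "to /var/spool/MailScanner/quarantine/20050504/j44LRpb2006726\n"
    "May  4 16:27:57 www1 MailScanner[6604]: Saved infected\n"
    '"Winzipped-Text_Data.txt' + PAD + '.pif" to\n'
    "May  4 16:27:57 www1 MailScanner[6604]: Saved infected\n"
    '"Winzipped-Text_Data.txt' + PAD + '.exe" to\n'
)

if __name__ == "__main__":
    for hit in flagged_from_log(SAMPLE_LOG):
        print(hit)
```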
