ClamAV and MailScanner Bug

Rick Cooper rcooper at DWFORD.COM
Thu May 5 00:35:15 IST 2005



> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Wednesday, May 04, 2005 3:33 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: ClamAV and MailScanner Bug
>
>
> Chris Stone wrote:
>
> >On Wednesday 04 May 2005 02:04 am, Julian Field wrote:
> >
> >
> >>On 4 May 2005, at 00:16, Chris Stone wrote:
> >>
> >>
> >>>I am seeing problems under OSX:
> >>>
> >>>May  3 18:56:29 g5
> >>>MailScanner[1898]: /private/var/spool/MailScanner/incoming/
> >>>1898/./9F050BA0A85C/error-mail_info.zip:
> >>>Worm.Sober.P FOUND
> >>>May  3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 1
> >>>infections
> >>>May  3 18:56:30 g5 MailScanner[1898]: Virus Scanning completed at
> >>>37432 bytes
> >>>per second
> >>>May  3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to
> >>>C3AB7BA0A920
> >>>May  3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
> >>>May  3 18:56:30 g5 MailScanner[1898]: Virus Processing completed at
> >>>74864
> >>>bytes per second
> >>>May  3 18:56:30 g5 MailScanner[1898]: Disinfection completed at
> >>>74864 bytes
> >>>per second
> >>>Seems to only still deliver the Sober viruses - all the others are
> >>>caught as
> >>>above, but not delivered. This client is running MS 4.34.8 and
> >>>ClamAV 0.83.
> >>>Am going to have them update to the latest MS stable release and
> >>>see if they
> >>>still have this issue.
> >>>
> >>>
> >>Can someone send me one of the troublesome messages please?
> >>Easiest way is to put it on the web and mail me the URL.
> >>
> >>
> >
> >I'll see if I can get one and do that. Since MS is not blocking
> them, I don't
> >have the full messages on the server to pull -  only the headers (using
> >MailWatch).
> >
> >But, while other viruses are being properly blocked by MS, it's
> only these
> >Worm.Sober.P viruses that ClamAV is detecting, MS is seeing
> that, but stating
> >it's disinfected and queuing it up for delivery.
> >
> >
> Aha! It's only the Worm.Sober.P viruses that are causing the problem.
> That's useful news.
> If you can get one, please do send it to me.
>

It seems to me it's got to be related to the format of the file name. It
appears that MS removes the redundant spaces between the .txt and .exe|.pif
when it creates the safe name. Is there a place in the code where the safe
name and the actual name might get mixed up, resulting in xxxx.txt.exe and
xxxx.txt       .exe being compared?

These are also zip files... does $zip->extractMemberWithoutPaths($member,
$safename) gracefully handle a filename with spaces in it, since member will
be xxx.txt                 .exe|.pif? If that failed then a zero-byte file
would be created and the file passed by clam.

I recall someone was catching these with filename rules rather than clam.

We have been catching Worm.Sober.P at the gateway with exim/exiscan/clamscan
before it even gets to MailScanner, so I doubt the cause is clam itself.

Rick
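
The two failure modes raised in the message above (a safe name that no longer matches the member's real name, and a failed extraction that leaves a zero-byte file for the scanner to pass) can both be checked at extraction time. This is an added example, not part of the original post and not MailScanner's code: it uses Python's zipfile module rather than the Perl Archive::Zip call quoted above, and safe_name, copy_member, extract_and_verify and the sample archive are hypothetical names and constructed data.

```python
import io
import os
import re
import zipfile

# Run of whitespace hiding an executable extension, e.g. "x.txt      .pif".
PADDED_EXT = re.compile(r"\s{2,}\.(exe|pif|scr|com|bat)$", re.IGNORECASE)

def safe_name(member_name):
    """Hypothetical sanitiser: strip any path, drop whitespace before a dot."""
    base = os.path.basename(member_name.replace("\\", "/"))
    return re.sub(r"\s+\.", ".", base)

def copy_member(zf, info, target):
    """Default extractor: write the member's bytes to the safe path."""
    with zf.open(info) as src, open(target, "wb") as dst:
        dst.write(src.read())

def extract_and_verify(zip_bytes, dest_dir, extractor=copy_member):
    """Extract under safe names; return (member, reason) for untrusted copies."""
    findings, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            name = safe_name(info.filename)
            if PADDED_EXT.search(info.filename):
                findings.append((info.filename, "padded-extension"))
            if name in seen:  # two real names map to one safe name
                findings.append((info.filename, "safe-name-collision"))
                continue      # never overwrite the earlier member
            seen.add(name)
            target = os.path.join(dest_dir, name)
            try:
                extractor(zf, info, target)
                written = os.path.getsize(target)
            except (OSError, zipfile.BadZipFile):
                written = -1
            if written != info.file_size:  # fail closed on short/empty output
                findings.append((info.filename, "size-mismatch"))
    return findings

def build_sample():
    """Constructed sample: benign bytes under space-padded member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt" + " " * 20 + ".pif", b"benign constructed bytes")
        zf.writestr("sample.txt.pif", b"other benign bytes")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()
```

Any non-empty findings list means the files handed to the scanner are not a faithful copy of the archive, so the message should be held rather than reported clean.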

