ClamAV and MailScanner Bug

Stephen Swaney steve.swaney at FSL.COM
Thu May 5 01:26:18 IST 2005


> -----Original Message-----
> From: Stephen Swaney [mailto:steve.swaney at fsl.com]
> Sent: Wednesday, May 04, 2005 6:00 PM
> To: 'MailScanner mailing list'
> Subject: RE: ClamAV and MailScanner Bug
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > Behalf Of Raymond Dijkxhoorn
> > Sent: Wednesday, May 04, 2005 5:49 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: ClamAV and MailScanner Bug
> >
> > Hi!
> >
> > >> Aha! It's only the Worm.Sober.P viruses that are causing the problem.
> > >> That's useful news.
> > >> If you can get one, please do send it to me.
> >
> > > I just tried it with 2 Worm.Sober.P messages from my own servers, and
> > > neither of them caused any problem whatsoever. Both caught just fine.
> > > Worked with Maximum Archive Depth = 0 and with = 2.
>
> We are stopping thousands of these but we're sometimes seeing part of the
> zipped payload getting through. The infected file appears to contain three
> attachments:
>
> May  4 16:27:57 www1 MailScanner[6604]: Saved infected "error-mail_info.zip" to /var/spool/MailScanner/quarantine/20050504/j44LRpb2006726
> May  4 16:27:57 www1 MailScanner[6604]: Saved infected "Winzipped-Text_Data.txt           .pif" to /var/spool/MailScanner/quarantine/20050504/j44LRpb2006726
> May  4 16:27:57 www1 MailScanner[6604]: Saved infected "Winzipped-Text_Data.txt           .exe" to
>
> Sometimes only the one file: Winzipped-Text_Data.txt           .exe"
> appears to be delivered. The PC version of BitDefender has caught three
> today that were delivered.
>
> BTW - The "real" filename appears to be:
> Winzipped-Text_Data.txt\ \ \ \ \ \ \ \ \ \ \ .exe"
>
> Anyone else seeing this behavior?
>

Never Mind :)

This is really so silly that I'm embarrassed. A client sent us the file:

"Winzipped-Text_Data.txt           .exe"

For analysis and I saved it to a network drive that is scanned by the PC
version of BitDefender.

And every time that BitDefender on the PC found the file it complained - in
a popup window - that it had just found an infected file. So I thought we had
just gotten an email message that was infected :(

I see no problem with this virus slipping through MailScanner.

Live and learn - that's what makes the job so exciting.

Steve

Steve Swaney
President
Fortress Systems Ltd.
Phone: 202 338-1670
Cell: 202 352-3262
www.fsl.com
steve.swaney at fsl.com


> Steve
>
> Steve Swaney
> President
> Fortress Systems Ltd.
> www.fsl.com
> steve.swaney at fsl.com
>
> >
> > What we have seen is we also saw zips pass, but they were actually
> > replaced crap by other virus scanners. Telling stuff like 'virus removed
> > by blah blah blah'. Isn't this what the guy is seeing also?
> >
> > That new Sobig is cool, highest peak ever on one of our clusters 3.800.000
> > rejects ;)
> >
> > Bye,
> > Raymond.
