Virus still being picked up an hour later

Dhawal Doshy dhawal at netmagicsolutions.com
Thu Jan 19 03:00:06 GMT 2006


Jeff Mills wrote:
> Hi all,
> 
> I have a problem with mailscanner where it doesn't seem to be getting rid of a virus from the filesystem once it's found.
> Here's an example:
> Below is the first instance.
> Jan 19 12:35:22 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
> 
> Sometimes (but not every time) mailscanner also picks up the bad filename.
> Jan 19 12:35:22 proxy2 MailScanner[27476]: Filename Checks: Possible MS-Dos program shortcut attack (6BCB544E5D5.ED322 eBook.PIF)
> 
> As of this moment, mailscanner is still picking up this same instance (1 hour later)
> Jan 19 13:35:04 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
> 
> Any idea why this might be happening?

This is precisely what I have been unsuccessfully trying to convey all 
evening to Julian.. somehow no one else seemed to be in this situation..

Here's what I observed.. all files (even legit ones) continue to be 
lying in the MailScanner incoming directory (within their respective PID 
directory) and do NOT get deleted post batch processing.. as a result 
MailScanner keeps on checking them again and again..

I am at a loss to take it any further, since I haven't slept all night 
long trying to figure out the reason.. :-(

- dhawal

> My mailscanner version:
> ?/opt/MailScanner/bin/MailScanner --version
> Running on
> Linux SMP PREEMPT Wed Nov 16 15:16:39 EST 2005 i686 Intel(R) Xeon(TM) CPU 2.00GHz GenuineIntel GNU/Linux
> This is Perl version 5.008007 (5.8.7)
> 
> This is MailScanner version 4.50.4
> Module versions are:
> 1.00    AnyDBM_File
> 1.14    Archive::Zip
> 1.04    Carp
> 1.119   Convert::BinHex
> 1.00    DirHandle
> 1.05    Fcntl
> 2.73    File::Basename
> 2.08    File::Copy
> 2.01    FileHandle
> 1.07    File::Path
> 0.16    File::Temp
> 1.29    HTML::Entities
> 3.45    HTML::Parser
> 2.30    HTML::TokeParser
> 1.21    IO
> 1.11    IO::File
> 1.123   IO::Pipe
> 1.50    Mail::Header
> 3.05    MIME::Base64
> 5.415   MIME::Decoder
> 5.415   MIME::Decoder::UU
> 5.415   MIME::Head
> 5.415   MIME::Parser
> 3.03    MIME::QuotedPrint
> 5.415   MIME::Tools
> 0.11    Net::CIDR
> 1.08    POSIX
> 1.77    Socket
> 0.06    Sys::Syslog
> 1.02    Time::localtime
> 
> Optional module versions are:
> 0.17    Convert::TNEF
> 1.814   DB_File
> 1.13    Digest
> 1.01    Digest::HMAC
> 2.33    Digest::MD5
> 2.10    Digest::SHA1
> missing Inline
> missing Mail::ClamAV
> 3.001000        Mail::SpamAssassin
> missing Mail::SPF::Query
> missing Net::CIDR::Lite
> 0.53    Net::DNS
> 0.32    Net::LDAP
> missing Parse::RecDescent
> missing SAVI
> missing Sys::Hostname::Long
> 2.42    Test::Harness
> 0.62    Test::Simple
> 1.95    Text::Balanced
> 1.35    URI
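The symptom both posters describe (the same file under incoming/<PID>/ being reported as FOUND again an hour later) can be spotted from the syslog alone. The following is an added example, not code from the thread or from MailScanner: it parses MailScanner "FOUND" lines and flags any path still being reported long after its first hit, which is the signature of a batch work directory that was never removed. The sample log lines are constructed from the ones quoted above, and the 15-minute threshold and the year 2006 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the thread (not a real log).
SAMPLE_LOG = """\
Jan 19 12:35:22 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
Jan 19 12:35:22 proxy2 MailScanner[27476]: Filename Checks: Possible MS-Dos program shortcut attack (6BCB544E5D5.ED322 eBook.PIF)
Jan 19 12:40:10 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
Jan 19 13:35:04 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
Jan 19 13:36:00 proxy2 MailScanner[27481]: /var/spool/MailScanner/incoming/27481/./A1B2C3D4E5F.F0011/invoice.zip: Eicar-Test-Signature FOUND
"""

# One syslog line per virus hit: "<timestamp> <host> MailScanner[<pid>]: <path>: <signature> FOUND"
FOUND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ MailScanner\[(?P<pid>\d+)\]: "
    r"(?P<path>/var/spool/MailScanner/incoming/\S+?): (?P<sig>.+) FOUND$"
)


def parse_found(log_text, year=2006):
    """Map each scanned path to its list of (timestamp, pid, signature) hits.
    Syslog lines carry no year, so the caller supplies it (assumed 2006 here)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue  # filename checks and other status lines are not virus hits
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["path"]].append((ts, m["pid"], m["sig"]))
    return hits


def stale_batches(log_text, max_age_seconds=900, year=2006):
    """Return [(path, hit_count, seconds between first and last hit)] for files that
    keep being reported long after their first hit. A healthy MailScanner removes a
    batch's work directory after processing, so one file should never be reported
    this far apart; a non-empty result points at the incoming directory not being cleaned."""
    stale = []
    for path, hits in parse_found(log_text, year).items():
        first = min(t for t, _, _ in hits)
        last = max(t for t, _, _ in hits)
        age = int((last - first).total_seconds())
        if age > max_age_seconds:
            stale.append((path, len(hits), age))
    return sorted(stale)


if __name__ == "__main__":
    for path, n, age in stale_batches(SAMPLE_LOG):
        print(f"{path}: {n} hits over {age}s -- incoming work directory not being cleaned?")
```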
