Virus still being picked up an hour later

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jan 19 14:58:10 GMT 2006



On 19 Jan 2006, at 14:18, Jim Holland wrote:

> Hi
>
> On Thu, 19 Jan 2006, Dhawal Doshy wrote:
>
>>> I have a problem with mailscanner where it doesn't seem to be
>>> getting rid of a virus from the filesystem once it's found.
>>> Here's an example:
>>> Below is the first instance.
>>> Jan 19 12:35:22 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
>>>
>>> Sometimes (but not every time) mailscanner also picks up the bad
>>> filename.
>>> Jan 19 12:35:22 proxy2 MailScanner[27476]: Filename Checks: Possible MS-Dos program shortcut attack (6BCB544E5D5.ED322 eBook.PIF)
>>>
>>> As of this moment, mailscanner is still picking up this same
>>> instance (1 hour later)
>>> Jan 19 13:35:04 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
>>>
>>> Any idea why this might be happening?
>>
>> This is precisely what I have been unsuccessfully trying to convey
>> all evening to Julian.. somehow no one else seemed to be in this
>> situation..
>>
>> Here's what I observed.. all files (even legit ones) continue to be
>> lying in the MailScanner incoming directory (within their respective
>> PID directory) and do NOT get deleted post batch processing.. as a
>> result MailScanner keeps on checking them again and again..
>>
>> I am at a loss to take it any further, since I haven't slept all
>> night long trying to figure out the reason.. :-(

Fixed in the latest beta. There was a typo in one file. I must have  
pressed something in vi by mistake and not noticed. Sorry about that.

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
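
The symptom reported in this thread, the same file in the incoming work directory being flagged again long after its first detection, can be picked out of syslog. The following is an added example, not part of the original messages and not MailScanner code; the regular expression, the function name and the 10-minute threshold are assumptions, and the sample input is the log lines quoted above (line wraps rejoined) plus one constructed line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Virus-scanner hits in the shape quoted in this thread:
#   <date> <host> MailScanner[<pid>]: <path under incoming dir>: <signature> FOUND
HIT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(?P<pid>\d+)\]: "
    r"(?P<path>/\S.*?): (?P<sig>\S+) FOUND$"
)

# Lines 1, 2 and 4 are from the thread; line 3 is constructed (a file seen only once).
SAMPLE_LOG = """\
Jan 19 12:35:22 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
Jan 19 12:35:22 proxy2 MailScanner[27476]: Filename Checks: Possible MS-Dos program shortcut attack (6BCB544E5D5.ED322 eBook.PIF)
Jan 19 12:40:10 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./AAAAAAAAAAA.00000/constructed.scr: Worm.VB-8 FOUND
Jan 19 13:35:04 proxy2 MailScanner[27476]: /var/spool/MailScanner/incoming/27476/./6BCB544E5D5.ED322/eBook.PIF: Worm.VB-8 FOUND
"""


def stale_rescans(log_text, min_gap=timedelta(minutes=10), year=2006):
    """Return {path: (first_seen, last_seen, hits)} for files that were flagged
    again at least min_gap after their first detection.

    Assumption: a message is scanned once per batch, so a repeat hit on the
    same work-directory path after min_gap means the file was never cleaned up.
    Syslog timestamps carry no year, so the caller supplies one.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = HIT.match(line.strip())
        if not m:
            continue  # not a scanner hit (e.g. the "Filename Checks" line)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[(m["path"], m["sig"])].append(ts)

    report = {}
    for (path, _sig), stamps in seen.items():
        first, last = min(stamps), max(stamps)
        if len(stamps) > 1 and last - first >= min_gap:
            report[path] = (first, last, len(stamps))
    return report


if __name__ == "__main__":
    for path, (first, last, hits) in stale_rescans(SAMPLE_LOG).items():
        print(f"{path}: {hits} hits, first {first:%H:%M:%S}, last {last:%H:%M:%S}")
```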

