Norman Sandbox and MailScanner
Sjakie
sjakie07 at chello.nl
Tue Jul 11 00:09:23 IST 2006
I use MailScanner with Norman Virus Control.
Norman has its Sandbox feature, which is able to find viruses not in the
definition files.
see: http://sandbox.norman.no/
When I send the eicar test file, MailScanner will detect a virus.
When I send a real virus (Trojan.Brepibot.V) not detected by Norman (because
for this test I use older definition files),
but which is detected by Norman Sandbox (as W32/Malware),
MailScanner does not detect any virus.
Any ideas?
Thanks
Norman logfiles:
======== Norman Log with Eicar =====
NVCC Command Line Scanner 5.70.01
NSE revision 5.90.21
nvcbin.def revision 5.90 of 2006/06/16 (65535 variants)
nvcmacro.def revision 5.90 of 2006/06/09 (15237 variants)
Total number of variants: 80772
Command line: "-c -sb:1 -s -u . "
* Could not unpack archive
/var/spool/MailScanner/incoming/2809/./k5GCNblP002862.header: .
*** Possible virus found ***
*** /var/spool/MailScanner/incoming/2809/./k5GCNblP002862/eicar.com -> Virus
EICAR_Test_file_not_a_virus! ()
*** /var/spool/MailScanner/incoming/2809/./k5GCNblP002862/eicar_com.zip :
eicar.com -> Virus EICAR_Test_file_not_a_virus! ()
The scanning started: 2006/06/16 12:23:39
ended: 2006/06/16 12:23:39
Logged on as : root
on hostname : test
Scanning results:
Total number of files found..............................: 6
Number of files scanned..................................: 6
Number of files/directories skipped due to exclude list..: 0
Number of files that could not be opened.................: 0
Number of archive files unpacked.........................: 1
Number of archive files not unpacked.....................: 1
Number of infections.....................................: 2
Copyright (c) 1993-2004 Norman ASA.
======== Norman Log with Trojan.Brepibot.V (sandbox) =====
NVCC Command Line Scanner 5.70.01
NSE revision 5.90.21
nvcbin.def revision 5.90 of 2006/06/16 (65535 variants)
nvcmacro.def revision 5.90 of 2006/06/09 (15237 variants)
Total number of variants: 80772
Command line: "-c -sb:1 -s -u . "
* Could not unpack archive
/var/spool/MailScanner/incoming/2809/./k5GCKjiv002811.header: .
*** Possible virus found ***
*** /var/spool/MailScanner/incoming/2809/./k5GCKjiv002811/Photo and
Article.exe -> Virus W32/Malware ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Decompressing PEC2.
* File length: 12800 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\svchon32.exe.
* Creates file C:\WINDOWS\TEMP\175.bat.
* Creates file C:\WINDOWS\TEMP\240.bat.
[ Changes to registry ]
* Creates value "ProtocolModuleCmd"="svchon32.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "ProtocolModuleCmd"="svchon32.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Connects to "24.3.168.130" on port 8080 (TCP).
* Connects to IRC Server.
* IRC: Uses nickname [0000-X2]cuybcycf.
* IRC: Uses username hotumwwao.
* IRC: Joins channel #65.
* IRC: Sets the channel mode for channel #65 to +stnk.
* IRC: Talks in channel #65.
* Connects to "67.164.54.64" on port 8080 (TCP).
[ Process/window information ]
* Enumerates running processes.
* Attemps to open C:\WINDOWS\TEMP\\175.bat NULL.
* Attemps to open C:\WINDOWS\SYSTEM32\svchon32.exe NULL.
* Attemps to open C:\WINDOWS\TEMP\\240.bat NULL.
* Enumerates running processes several parses....
* Creates a mutex svchon32.exe.
* Will automatically restart after boot (I'll be back...).
)
*** /var/spool/MailScanner/incoming/2809/./k5GCKjiv002811/article.zip :
Photo and Article.exe -> Virus W32/Malware ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Decompressing PEC2.
* File length: 12800 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\svchon32.exe.
* Creates file C:\WINDOWS\TEMP\175.bat.
* Creates file C:\WINDOWS\TEMP\240.bat.
[ Changes to registry ]
* Creates value "ProtocolModuleCmd"="svchon32.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "ProtocolModuleCmd"="svchon32.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Connects to "24.3.168.130" on port 8080 (TCP).
* Connects to IRC Server.
* IRC: Uses nickname [0000-X2]cuybcycf.
* IRC: Uses username hotumwwao.
* IRC: Joins channel #65.
* IRC: Sets the channel mode for channel #65 to +stnk.
* IRC: Talks in channel #65.
* Connects to "67.164.54.64" on port 8080 (TCP).
[ Process/window information ]
* Enumerates running processes.
* Attemps to open C:\WINDOWS\TEMP\\175.bat NULL.
* Attemps to open C:\WINDOWS\SYSTEM32\svchon32.exe NULL.
* Attemps to open C:\WINDOWS\TEMP\\240.bat NULL.
* Enumerates running processes several parses....
* Creates a mutex svchon32.exe.
* Will automatically restart after boot (I'll be back...).
)
The scanning started: 2006/06/16 12:20:48
ended: 2006/06/16 12:20:55
Logged on as : root
on hostname : test
Scanning results:
Total number of files found..............................: 6
Number of files scanned..................................: 6
Number of files/directories skipped due to exclude list..: 0
Number of files that could not be opened.................: 0
Number of archive files unpacked.........................: 1
Number of archive files not unpacked.....................: 1
Number of infections.....................................: 2
Copyright (c) 1993-2004 Norman ASA.
===============================================
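The two hits in the logs above differ in shape: the EICAR hit ends in "()" on the same line, while the Sandbox hit opens a "( [ General information ] ..." block that is only closed by the lone ")" many lines later, so one thing worth checking is whether the scanner-output parser expects the one-line form. As an added example (Python, not MailScanner's own Perl code), here is a parser over a constructed excerpt of the log above, contrasting a one-line pattern with one that tracks the parentheses; paths and the shortened report are hypothetical.

```python
import re

# Constructed sample based on the Norman output quoted above: mail-client line
# wrapping removed, sandbox report shortened, paths abbreviated (hypothetical).
SAMPLE_LOG = """\
*** Possible virus found ***
*** /incoming/k5GCNblP002862/eicar.com -> Virus EICAR_Test_file_not_a_virus! ()
*** /incoming/k5GCKjiv002811/Photo and Article.exe -> Virus W32/Malware ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
[ Changes to filesystem ]
* Creates file C:\\WINDOWS\\SYSTEM32\\svchon32.exe.
* Will automatically restart after boot (I'll be back...).
)
The scanning started: 2006/06/16 12:20:48
"""

# One-line-per-hit pattern: it sees the EICAR report, whose "()" closes on the
# same line, but never the Sandbox report, whose "(" is closed lines later.
ONE_LINE_RE = re.compile(r'^\*\*\* (?P<path>.+?) -> Virus (?P<name>\S+) \(\)$')

def naive_names(text):
    return [m.group('name') for m in map(ONE_LINE_RE.match, text.splitlines()) if m]

# Robust form: match the hit header, then keep reading lines until the
# parenthesis opened after the virus name is balanced again.
HIT_RE = re.compile(r'^\*\*\* (?P<path>.+?) -> Virus (?P<name>\S+) \(')

def parse_norman_log(text):
    """Return a list of (path, name, detail_lines) tuples, one per hit."""
    hits, current, depth = [], None, 0
    for line in text.splitlines():
        if current is None:
            m = HIT_RE.match(line)
            if not m:
                continue
            current, depth = (m.group('path'), m.group('name'), []), 1
            line = line[m.end():]             # keep only text after the "("
        buf = ''
        for ch in line:
            depth += (ch == '(') - (ch == ')')   # nested "(...)" inside the
            if depth == 0:                       # report must not end it early
                break
            buf += ch
        if buf.strip():
            current[2].append(buf.strip())
        if depth == 0:
            hits.append(current)
            current = None
    return hits
```

Running both over the sample, the one-line pattern reports only the EICAR hit, while the parenthesis-tracking parser reports both the EICAR hit and the W32/Malware hit with its report lines attached.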