ClamAVModule and csv files in zip files

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Wed Apr 11 14:40:44 IST 2007


Mick wrote:
> Mick wrote:
>> Scott Silva wrote:
>>> Mick spake the following on 4/9/2007 3:55 AM:
>>>   
>>>> Hello.
>>>>
>>>> I am currently running MailScanner which uses the clamavmodule.  The
>>>> other day, I received 4 emails from ad-noreply at google.com and each of
>>>> these emails has a (non-password protected) zip file and contained
>>>> within each zip file was a file called report.csv.  However, MailScanner
>>>> quarantined them even though clamscan reports that none of the zip files
>>>> are infected.  Placing ad-no-reply at google.com in
>>>> /etc/MailScanner/rules/virus-scan.rules results in those zip files as
>>>> sent from ad-noreply at google.com now passing through unscanned but why
>>>> were the files quarantined in the first place when clamscan says that
>>>> they're uninfected?
>>>>
>>>> Thanks,
>>>> Mick.
>>>>     
>>> Did it say that they were password protected?
>>> Clamavmodule can also choke if they are over its stated limit on how
>>> compressed the file is.
>>> Look in this area of conf;
>>>
>>> # ClamAVModule only: set limits when scanning for viruses.
>>> #
>>> # The maximum recursion level of archives,
>>> # The maximum number of files per batch,
>>> # The maximum file size of each file,
>>> # The maximum compression ratio of archive.
>>> # These settings *cannot* be the filename of a ruleset, only a simple number.
>>> ClamAVmodule Maximum Recursion Level = 10
>>> ClamAVmodule Maximum Files = 1000
>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>>> ClamAVmodule Maximum Compression Ratio = 950
>>>
>>>   
>> Hi Scott.
>>
>> Thanks for the reply.
>>
>>
>>> Did it say that they were password protected?
>>
>> No. They weren't password protected and they weren't reported by 
>> clamscan as being protected.
>>
>>
>> I actually work for a Web Hosting company and the control panel we 
>> use (much to my dismay) is Ensim and the version of MailScanner that 
>> is installed is the one that gets installed when Ensim is installed.  
>> As such, the version of MailScanner that we are currently using is 
>> 4.31.6-1 (and ClamAV 0.88.7)  and so it does not have any of those 
>> ClamAVModule directives that you have mentioned (I'll be upgrading 
>> both within the next week or so).
>>
>> Anyway, the compression ratio is approximately 80%, with the archive 
>> being just a bit smaller than what (Linux) zip 2.3 can do with zip -9.
>>
>>
>> Cheers.
>>
> Ok. A bit more info on this.  This is in MailScanner.conf:
>
> Maximum Archive Depth = 0
> Find Archives By Content = no
> Virus Scanners = clamavmodule
> Allow Password-Protected Archives = no
>
> and seeing as clamscan determined that the zip files contained no 
> viruses, I was curious to see if clamavmodule detected any viruses in 
> the zip files.
> So pinching the code snippet from `perldoc Mail::ClamAV' and replacing
>
>
> my $c = new Mail::ClamAV("/path/to/directory/or/file")
>
> with
>
> my $c = new Mail::ClamAV("/var/clamav/main.cvd")
>
>
> (and afterwards, trying again replacing main.cvd with daily.cvd),
>
>
> and also replacing
>
> my $status = $c->scan(FH, CL_SCAN_ARCHIVE|CL_SCAN_MAIL);
>
> with
>
> my $status = $c->scan("/tmp/report-csv.zip", 0);
>
>
> upon running the perl script, clamavmodule returns:
>
> No virus found!
>
>
> So why is MailScanner detecting them as being viruses and quarantining 
> them (unless I place the sender's address in virus-scan.rules as 
> previously described)?
>
> Cheers.
>
In SweepViruses.pm, you will see that MS calls Mail::ClamAV with the 
following options:
                               Mail::ClamAV::CL_SCAN_STDOPT() |
                               Mail::ClamAV::CL_SCAN_ARCHIVE() |
                               Mail::ClamAV::CL_SCAN_PE() |
                               Mail::ClamAV::CL_SCAN_BLOCKBROKEN() |
                               Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
                               Mail::ClamAV::CL_SCAN_OLE2());

Retry your scan with:
my $status = $c->scan("/tmp/report-csv.zip", CL_SCAN_STDOPT | 
CL_SCAN_ARCHIVE | CL_SCAN_PE | CL_SCAN_BLOCKBROKEN | 
CL_SCAN_BLOCKENCRYPTED | CL_SCAN_OLE2);
and you should see the virus detected.

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
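Added example, not from the thread: a small Perl script that scans the same zip with Mail::ClamAV once per option, from 0 (as in Mick's test) up to the full set SweepViruses.pm passes, so the quarantine can be attributed to one option (e.g. CL_SCAN_BLOCKBROKEN or CL_SCAN_BLOCKENCRYPTED) rather than guessed at. The database directory and file path are placeholders; the limits are the ones Scott quoted from MailScanner.conf.

```perl
#!/usr/bin/perl
# Added example (not MailScanner's or Mail::ClamAV's own code): scan one file
# with several option sets and print the verdict for each, so that the option
# responsible for a "virus" verdict on an otherwise clean archive stands out.
use strict;
use warnings;
use Mail::ClamAV qw(:all);

my $dbdir = shift @ARGV || "/var/clamav";           # placeholder: ClamAV database dir
my $file  = shift @ARGV || "/tmp/report-csv.zip";   # placeholder: archive under test

my $c = Mail::ClamAV->new($dbdir)
    or die "Failed to load database: " . Mail::ClamAV::error() . "\n";
$c->buildtrie;

# Same limits as the ClamAVmodule Maximum ... settings quoted in the thread.
$c->maxreclevel(10);
$c->maxfiles(1000);
$c->maxfilesize(10_000_000);
$c->maxratio(950);

# BLOCKBROKEN / BLOCKENCRYPTED only act on archive contents, so they are
# combined with CL_SCAN_ARCHIVE; the last entry is exactly what MailScanner uses.
my @cases = (
    [ 'none (0)'                  => 0 ],
    [ 'STDOPT'                    => CL_SCAN_STDOPT ],
    [ 'ARCHIVE'                   => CL_SCAN_ARCHIVE ],
    [ 'ARCHIVE|BLOCKBROKEN'       => CL_SCAN_ARCHIVE | CL_SCAN_BLOCKBROKEN ],
    [ 'ARCHIVE|BLOCKENCRYPTED'    => CL_SCAN_ARCHIVE | CL_SCAN_BLOCKENCRYPTED ],
    [ 'MailScanner full set'      => CL_SCAN_STDOPT | CL_SCAN_ARCHIVE | CL_SCAN_PE
                                   | CL_SCAN_BLOCKBROKEN | CL_SCAN_BLOCKENCRYPTED
                                   | CL_SCAN_OLE2 ],
);

for my $case (@cases) {
    my ($name, $opts) = @$case;
    my $status = $c->scan($file, $opts);     # filename form, as in Mick's test
    my $verdict = $status->virus ? "VIRUS: $status"     # stringifies to the name
                : $status->error ? "ERROR: $status"
                :                  "No virus found!";
    printf "%-26s %s\n", $name, $verdict;
}
```

Run it as `perl scanopts.pl /var/clamav /tmp/report-csv.zip`; the first option set whose line changes from "No virus found!" to a VIRUS verdict is the one MailScanner is quarantining on.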

