stopping clamav detecting encrypted zip files
Tony Canning
tonyc at foe.co.uk
Fri Apr 20 16:52:21 IST 2007
Hi, I've been following this thread with interest as I still haven't solved this problem on my network, as posted previously (see below). I have allowed encrypted messages in MailScanner.conf, and disabled everything I can find which might be blocking them, but we still can't send or receive password-protected zip files unless I bypass mailscanner completely.. if anyone can suggest anything further it would be appreciated..
thanks
Tony Canning
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info on behalf of Tony
Canning [tonyc at foe.co.uk]
Sent: 15 March 2007 12:10
To: mailscanner at lists.mailscanner.info
Subject: RE: Problem with password protected spreadsheets
>>Tony Canning wrote:
>> I have a problem which is upsetting several of our network users - password protected excel (.xls) files are not delivered, in-bound or out-bound.
>>
>> I am using MailScanner-4.57.6, with Sophos, ClamAV & Spamassassin under Solaris.
>> Here is a sample of the problem from the system log:
>>
>> Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: ClamAV
>> found 1 infections Mar 13 17:03:31 localhost MailScanner[6078]:
>> Infected message l2DH2wid008740 came from 172.16.1.13 Mar 13 17:03:31
>> localhost MailScanner[6078]: Virus Scanning: Found 1 viruses Mar 13
>> 17:03:31 localhost MailScanner[6078]: <A> tag found in message
>> l2DH2wid008740 from v.harwood-smart at foe.co.uk Mar 13 17:03:31
>> localhost MailScanner[6078]: Virus Scanning completed at 959 bytes
>> per second Mar 13 17:03:31 localhost MailScanner[6078]: Viruses
>> marked as
>> silent: Password protected file ./l2DH2wid008740/rolling phone
>> upgrade gift aid decs.zip/rolling phone upgrade gift aid decs.txt
>>
>> It appears from the above that ClamAV is treating it as false positive virus?
>That's not a password protected XLS, it's a password protected .zip file containing a .txt file.
Yes, you're right of course from the example I provided - here is the same thing happening with a spreadsheet:
Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning: ClamAV found 1 infections Mar 8 10:01:59 localhost MailScanner[25266]: Infected message l28A1aid025590 came from 172.16.1.13 Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning: Found 1 viruses Mar 8 10:01:59 localhost MailScanner[25266]: <A> tag found in message l28A1aid025590 from v.harwood-smart at foe.co.uk Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning completed at 24252 bytes per second Mar 8 10:01:59 localhost MailScanner[25266]: Viruses marked as silent: Password protected file ./l28A1aid025590/Rolling Phone Upgrade Data Output.xls
>> I have the following parameters configured:
>>
>> Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses
>> = no Block Encrypted Messages = no Allow Password-Protected Archives
>> = yes Allowed Sophos Error Messages = "File was encrypted"
>>
>From the looks of it, you're using clamav, not clamavmodule.
do you have the "block-encrypted" option in /usr/lib/MailScanner/clamav-wrapper?
--
No, there is no entry relating the encryption at all.
Thanks
Tony
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
More information about the MailScanner
mailing list