Password Protected .rar files

Drew Marshall drew at technologytiger.net
Sat Apr 28 21:21:02 IST 2007


On 28 Apr 2007, at 15:48, Alex Neuman van der Hans wrote:

> Drew Marshall wrote:
>> Hi all
>>
>> One of my clients has recently been sent a password protected rar  
>> file. The body of the mail is a gif image which uses social  
>> engineering (Based on the user having a virus and the attached  
>> file has the miracle cure) to open this file.
>>
>> This went sailing through MailScanner, passed F-Prot, Clam &  
>> Bitdefender and passed the option to not allow password protected  
>> archive files. I have checked my path to unrar, which is fine and  
>> all the other parameters are all ok too.
>>
> I believe it would help a lot if you sent along a log snippet  
> detailing the ingestion, digestion, and excretion (to put it in  
> biological terms) of this message.

Logs are:

Apr 28 21:10:59 mx1 MailScanner[64228]: MailScanner E-Mail Virus Scanner version 4.58.9 starting...
Apr 28 21:10:59 mx1 MailScanner[64228]: Read 766 hostnames from the phishing whitelist
Apr 28 21:11:00 mx1 MailScanner[64228]: Using SpamAssassin results cache
Apr 28 21:11:00 mx1 MailScanner[64228]: Connected to SpamAssassin cache database
Apr 28 21:11:10 mx1 MailScanner[64228]: I have found bitdefender f-prot clamav scanners installed, and will use them all by default
Apr 28 21:11:10 mx1 MailScanner[64228]: ClamAV scanner using unrar command /usr/local/bin/unrar
Apr 28 21:11:10 mx1 MailScanner[64228]: Using locktype = flock
Apr 28 21:11:10 mx1 MailScanner[64228]: New Batch: Scanning 1 messages, 96537 bytes
Apr 28 21:11:10 mx1 MailScanner[64228]: Spam Checks: Starting
Apr 28 21:11:10 mx1 MailScanner[64228]: SpamAssassin cache hit for message 3244233C40.B1672
Apr 28 21:11:11 mx1 MailScanner[64228]: Virus and Content Scanning: Starting
Apr 28 21:11:43 mx1 MailScanner[64228]: Requeue: 8BF3933C9B.0C3E3 to B69D033CDA
Apr 28 21:11:43 mx1 MailScanner[64228]: Uninfected: Delivered 1 messages
Apr 28 21:11:43 mx1 MailScanner[64228]: MailScanner child dying of old age
Apr 28 21:11:43 mx1 postfix/qmgr[852]: B69D033CDA: from=<drew at technologytiger.net>, size=93454, nrcpt=1 (queue active)
Apr 28 21:11:43 mx1 postfix/virtual[65956]: B69D033CDA: to=<drew at technologytiger.net>, relay=virtual, delay=57, delays=57/0.05/0/0.
Apr 28 21:11:43 mx1 postfix/qmgr[852]: B69D033CDA: removed


>
> It also helps if you can reproduce the problem. Can you send the  
> rarfile through again?

Yes, and I can send it to anyone who fancies :-) or just put the  
files up for download, depending on whether they are of use.

> Same results?

Yes

> If so, try to turn on all logging features in MailScanner and copy  
> the relevant bits to the list ... I'm sure someone will be able to  
> help.

Here's the output from debug mode (no point in debugging SA, as that's not an issue!):

Starting mailscanner.
In Debugging mode, not forking...
max message size is '41000 trackback'
Line is ****-------------------------------1177790949--
****
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature
at /usr/local/sbin/mailscanner line 832
DisarmPhishingFound = 0 on message 8BF3933C9B.0C3E3
Stopping now as you are debugging me.


>
> You also have to make sure some easy-to-overlook things haven't  
> happened, such as "scan messages = no" triggered by a ruleset, your  
> MTA running by itself for whatever reason (instead of "in tandem"  
> with MailScanner), etc.

No such issue. FreeBSD here, and that always starts the process  
separately for Postfix (which suits me well!), and it's Postfix, so no  
worries about bypassing second instances and such like. No rulesets  
for file type scanning, so that should be OK.

Drew

-- 
In line with our policy, this message has been scanned 
for viruses and dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ
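Added example, not part of the thread or of MailScanner itself: a stand-alone Python walk over RAR 2.x-4.x block headers that flags the two cases a mail scanner should refuse to wave through, an entry whose data is password-encrypted and an archive whose headers are themselves encrypted (so even the file names are hidden). The sample archives are constructed inline, the layout constants follow the published RAR4 block format, and header CRCs are deliberately not verified; RAR5 archives use a different layout and are rejected.

```python
import struct

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"  # RAR 2.x-4.x marker; RAR5 ("Rar!\x1a\x07\x01\x00") differs and is out of scope
HEAD_MAIN, HEAD_FILE = 0x73, 0x74     # block types: archive (main) header, file header
MHD_PASSWORD = 0x0080                 # main-header flag: the block headers themselves are encrypted
LHD_PASSWORD = 0x0004                 # file-header flag: this entry's data is encrypted
LONG_BLOCK = 0x8000                   # header carries an ADD_SIZE field (PACK_SIZE for file headers)


def rar4_password_protected(data: bytes) -> bool:
    """True if the archive has encrypted headers or any password-protected entry (CRCs not verified)."""
    if not data.startswith(RAR4_SIGNATURE):
        raise ValueError("not a RAR 2.x-4.x archive")
    pos = len(RAR4_SIGNATURE)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            raise ValueError("corrupt block header")
        add_size = 0
        if flags & LONG_BLOCK:
            if pos + 11 > len(data):
                break  # truncated: no room for ADD_SIZE
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == HEAD_MAIN and flags & MHD_PASSWORD:
            return True  # encrypted headers: even the file names are hidden from a scanner
        if htype == HEAD_FILE and flags & LHD_PASSWORD:
            return True  # at least one entry cannot be unpacked and scanned without the password
        pos += hsize + add_size  # skip the header plus any packed data that follows it
    return False


def _block(htype: int, flags: int, body: bytes = b"", data: bytes = b"") -> bytes:
    """Constructed test helper: one block with a zero CRC (the checker above ignores CRCs)."""
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body + data


def _file_header(flags: int, name: bytes, payload: bytes) -> bytes:
    """Constructed test helper: minimal RAR4 file header (store method) plus its packed data."""
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR, then the name
    fixed = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0, 29, 0x30, len(name), 0x20)
    return _block(HEAD_FILE, flags | LONG_BLOCK, fixed + name, payload)


# Constructed sample archives (not real attachments); the main header body is 6 reserved bytes.
MAIN = _block(HEAD_MAIN, 0, bytes(6))
PLAIN_SAMPLE = RAR4_SIGNATURE + MAIN + _file_header(0, b"readme.txt", b"hello")
ENCRYPTED_SAMPLE = RAR4_SIGNATURE + MAIN + _file_header(LHD_PASSWORD, b"file.bin", bytes(16))
HEADER_ENCRYPTED_SAMPLE = RAR4_SIGNATURE + _block(HEAD_MAIN, MHD_PASSWORD, bytes(6))

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_SAMPLE), ("entry", ENCRYPTED_SAMPLE), ("headers", HEADER_ENCRYPTED_SAMPLE)]:
        print(f"{label}: password protected = {rar4_password_protected(sample)}")
```

Run against a real attachment, a True result is the point at which a filter should quarantine rather than hand the archive to engines that cannot look inside it.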