MailScanner is ignoring some ClamAV 'viruses' from NDB signaturedatabases

Kash, Howard (Civ, ARL/CISD) hmkash at arl.army.mil
Wed Feb 21 02:08:31 CET 2007


I've reported the same problem multiple times before with McAfee (both on list and in private):
 
http://lists.mailscanner.info/pipermail/mailscanner/2006-October/066261.html
 
Seems that if a silent virus is only detected in the .header file and not in the attachment itself, it is not properly flagged as silent.  This becomes much more prevalent if you set "Max Spam Check Size" to a relatively low value (say 150k) since larger virus emails which are typically also blocked as spam start getting through (the virus doesn't get through, but the disinfected message does, even though it should have been dropped as a silent virus).
 
 
Howard
 

________________________________

From: mailscanner-bounces at lists.mailscanner.info on behalf of Quentin Campbell
Sent: Tue 2/20/2007 3:50 AM
To: MailScanner discussion
Subject: MailScanner is ignoring some ClamAV 'viruses' from NDB signaturedatabases



I recently started using some of the extra .NDB/.HDB signature databases
for ClamAV from Sanesecurity - http://www.sanesecurity.com/clamav/.

In some cases MailScanner is recognising a 'virus' detected by these but
is still delivering the message rather than dropping it silently. All
the log entries for messages behaving this way appear to have a
corrupted path name in the virus "FOUND" log record from MailScanner:

Feb 20 08:00:07 cheviot1 MailScanner[26921]:
/var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header:
Email.Spam.Gen103.Sanesecurity.07011703 FOUND

[the faulty part above is "/l1K7xWrE017195.header:"]

The "...MailScanner[12345]: Infected message..." log record also appears
to be corrupt and has lost information:

Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message
l1K7xWrE017195.header came from

[missing the IP address after the "from"]

A correctly formed virus "FOUND" log record from MailScanner should look
like:

Feb 20 08:26:45 cheviot1 MailScanner[27169]:
/var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html: Html.Img.Gen013.Sanesecurity.06112900 FOUND

and the "...MailScanner[12345]: Infected message..." log record should
look like:

Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message
l1K8QOTB029479 came from 77.124.14.204

The fault occurs with MailScanner-4.57.6-1 running with either
ClamAV-0.87.7 or ClamAV-0.90.

Appended are the full set of log records for: (1) a message whose
handling shows the bug, and (2) a message whose handling was as
expected.

Quentin Campbell
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------


---- extracts from the Sendmail logs

Below are the log records for a 'virus' message that should have been
dropped silently:

Feb 20 07:59:49 cheviot1 sendmail[17195]: l1K7xWrE017195:
from=<kapprentice at sbcglobal.net>, size=1500, class=0, nrcpts=1,
msgid=<432422272.75323578912331 at thebat.net>, proto=ESMTP, daemon=MTA,
relay=BT-LOADED-PPP15.BTI.NET.PH [203.115.176.15] (may be forged)
Feb 20 07:59:49 cheviot1 sendmail[17195]: l1K7xWrE017195:
to=<XXX.YYY at ncl.ac.uk>, delay=00:00:04, mailer=esmtp, pri=31500,
stat=queued
Feb 20 07:59:57 cheviot1 MailScanner[26921]: Message l1K7xWrE017195 from
203.115.176.15 (kapprentice at sbcglobal.net) to ncl.ac.uk is spam,
SpamAssassin (not cached, score=6.732, required 6, autolearn=disabled,
DATE_IN_PAST_96_XX 1.57, RAZOR2_CF_RANGE_51_100 0.50,
RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, SARE_LWHUGE 1.00,
SARE_LWSYMFMT 1.66)
Feb 20 08:00:04 cheviot1 MailScanner[26921]: Spam Actions: message
l1K7xWrE017195 actions are attachment,deliver
Feb 20 08:00:07 cheviot1 MailScanner[26921]:
/var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header:
Email.Spam.Gen103.Sanesecurity.07011703 FOUND
Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message
l1K7xWrE017195.header came from
Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195: SMTP outgoing
connect on cheviot1.ncl.ac.uk
Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195:
to=<XXX.YYY at ncl.ac.uk>, delay=00:00:23, xdelay=00:00:00, mailer=esmtp,
pri=121500, relay=cyrus.ncl.ac.uk. [128.240.233.238], dsn=2.0.0,
stat=Sent (l1K808jg011667 Message accepted for delivery)
Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195: done;
delay=00:00:23, ntries=1

----

Below are the log records for a 'virus' message that was correctly
handled:

Feb 20 08:26:31 cheviot1 sendmail[29479]: l1K8QOTB029479:
from=<l.a.hogarth at ncl.ac.uk>, size=13226, class=0, nrcpts=1,
msgid=<000901c754c8$cdeb22c0$017fe9fc at usyvimkq>, proto=ESMTP,
daemon=MTA, relay=IGLD-77-124-14-204.inter.net.il [77.124.14.204] (may
be forged)
Feb 20 08:26:31 cheviot1 sendmail[29479]: l1K8QOTB029479:
to=<AAA.BBB at ncl.ac.uk>, delay=00:00:02, mailer=esmtp, pri=43226,
stat=queued
Feb 20 08:26:33 cheviot1 MailScanner[27169]: Message l1K8QOTB029479 from
77.124.14.204 (AAA.BBB at ncl.ac.uk) is whitelisted
Feb 20 08:26:45 cheviot1 MailScanner[27169]:
/var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html: Html.Img.Gen013.Sanesecurity.06112900 FOUND
Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message
l1K8QOTB029479 came from 77.124.14.204
Feb 20 08:26:46 cheviot1 MailScanner[27169]: HTML Img tag found in
message l1K8QOTB029479 from AAA.BBB at ncl.ac.uk
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
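Both messages in this thread describe the same failure pattern: a ClamAV signature hits the `.header` file rather than an attachment inside the message directory, the "Infected message ... came from" record loses its source IP, and the message is delivered instead of being dropped as a silent virus. The script below is an added example, not code from the thread, from MailScanner or from Sanesecurity; it is a small log audit a mail administrator could run over the syslog lines to catch exactly that combination. The sample log is constructed from the records quoted above (wrapped lines rejoined); the regular expressions assume the MailScanner and sendmail record shapes shown on this page and nothing beyond them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample log, built from the two cases quoted in the thread:
# the ".header" hit that was delivered anyway, and the attachment hit that
# was handled correctly. Line wrapping from the mail client has been undone.
SAMPLE_LOG = """\
Feb 20 07:59:49 cheviot1 sendmail[17195]: l1K7xWrE017195: from=<kapprentice at sbcglobal.net>, size=1500, class=0, nrcpts=1, msgid=<432422272.75323578912331 at thebat.net>, proto=ESMTP, daemon=MTA, relay=BT-LOADED-PPP15.BTI.NET.PH [203.115.176.15] (may be forged)
Feb 20 08:00:07 cheviot1 MailScanner[26921]: /var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header: Email.Spam.Gen103.Sanesecurity.07011703 FOUND
Feb 20 08:00:08 cheviot1 MailScanner[26921]: Infected message l1K7xWrE017195.header came from
Feb 20 08:00:08 cheviot1 sendmail[17500]: l1K7xWrE017195: to=<XXX.YYY at ncl.ac.uk>, delay=00:00:23, xdelay=00:00:00, mailer=esmtp, pri=121500, relay=cyrus.ncl.ac.uk. [128.240.233.238], dsn=2.0.0, stat=Sent (l1K808jg011667 Message accepted for delivery)
Feb 20 08:26:45 cheviot1 MailScanner[27169]: /var/spool/MailScanner/incoming/27169/./l1K8QOTB029479/msg-27169-879.html: Html.Img.Gen013.Sanesecurity.06112900 FOUND
Feb 20 08:26:46 cheviot1 MailScanner[27169]: Infected message l1K8QOTB029479 came from 77.124.14.204
"""

# ClamAV "FOUND" record as MailScanner logs it; "rest" is everything after "./".
FOUND_RE = re.compile(
    r"MailScanner\[\d+\]: /var/spool/MailScanner/incoming/\d+/\./(?P<rest>\S+): (?P<sig>\S+) FOUND$"
)
# "Infected message <id> came from <ip>"; the IP group is allowed to be empty
# so the truncated record from the thread is captured rather than skipped.
INFECTED_RE = re.compile(r"MailScanner\[\d+\]: Infected message (?P<id>\S+) came from\s*(?P<ip>\S*)$")
# sendmail delivery record for the same queue id.
SENT_RE = re.compile(r"sendmail\[\d+\]: (?P<id>\w+): to=<[^>]*>.*stat=Sent")


def message_id_from_scan_path(rest: str):
    """Map the scanned path (after './') to (queue id, where the hit was).

    Attachments live under a directory named after the queue id, so a '/'
    means an attachment hit. A bare '<id>.header' is a hit on the header
    file itself, which is the case the thread reports as mishandled.
    """
    if "/" in rest:
        return rest.split("/", 1)[0], "attachment"
    if rest.endswith(".header"):
        return rest[: -len(".header")], "header"
    return rest, "unknown"


@dataclass
class MessageReport:
    msgid: str
    signatures: List[str] = field(default_factory=list)
    hit_locations: Set[str] = field(default_factory=set)
    malformed_infected_record: bool = False
    source_ip: Optional[str] = None
    delivered: bool = False

    def needs_attention(self) -> bool:
        # Either symptom from the thread: the "came from" record lost its IP,
        # or a message with a signature hit still reached the next hop.
        return self.malformed_infected_record or (bool(self.signatures) and self.delivered)


def audit(log_text: str) -> Dict[str, MessageReport]:
    """Correlate FOUND, Infected-message and sendmail delivery records by queue id."""
    reports: Dict[str, MessageReport] = {}

    def report(mid: str) -> MessageReport:
        return reports.setdefault(mid, MessageReport(mid))

    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            mid, where = message_id_from_scan_path(m.group("rest"))
            r = report(mid)
            r.signatures.append(m.group("sig"))
            r.hit_locations.add(where)
            continue
        m = INFECTED_RE.search(line)
        if m:
            mid, _ = message_id_from_scan_path(m.group("id"))
            r = report(mid)
            if m.group("ip"):
                r.source_ip = m.group("ip")
            else:
                r.malformed_infected_record = True
            continue
        m = SENT_RE.search(line)
        if m:
            report(m.group("id")).delivered = True
    return reports


def suspicious_messages(reports: Dict[str, MessageReport]) -> List[str]:
    """Queue ids that show the delivered-despite-detection pattern."""
    return sorted(mid for mid, r in reports.items() if r.needs_attention())


if __name__ == "__main__":
    for mid in suspicious_messages(audit(SAMPLE_LOG)):
        r = audit(SAMPLE_LOG)[mid]
        print(mid, sorted(r.hit_locations), r.signatures, "delivered" if r.delivered else "held")
```

Run against a real maillog the audit lists every queue id whose detection came only from the `.header` file or whose "Infected message" record is missing the source address, which is the set of messages worth re-checking by hand until the silent-virus handling is fixed.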