zero byte exe files filling quarantine, help!!
Jeff A. Earickson
jaearick at colby.edu
Tue Jan 30 16:14:32 CET 2007
On Tue, 30 Jan 2007, Drew Marshall wrote:
> Date: Tue, 30 Jan 2007 14:47:12 -0000 (UTC)
> From: Drew Marshall <drew at technologytiger.net>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: zero byte exe files filling quarantine, help!!
>
> On Tue, January 30, 2007 14:28, Jeff A. Earickson wrote:
>> Gang,
>>
>> I'm running beta version 4.58.7, and I've noticed this morning that a
>> ton of stuff is getting dumped into my MailScanner quarantine
>> directory. Everything that ends up there is a zero-byte exe
>> file like "postcard.exe" or "Greeting Card.exe" (virus?), that
>> generates a quarantine message back to the sender. These quarantine
>> messages will make MailScanner look **bad**. Version 4.57.7 does this
>> too. Running Sophos 4.14 and the latest clam.
>>
>> The only quick fix I could think of was to change "Quarantine
>> Infections" from yes to no. Anybody else seeing this issue??
>
> I found this issue a while ago and Jason Desai was able to provide a fix:
>
> ---- Quote ----
> Sorry for the late reply - still catching up on the list. I just dealt
> with this recently. Here's what I did. I modified languages.conf,
> changing AttachmentTooSmall to be "Attachment is too small (too-small)".
> For completeness, I changed AttachmentTooLarge in the same way. Then I
> modified MailScanner.conf, and added "too-small" to the list of Silent
> Viruses. This seems to prevent notifications. You don't have to use
> "too-small", you could use some other string which has no spaces in
> AttachmentTooSmall and Silent Viruses.
>
> ----Quote Ends -----
>
> The small files then get treated like viruses rather than invalid file
> types so you can then play games with silent viruses and quarantine rule
> sets etc.
Tried this, didn't work, don't know why... Glenn Steen's mention of
"Notify Senders Of Blocked Filenames Or Filetypes" looks like a good
hack. I wrote a ruleset to notify internal users, but not external
ones. Testing this now...
Jeff Earickson
Colby College
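
A sketch of the ruleset approach mentioned in the reply above, added here as an example and not taken from the thread or from the poster's own configuration. The ruleset file name, the use of colby.edu as the internal domain, and the 192.0.2. prefix are assumptions for illustration.

```conf
# --- MailScanner.conf ---
# Point the option at a ruleset instead of a plain yes/no.
# The file name is hypothetical; %rules-dir% is MailScanner's own variable.
Notify Senders Of Blocked Filenames Or Filetypes = %rules-dir%/notify.blocked.senders.rules

# --- %rules-dir%/notify.blocked.senders.rules ---
# Each rule is: <direction>  <pattern>  <value>
# The first rule that matches decides the value.

# Assumption: colby.edu is the internal domain (taken from the poster's
# address). Internal senders are told their attachment was blocked.
From:       *@colby.edu     yes

# A sender address is easy to forge, and mass-mailing malware often does
# so, which means the rule above can still notify a spoofed internal
# address. Matching on the submitting client's IP prefix is stricter.
# 192.0.2. is a documentation prefix used here as a placeholder.
# From:     192.0.2.        yes

# Everyone else: the attachment is still blocked and quarantined,
# but no notice goes back to the (probably forged) sender.
FromOrTo:   default         no
```

MailScanner needs a reload after the change for the new ruleset to be read.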