zero byte exe files filling quarantine, help!!
Denis Beauchemin
Denis.Beauchemin at USherbrooke.ca
Tue Jan 30 16:34:51 CET 2007
Drew Marshall wrote:
> On Tue, January 30, 2007 14:28, Jeff A. Earickson wrote:
>
>> Gang,
>>
>> I'm running beta version 4.58.7, and I've noticed this morning that a
>> ton of stuff is getting dumped into my MailScanner quarantine
>> directory. Everything that ends up there is a zero-byte exe
>> file like "postcard.exe" or "Greeting Card.exe" (virus?), that
>> generates a quarantine message back to the sender. These quarantine
>> messages will make MailScanner look **bad**. Version 4.57.7 does this
>> too. Running sophos 4.14 and the latest clam.
>>
>> The only quick fix I could think of was to change "Quarantine
>> Infections" from yes to no. Anybody else seeing this issue??
>>
>
> I found this issue a while ago and Jason Desai was able to provide a fix:
>
> ---- Quote ----
> Sorry for the late reply - still catching up on the list. I just dealt
> with this recently. Here's what I did. I modified languages.conf,
> changing AttachmentTooSmall to be "Attachment is too small (too-small)".
> For completeness, I changed AttachmentTooLarge in the same way. Then I
> modified MailScanner.conf, and added "too-small" to the list of Silent
> Viruses. This seems to prevent notifications. You don't have to use
> "too-small", you could use some other string which has no spaces in
> AttachmentTooSmall and Silent Viruses.
>
> ----Quote Ends -----
>
> The small files then get treated like viruses rather than invalid file
> types so you can then play games with silent viruses and quarantine rule
> sets etc.
>
> HTH
>
> Drew
>
This looks interesting. I had already written an SA rule that seems to
catch most of them:

describe UDES_GREET01 Virus often with zero-byte file
full UDES_GREET01 /filename=\"(greeting|Flash)?\s*(post\s*)?card\.exe\"/i
score UDES_GREET01 50

Of course it will also match legit files with the same name... but
since I already block EXEs, the only difference will be that people will
not receive a notification about a quarantined EXE with these names.
Denis
--
_
°v° Denis Beauchemin, analyste
/(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x62252 F: 819.821.8045
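The check Denis's rule performs, as an added example written for this page rather than taken from the post or from MailScanner: it parses a message, applies the same filename pattern as the SpamAssassin rule, and additionally reports attachments that are zero bytes long, which is the property that caused the quarantine notifications in the first place. The regex is transcribed from the rule above; the function names, the sample message and its addresses are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Filename pattern transcribed from the UDES_GREET01 rule in the post:
# optional "greeting"/"flash", optional "post", then "card.exe", case-insensitive.
GREETING_EXE = re.compile(r"^(greeting|flash)?\s*(post\s*)?card\.exe$", re.IGNORECASE)


def find_suspect_attachments(raw: bytes):
    """Return (filename, size, reasons) for every attachment that is either
    zero bytes long or carries one of the greeting-card .exe names."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if len(payload) == 0:
            reasons.append("zero-byte")          # the symptom in the thread
        if GREETING_EXE.match(name):
            reasons.append("greeting-card-name")  # the SA rule's condition
        if reasons:
            findings.append((name, len(payload), reasons))
    return findings


def build_sample(filename: str, content: bytes) -> bytes:
    """Construct a test message with one attachment (constructed sample data,
    not a real captured message)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You have received a greeting card"
    msg.set_content("Open the attachment to view your card.")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, body in [("Greeting Card.exe", b""), ("postcard.exe", b"MZ"), ("report.pdf", b"%PDF")]:
        print(fname, find_suspect_attachments(build_sample(fname, body)))
```

A zero-byte attachment with a legitimate name is still reported, so the size check catches the quarantine-filling files even when the sender varies the name.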