Password Protected Archives

Derek Buttineau derek at csolve.net
Fri Oct 22 14:12:27 IST 2010


I worked around the PPA change in config (basically disallowed them if virus scanning is enabled but allowed them if vice versa), however I've uncovered another change/issue.

It appears that as long as there is a virus scanner defined, the message is being scanned for viruses regardless of the setting of Virus Scanning, though when Virus Scanning is set to no there is no action taken, but the message is still passed through the virus engine.  This doesn't seem right.

For example, here are logs from the same message split into individual queue messages by recipient:

Virus Scanning on (correct behaviour):

Oct 22 08:48:18 minasithil mailguard_splitter[1163]: Split 1P9H2f-000Bfy-9I S=Test 2010-10-22 Text File Eicar Test #5 NO VScan from <lock at csolve.net> into 1P9H2g-0000Il-97 H=mail.csolve.net[207.164.80.200] => derek at csolve.net
Oct 22 08:48:19 minasithil MailScanner[39911]: Clamd::INFECTED:: Eicar-Test-Signature :: ./1P9H2g-0000Il-97/eicar.txt 
Oct 22 08:48:19 minasithil MailScanner[39911]: Infected message 1P9H2g-0000Il-97 came from 207.164.80.200 
Oct 22 08:48:19 minasithil MailScanner[39911]: Saved entire message to /var/spool/MailScanner/quarantine/20101022/1P9H2g-0000Il-97 
Oct 22 08:48:19 minasithil MailScanner[39911]: Saved infected "eicar.txt" to /var/spool/MailScanner/quarantine/20101022/1P9H2g-0000Il-97 

Virus Scanning off (weird behaviour):

Oct 22 08:48:18 minasithil mailguard_splitter[1163]: Split 1P9H2f-000Bfy-9I S=Test 2010-10-22 Text File Eicar Test #5 NO VScan from <lock at csolve.net> into 1P9H2g-0000Il-96 H=mail.csolve.net[207.164.80.200] => test at csolve.net 
Oct 22 08:48:19 minasithil MailScanner[39911]: Clamd::INFECTED:: Eicar-Test-Signature :: ./1P9H2g-0000Il-96/eicar.txt 
Oct 22 08:48:20 minasithil MailScanner[39911]: Message 1P9H2g-0000Il-96 from 207.164.80.200 (lock at csolve.net) to csolve.net is not spam, SpamAssassin (not cached, score=-3.01, required 0, autolearn=disabled, ALL_TRUSTED -4.00, NO_REAL_NAME 1.00, T_RP_MATCHES_RCVD -0.01) 
Oct 22 08:48:20 minasithil exim.out[44903]: 1P9H2g-0000Il-96 => test at csolve.net R=mailertable_router T=remote_smtp H=mail.csolve.net [207.164.80.200]
Oct 22 08:48:20 minasithil exim.out[44903]: 1P9H2g-0000Il-96 Completed

Message still comes through fine, but it shouldn't have been passed to ClamD.  Will see if I can figure out what's causing that.

Derek

On 2010-10-22, at 7:42 AM, Derek Buttineau wrote:

> I used to be attached to Virus Scanning = yes/no for this particular reason, if you weren't scanning for viruses, it didn't really matter if there was a password protected archive or not.
> 
> With this latest update, even if Virus Scanning = no it'll still stop password protected zips if Allow Password-Protected Archives = no.
> 
> I can work around that with a rule set, but it's definitely been changed.
> 
> Derek
> 
> On 2010-10-21, at 6:37 PM, Scott Silva wrote:
> 
>> I believe it was always supposed to work this way... Maybe it was broken
>> before. It wouldn't have any bearing on virus scanning because a virus scanner
>> can't scan inside them anyway, and never could.
> 
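The mismatch visible in the two log excerpts above (a Clamd INFECTED line followed by normal delivery with no quarantine entry) can be checked for mechanically by correlating syslog lines on the queue ID. This is an added example, not part of the original post or of MailScanner; the function name, the regular expressions and the abridged sample log are assumptions modelled on the lines quoted in the post.

```python
import re

# Exim-style queue ID as it appears in the quoted logs, e.g. 1P9H2g-0000Il-96
ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"

# Patterns inferred from the log lines in the post (assumed formats, not a MailScanner spec).
INFECTED = re.compile(r"MailScanner\[\d+\]: \w+::INFECTED:: (\S+) :: \./(" + ID + r")/")
ACTED = re.compile(r"MailScanner\[\d+\]: (?:Infected message |Saved entire message to \S*/)(" + ID + r")\b")
DELIVERED = re.compile(r"exim\S*\[\d+\]: (" + ID + r") (?:=>|Completed)")

# Constructed sample: abridged from the post's excerpts, plus one invented clean message (last two lines).
SAMPLE_LOG = """\
Oct 22 08:48:19 minasithil MailScanner[39911]: Clamd::INFECTED:: Eicar-Test-Signature :: ./1P9H2g-0000Il-97/eicar.txt
Oct 22 08:48:19 minasithil MailScanner[39911]: Infected message 1P9H2g-0000Il-97 came from 207.164.80.200
Oct 22 08:48:19 minasithil MailScanner[39911]: Saved entire message to /var/spool/MailScanner/quarantine/20101022/1P9H2g-0000Il-97
Oct 22 08:48:19 minasithil MailScanner[39911]: Clamd::INFECTED:: Eicar-Test-Signature :: ./1P9H2g-0000Il-96/eicar.txt
Oct 22 08:48:20 minasithil exim.out[44903]: 1P9H2g-0000Il-96 => test at csolve.net R=mailertable_router T=remote_smtp
Oct 22 08:48:20 minasithil exim.out[44903]: 1P9H2g-0000Il-96 Completed
Oct 22 08:48:21 minasithil exim.out[44903]: 1P9H2h-0000Jx-01 => test at csolve.net R=mailertable_router T=remote_smtp
Oct 22 08:48:21 minasithil exim.out[44903]: 1P9H2h-0000Jx-01 Completed
"""


def scanned_but_unactioned(log_text):
    """Return {queue_id: signature} for messages the virus engine flagged
    that were later delivered with no infection or quarantine action logged."""
    flagged, acted, delivered = {}, set(), set()
    for line in log_text.splitlines():
        if m := INFECTED.search(line):
            flagged[m.group(2)] = m.group(1)
        elif m := ACTED.search(line):
            acted.add(m.group(1))
        elif m := DELIVERED.search(line):
            delivered.add(m.group(1))
    return {mid: sig for mid, sig in flagged.items()
            if mid in delivered and mid not in acted}


if __name__ == "__main__":
    for mid, sig in scanned_but_unactioned(SAMPLE_LOG).items():
        print(f"{mid}: flagged as {sig} but delivered without action")
```

A hit can mean either that scanning was disabled for the recipient while the engine still ran, as described in the post, or that a flagged message slipped through; the queue ID tells you which recipient's settings to check.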