Virus attachments not replaced with warning text

Steve stratos.td at gmail.com
Wed Sep 1 15:38:01 IST 2010


On 26 August 2010 15:24, Steve <stratos.td at gmail.com> wrote:
>
> On 6 August 2010 11:59, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>>
>> I cannot reproduce your problem.
>> Please can you try the latest beta and see if it works there?
>
> A classic case of PEBKAC error ...
>
> I found that one of the spool directories did not have correct permissions set - it all seems to work fine now.

Maybe not...

The Eicar test ZIP file gets replaced with the warning message just fine,
but I've just received a spam with a ZIP that was flagged with
{Virus?} but the attachment was included.

I tested by sending myself 2 emails, one with Eicar test ZIP and one
with the ZIP from the spam - again first message has attachment
replaced, second one does not. Looking at the headers they are
slightly different:

Eicar test file:
---
Subject: {Virus?} Test
Content-Type: multipart/mixed;
 boundary="------------040802060109070101060608"
X-Scruffy-MailScanner-ID: 1Oqnw6-0007Mq-F5
X-Scruffy-MailScanner: Found to be infected
X-Scruffy-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=-0.691, required 6, ALL_TRUSTED -1.80, BAYES_05 -1.11,
	TVD_SPACE_RATIO 2.22)
X-Scruffy-MailScanner-From: xxx at xxx.com
X-Scruffy-MailScanner-Watermark: 1283954731.23856 at ppFAGVQJ7im9oTW9bM+Pug
X-Spam-Status: No
---

Message with spam ZIP file (note that SpamCheck is blank):
---
Subject: {Virus?} Test
Content-Type: multipart/mixed;
 boundary="------------080203010100020401050702"
X-Scruffy-MailScanner-ID: 1Oqnv1-0007Lz-LX
X-Scruffy-MailScanner: Found to be infected
X-Scruffy-MailScanner-SpamCheck:
X-Scruffy-MailScanner-From: xxx at xxx.com
X-Scruffy-MailScanner-Watermark: 1283954665.75581 at F6qXL9D+LoY4rSmJxh/J+w
---

Looking at the syslog output it is also slightly different:

Eicar file:
---
Sep  1 15:05:31 scruffy MailScanner[27290]: New Batch: Scanning 1
messages, 1909 bytes
Sep  1 15:05:31 scruffy MailScanner[27290]: Virus and Content Scanning: Starting
Sep  1 15:05:36 scruffy MailScanner[27290]:
./1Oqnw6-0007Mq-F5/eicarcom2.zip: Eicar-Test-Signature FOUND
Sep  1 15:05:36 scruffy MailScanner[27290]: Virus Scanning: ClamAV
found 1 infections
Sep  1 15:05:36 scruffy MailScanner[27290]: Infected message
1Oqnw6-0007Mq-F5 came from 1.2.3.4
Sep  1 15:05:36 scruffy MailScanner[27290]: Virus Scanning: Found 1 viruses
Sep  1 15:05:36 scruffy MailScanner[27290]: Saved infected
"eicarcom2.zip" to
/var/spool/MailScanner/quarantine/20100901/1Oqnw6-0007Mq-F5
Sep  1 15:05:39 scruffy MailScanner[27290]: Cleaned: Delivered 1
cleaned messages
---

Message with spam ZIP file:
---
Sep  1 15:04:26 scruffy MailScanner[26910]: Virus and Content Scanning: Starting
Sep  1 15:04:30 scruffy MailScanner[26910]:
./1Oqnv1-0007Lz-LX/Postal_Label_NR2147b.zip: Suspect.Bredozip-zippwd-6
FOUND
Sep  1 15:04:31 scruffy MailScanner[26910]: Virus Scanning: ClamAV
found 1 infections
Sep  1 15:04:31 scruffy MailScanner[26910]: Infected message
1Oqnv1-0007Lz-LX came from 1.2.3.4
Sep  1 15:04:31 scruffy MailScanner[26910]: Virus Scanning: Found 1 viruses
Sep  1 15:04:31 scruffy MailScanner[26910]: Silent: Delivered 1
messages containing silent viruses
---

So it looks like the attachment is not being removed because it is
treated as a silent virus?

My silent virus settings are:

Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = yes
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Zip-Password

I guess "eicar" is matched (not sure if "Non-Forging Viruses" is
case-sensitive, or not) but the comments in the config file explicitly
say (for "Still Deliver Silent Viruses"): "Still deliver (after
cleaning) messages that contained viruses listed in the above option
("Silent Viruses") to the recipient?". But for whatever reason the
cleaning step is not done here.

I still haven't tested this with the latest beta (it's a production
box, so not easy to do...).

Are there any known issues with 4.79.11 that would cause this?


Thanks,

Steve.
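As an added example (not from the original thread and not MailScanner code), a small Python triage script that reads the two syslog excerpts above, groups records per scanner PID (one batch), and reports for each message ID what ClamAV flagged, whether a quarantine copy was saved, and whether the batch was logged as Cleaned or Silent. The "attachment likely delivered" flag is the heuristic the post describes, not a MailScanner rule, and the script assumes one message per batch as in the excerpts.

```python
import re
from collections import defaultdict

# Syslog excerpts transcribed from the thread above (the archive's wrapped
# lines rejoined so each syslog record is one line).
SAMPLE_LOG = """\
Sep  1 15:05:31 scruffy MailScanner[27290]: New Batch: Scanning 1 messages, 1909 bytes
Sep  1 15:05:36 scruffy MailScanner[27290]: ./1Oqnw6-0007Mq-F5/eicarcom2.zip: Eicar-Test-Signature FOUND
Sep  1 15:05:36 scruffy MailScanner[27290]: Saved infected "eicarcom2.zip" to /var/spool/MailScanner/quarantine/20100901/1Oqnw6-0007Mq-F5
Sep  1 15:05:39 scruffy MailScanner[27290]: Cleaned: Delivered 1 cleaned messages
Sep  1 15:04:26 scruffy MailScanner[26910]: Virus and Content Scanning: Starting
Sep  1 15:04:30 scruffy MailScanner[26910]: ./1Oqnv1-0007Lz-LX/Postal_Label_NR2147b.zip: Suspect.Bredozip-zippwd-6 FOUND
Sep  1 15:04:31 scruffy MailScanner[26910]: Silent: Delivered 1 messages containing silent viruses
"""

RECORD = re.compile(r"MailScanner\[(\d+)\]: (.*)$")          # pid, message
FOUND = re.compile(r"^\./([^/]+)/(.+?): (\S+) FOUND$")        # msgid, file, signature
SAVED = re.compile(r'^Saved infected "(.+)" to \S+/([^/\s]+)$')  # file, msgid

def triage(log_text):
    """Return {msg_id: {attachments, quarantined, delivery, attachment_likely_delivered}}."""
    batches = defaultdict(lambda: {"msgs": {}, "delivery": None})
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        b = batches[pid]  # one scanner process = one batch
        f, s = FOUND.match(msg), SAVED.match(msg)
        if f:
            msg_id, attachment, signature = f.groups()
            info = b["msgs"].setdefault(msg_id, {"attachments": [], "quarantined": False})
            info["attachments"].append((attachment, signature))
        elif s:
            attachment, msg_id = s.groups()
            b["msgs"].setdefault(msg_id, {"attachments": [], "quarantined": False})["quarantined"] = True
        elif msg.startswith("Cleaned: Delivered"):
            b["delivery"] = "cleaned"
        elif msg.startswith("Silent: Delivered"):
            b["delivery"] = "silent"
    report = {}
    for b in batches.values():
        for msg_id, info in b["msgs"].items():
            info["delivery"] = b["delivery"]
            # Heuristic from the thread: a "silent" delivery with no quarantine
            # record is the case where the flagged attachment reached the recipient.
            info["attachment_likely_delivered"] = b["delivery"] == "silent" and not info["quarantined"]
            report[msg_id] = info
    return report
```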
