Email with virus getting through

Paul Welsh paul at welshfamily.com
Mon Oct 1 15:43:58 IST 2012


Hi all, I'm running MailScanner 4.84.5 with Clam and F-Prot on CentOS
6.3 with Exim 4.76, and an infected message is being delivered.  Here's
the maillog extract.  I've changed the recipient domain to
mydomain.com:

Oct  1 10:34:00 mail MailScanner[15454]: Infected message
1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
came from
Oct  1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from
83.149.158.186 (truismsjb95 at paypal.com) to mydomain.com is not spam,
SpamAssassin (score=2.798, required 6, autolearn=disabled,
DKIM_ADSP_ALL 1.10, HTML_MESSAGE 0.00, RCVD_IN_XBL 0.72, SPF_SOFTFAIL
0.97, UNPARSEABLE_RELAY 0.00)
Oct  1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message
1TIcNu-0004Ww-Ny from truismsjb95 at paypal.com to
postmaster at mydomain.com with subject  Your friend added a new photo
with you to the album

As you can see, it's identified as Infected but still delivered.

If I manually scan the message, I get this from f-prot:
# /opt/f-prot/fpscan Y*.eml
<snip>
[Found possible security risk] <W32/Heuristic-200!Eldorado (not
disinfectable)> 	Your friend added a new photo with you to the
album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
[Contains infected objects]	Your friend added a new photo with you to
the album.eml


I get this from clam:
# clamscan Y*.eml
Your friend added a new photo with you to the album.eml: OK

----------- SCAN SUMMARY -----------
Known viruses: 1314671
Engine version: 0.97.6
Scanned directories: 0
Scanned files: 1
Infected files: 0

In MailScanner.conf I have these set, but neither affects virus
checking, apparently:
Maximum Archive Depth = 0
Find Archives By Content = no

I also have:
Virus Scanning = yes
Virus Scanners = clamav f-prot-6
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Block Encrypted Messages = no
Allow Password-Protected Archives = no
Check Filenames In Password-Protected Archives = yes
Dangerous Content Scanning = yes
Allow Partial Messages = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = no

Any ideas?

For now, I have tried this.  Previously it was not set:
Archives: Deny Filenames = \.exe$
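The maillog extract above shows the failure mode worth alerting on: the same message ID appears in an "Infected message" line and then in a "Delivery of nonspam" line. The script below is an added example (not from the post or from MailScanner itself) that correlates those two line types over a constructed log sample, so an admin can check whether any infected message slipped through. The sample lines are modelled on the post's extract but written as single lines, as they appear in a real maillog; the second and third message IDs, sender addresses and IP are invented placeholders.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines, modelled on the extract in the post above.
# Real maillog entries are single lines; the post shows them wrapped by email.
# Message 1TIcTm-... (infected, not delivered) and 1TIcUa-... (clean, delivered)
# are invented to show that only the infected-AND-delivered case is flagged.
SAMPLE_LOG = """\
Oct  1 10:34:00 mail MailScanner[15454]: Infected message 1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe came from 83.149.158.186
Oct  1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from 83.149.158.186 (truismsjb95 at paypal.com) to mydomain.com is not spam, SpamAssassin (score=2.798, required 6)
Oct  1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message 1TIcNu-0004Ww-Ny from truismsjb95 at paypal.com to postmaster at mydomain.com with subject  Your friend added a new photo with you to the album
Oct  1 10:40:12 mail MailScanner[15454]: Infected message 1TIcTm-0004Xq-2a.message->invoice.zip->invoice.exe came from 198.51.100.7
Oct  1 10:40:13 mail MailScanner[15454]: Delivery of nonspam: message 1TIcUa-0004Yb-8c from alice at example.net to bob at mydomain.com with subject  Lunch
"""

# "Infected message <id>.message-><object path> came from ..."
INFECTED_RE = re.compile(
    r"MailScanner\[\d+\]: Infected message (\S+?)\.message->(.+?) came from")
# "Delivery of nonspam: message <id> from <sender> to <recipient> with subject ..."
DELIVERED_RE = re.compile(
    r"MailScanner\[\d+\]: Delivery of nonspam: message (\S+) from (.+?) to (.+?) with subject")


def delivered_despite_infection(log_text):
    """Return {message_id: {"objects": [...], "sender": ..., "recipient": ...}}
    for every message that MailScanner logged as infected AND later delivered."""
    infected = defaultdict(list)   # message id -> infected object paths
    delivered = {}                 # message id -> (sender, recipient)
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if m:
            infected[m.group(1)].append(m.group(2))
            continue
        m = DELIVERED_RE.search(line)
        if m:
            delivered[m.group(1)] = (m.group(2), m.group(3))
    return {mid: {"objects": objs,
                  "sender": delivered[mid][0],
                  "recipient": delivered[mid][1]}
            for mid, objs in infected.items() if mid in delivered}


if __name__ == "__main__":
    for mid, info in delivered_despite_infection(SAMPLE_LOG).items():
        print(f"LEAK {mid}: {info['sender']} -> {info['recipient']}")
        for obj in info["objects"]:
            print(f"    infected object: {obj}")
```

Run it against /var/log/maillog instead of SAMPLE_LOG to list every message that was flagged infected but still delivered; an empty result means the scanner verdicts and delivery decisions agree.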

