Email with virus getting through

Paul Welsh paul at welshfamily.com
Mon Oct 1 22:00:28 IST 2012


On 1 October 2012 17:31, Martin Hepworth <maxsec at gmail.com> wrote:
> the double attachment check should have blocked this - never mind the
> anti-virus products
>
> you sure you've not turned that off somehow in the filetypes rule?
> http://www.mailscanner.info/files/filename.rules.conf
>

Hi Martin

As I said previously, I changed this in MailScanner.conf in an attempt
to stop this:
Archives: Deny Filenames = \.exe$

This evening I then sent myself the infected message and got this:
Oct  1 20:29:56 mail MailScanner[6096]: New Batch: Scanning 2 messages, 70239 bytes
Oct  1 20:29:56 mail MailScanner[6096]: Virus and Content Scanning: Starting
Oct  1 20:30:00 mail MailScanner[6096]: [Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)> ./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
Oct  1 20:30:00 mail MailScanner[6096]: Virus Scanning: F-Prot6 found 2 infections
Oct  1 20:30:00 mail MailScanner[6096]: Infected message 1TIlgf-0002Ar-ST came from <snip>
Oct  1 20:30:00 mail MailScanner[6096]: Infected message 1TIlgf-0002Ar-ST.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe came from
Oct  1 20:30:00 mail MailScanner[6096]: Virus Scanning: Found 2 viruses
Oct  1 20:30:00 mail MailScanner[6096]: Viruses marked as silent: F-Prot6: [Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)> ./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe

Note that now f-prot classifies it as W32/Trojan3.EBT whereas
previously it was W32/Heuristic-200!Eldorado.

Likewise when I scan it manually:
# /opt/f-prot/fpscan Y*.eml
...
[Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)> 	Your friend added a new photo with you to the album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
[Contains infected objects]	Your friend added a new photo with you to the album.eml

So it has gone from being a "possible security risk" to a "trojan".
Clearly this is because f-prot was updated:
Oct  1 16:09:18 mail F-Prot-6 autoupdate[32668]: F-Prot-6 updated
Oct  1 19:09:17 mail F-Prot-6 autoupdate[6790]: F-Prot-6 updated

Clam still says it is fine, even though I have confirmed Clam is up to
date (and in fact has found several viruses recently):
# clamscan -V
ClamAV 0.97.6/15420/Mon Oct  1 12:57:26 2012

So, clearly f-prot's "possible security risk" isn't a sufficiently
severe classification to get MailScanner to delete it.

Just goes to show the importance of having > 1 virus scanner and some
extra filename/filetype rules.

I haven't changed filename.rules.conf for over a year:
# Allow repeated file extension, e.g. blah.zip.zip
allow   (\.[a-z0-9]{3})\1$      -       -

# Deny all other double file extensions. This catches any hidden filenames.
deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding

Regards

Paul
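As an added illustration (not code from the post or from MailScanner itself), the two filename rules quoted above and the "Archives: Deny Filenames" setting can be replayed against the attachment names from the log to see which layer should have caught the file. It assumes MailScanner's first-match-wins evaluation and case-insensitive matching, and that the rules apply to the innermost name of a nested "outer.zip->inner" path; those assumptions are noted in the code.

```python
import re

# The two rules quoted from filename.rules.conf, in file order (first match wins).
FILENAME_RULES = [
    ("allow", r"(\.[a-z0-9]{3})\1$", "repeated extension, e.g. blah.zip.zip"),
    ("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "Found possible filename hiding"),
]

# The setting added to MailScanner.conf in the post; applies to files inside archives.
ARCHIVE_DENY_FILENAMES = [r"\.exe$"]


def leaf_name(path: str) -> str:
    """MailScanner logs nested attachments as outer.zip->inner; rules are
    assumed to apply to the innermost name."""
    return path.split("->")[-1]


def check_filename(path: str, inside_archive: bool = False):
    """Return (verdict, reason) for one attachment name.

    Assumptions: regexes are matched case-insensitively, the first matching
    rule decides, and a name matching no rule is allowed.
    """
    name = leaf_name(path)
    if inside_archive:
        for pat in ARCHIVE_DENY_FILENAMES:
            if re.search(pat, name, re.IGNORECASE):
                return ("deny", f"Archives: Deny Filenames matched {pat}")
    for action, pat, reason in FILENAME_RULES:
        if re.search(pat, name, re.IGNORECASE):
            return (action, reason)
    return ("allow", "no rule matched")


def check_message(attachments):
    """Evaluate every (path, inside_archive) pair; the message is blocked if
    any attachment is denied. Returns (blocked, per-attachment results)."""
    results = {p: check_filename(p, inside) for p, inside in attachments}
    return any(v == "deny" for v, _ in results.values()), results


if __name__ == "__main__":
    # Constructed from the attachment names in the log above.
    sample = [
        ("FacebookPhoto_ID9506-2485.zip", False),
        ("FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe", True),
    ]
    blocked, results = check_message(sample)
    for path, (verdict, reason) in results.items():
        print(f"{verdict:5} {path}: {reason}")
    print("message blocked:", blocked)
```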

