Email with virus getting through

Glenn Steen glenn.steen at gmail.com
Fri Oct 5 16:33:29 IST 2012


Guess the fp6 wrapper and/or sweepviruses need some tender-love-and-care to
actually do the right thing on a heuristic match... Someone who has fp6
should look at it (iow, not me;-).

Cheers
-- 
-- Glenn
Den 1 okt 2012 23:24 skrev "Paul Welsh" <paul at welshfamily.com>:

> On 1 October 2012 17:31, Martin Hepworth <maxsec at gmail.com> wrote:
> > the double attachment check should have blocked this - never mind the
> > anti-virus products
> >
> > you sure you've not turned that off somehow in the filetypes rule?
> > http://www.mailscanner.info/files/filename.rules.conf
> >
>
> Hi Martin
>
> As I said previously, I changed this in MailScanner.conf in an attempt
> to stop this:
> Archives: Deny Filenames = \.exe$
>
> This evening I then sent myself the infected message and got this:
> Oct  1 20:29:56 mail MailScanner[6096]: New Batch: Scanning 2
> messages, 70239 bytes
> Oct  1 20:29:56 mail MailScanner[6096]: Virus and Content Scanning:
> Starting
> Oct  1 20:30:00 mail MailScanner[6096]: [Found trojan]
> <W32/Trojan3.EBT (exact, not disinfectable)>
>
> ./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> Oct  1 20:30:00 mail MailScanner[6096]: Virus Scanning: F-Prot6 found
> 2 infections
> Oct  1 20:30:00 mail MailScanner[6096]: Infected message
> 1TIlgf-0002Ar-ST came from <snip>
> Oct  1 20:30:00 mail MailScanner[6096]: Infected message
>
> 1TIlgf-0002Ar-ST.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> came from
> Oct  1 20:30:00 mail MailScanner[6096]: Virus Scanning: Found 2 viruses
> Oct  1 20:30:00 mail MailScanner[6096]: Viruses marked as silent:
> F-Prot6: [Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)>
>
> ./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
>
> Note that now f-prot classifies it as W32/Trojan3.EBT whereas
> previously it was W32/Heuristic-200!Eldorado.
>
> Likewise when I scan it manually:
> # /opt/f-prot/fpscan Y*.eml
> ...
> [Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)>     Your
> friend added a new photo with you to the
> album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> [Contains infected objects]     Your friend added a new photo with you to
> the album.eml
>
> So it has gone from being a "possible security risk" to a "trojan".
> Clearly this is because f-prot was updated:
> Oct  1 16:09:18 mail F-Prot-6 autoupdate[32668]: F-Prot-6 updated
> Oct  1 19:09:17 mail F-Prot-6 autoupdate[6790]: F-Prot-6 updated
>
> Clam still says it is fine, even though I have confirmed Clam is up to
> date (and in fact has found several viruses recently):
> # clamscan -V
> ClamAV 0.97.6/15420/Mon Oct  1 12:57:26 2012
>
> So, clearly f-prot's "possible security risk" isn't a sufficiently
> severe classification to get MailScanner to delete it.
>
> Just goes to show the importance of having > 1 virus scanner and some
> extra filename/filetype rules.
>
> I haven't changed filename.rules.conf for over a year:
> # Allow repeated file extension, e.g. blah.zip.zip
> allow   (\.[a-z0-9]{3})\1$      -       -
>
> # Deny all other double file extensions. This catches any hidden filenames.
> deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding
>
> Regards
>
> Paul
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
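Added example, not code from the thread or from MailScanner itself: it replays the two filename.rules.conf rules Paul quotes, plus the `\.exe$` deny he set for archive contents, against the nested attachment path from his log, to show that the `.pdf.exe` inside the zip is caught by the filename rules regardless of which AV engine flags it. Rule order, first-match-wins and case-insensitive matching are assumptions about MailScanner's evaluation, not verified against its source.

```python
import re

# Constructed rule set in the shape of filename.rules.conf:
# (action, regex, log text, user report). The first two rules are the ones
# quoted in the thread; the \.exe$ rule mirrors the "Archives: Deny
# Filenames" setting; the last line is a catch-all allow.
RULES = [
    ("allow", r"(\.[a-z0-9]{3})\1$", "-", "-"),
    ("deny",  r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
     "Found possible filename hiding", "Filename hiding"),
    ("deny",  r"\.exe$", "Executable attachment", "Executable"),
    ("allow", r".*", "-", "-"),
]


def check_filename(name, rules=RULES):
    """Return (action, log_text) for one attachment name.

    Rules are tried top to bottom and the first match wins (assumed
    MailScanner semantics); matching is case-insensitive (assumption).
    """
    for action, pattern, log_text, _report in rules:
        if re.search(pattern, name, re.IGNORECASE):
            return action, log_text
    return "allow", "-"  # unreachable with the catch-all rule in place


def check_attachment_chain(chain, rules=RULES):
    """Check every member of a nested attachment path written the way
    MailScanner logs it ('outer.zip->inner.pdf.exe'). The whole chain is
    denied if any member is denied, so an archive cannot launder a
    double-extension executable past the filename rules."""
    verdicts = [(m,) + check_filename(m, rules) for m in chain.split("->")]
    denied = any(action == "deny" for _, action, _ in verdicts)
    return ("deny" if denied else "allow"), verdicts


if __name__ == "__main__":
    # Constructed sample: the attachment chain from Paul's log line.
    sample = "FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe"
    verdict, details = check_attachment_chain(sample)
    for member, action, log_text in details:
        print(f"{action:5} {member:40} {log_text}")
    print("chain verdict:", verdict)
```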