Re: Deep test virus scan rule that doesn't work
Shawn Iverson
shawniverson at summitgrid.com
Wed Jan 13 03:40:43 UTC 2021
This is working, and here's the explanation...
I built a virus scanning ruleset as you described. This result
happened, which is normal. Messages are always virus scanned as a
batch. Even though the virus is found, it is not counted against the
message and the message is sent anyway and marked as clean in MailWatch.
In fact, in this case Google sees the EICAR test and rejects the message.
Jan 12 22:30:43 smtp MailScanner[226819]: Virus and Content Scanning: Starting
Jan 12 22:30:43 smtp MailScanner[226819]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtJ14q8Fz7g2sY/
Jan 12 22:30:43 smtp MailScanner[226819]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtJ14q8Fz7g2sY/msg-226819-3.txt
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Clamd found 2 infections
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Found 2 viruses
Jan 12 22:30:43 smtp MailScanner[226819]: Spam Checks: Starting
Jan 12 22:30:43 smtp MailScanner[226819]: Requeue: 4DFtJ14q8Fz7g2sY to 4DFtJ34gZPz0c34
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: connect from localhost[127.0.0.1]
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: 4DFtJ34h5tz7g2sY: client=localhost[127.0.0.1]
Jan 12 22:30:43 smtp opendmarc[6361]: ignoring connection from localhost
Jan 12 22:30:43 smtp postfix/cleanup[226982]: 4DFtJ34h5tz7g2sY: message-id=<09fca5f0-f6d3-be52-55e0-97ba9bfa67a3 at summitgrid.com>
Jan 12 22:30:43 smtp opendkim[6362]: 4DFtJ34h5tz7g2sY: DKIM-Signature field added (s=default, d=summitgrid.com)
Jan 12 22:30:43 smtp postfix/qmgr[2173]: 4DFtJ34h5tz7g2sY: from=<shawniverson at summitgrid.com>, size=2427, nrcpt=1 (queue active)
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: disconnect from localhost[127.0.0.1]
Jan 12 22:30:43 smtp MailScanner[226819]: Uninfected: Delivered 1 messages
Jan 12 22:30:43 smtp MailScanner[226819]: Deleted 1 messages from processing-database
Jan 12 22:30:43 smtp MailScanner[226819]: MailWatch: Logging message 4DFtJ14q8Fz7g2sY to SQL
Jan 12 22:30:44 smtp postfix/smtp[226998]: 4DFtJ34h5tz7g2sY: to=<shawniverson at gmail.com>, relay=gmail-smtp-in.l.google.com[172.253.119.26]:25, delay=0.92, delays=0.06/0/0.43/0.44, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[172.253.119.26] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. x13si356045iov.16 - gsmtp (in reply to end of DATA command))
When I remove the ruleset and scan everything, this happens. You can see
it still finds the infection, but this time the message is marked as
infected and the message is not sent.
Jan 12 22:34:40 smtp MailScanner[227999]: New Batch: Scanning 1 messages, 2015 bytes
Jan 12 22:34:40 smtp MailScanner[227999]: Virus and Content Scanning: Starting
Jan 12 22:34:40 smtp MailScanner[227999]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtNZ31Mwz7g2sY/
Jan 12 22:34:40 smtp MailScanner[227999]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtNZ31Mwz7g2sY/msg-227999-1.txt
Jan 12 22:34:40 smtp MailScanner[227999]: Virus Scanning: Clamd found 2 infections
Jan 12 22:34:40 smtp MailScanner[227999]: Infected message 4DFtNZ31Mwz7g2sY came from 198.100.154.215
Jan 12 22:34:40 smtp MailScanner[227999]: Virus Scanning: Found 2 viruses
Jan 12 22:34:40 smtp MailScanner[227999]: Viruses marked as silent: Clamd: message was infected: {HEX}EICAR.TEST.3.UNOFFICIAL, Clamd: msg-227999-1.txt was infected: {HEX}EICAR.TEST.3.UNOFFICIAL
Jan 12 22:34:40 smtp MailScanner[227999]: Saved entire message to /var/spool/MailScanner/quarantine/20210112/4DFtNZ31Mwz7g2sY
Jan 12 22:34:40 smtp MailScanner[227999]: Saved infected "msg-227999-1.txt" to /var/spool/MailScanner/quarantine/20210112/4DFtNZ31Mwz7g2sY
On 1/12/21 12:15 PM, Shawn Iverson via MailScanner wrote:
>
> I'll run a test this evening on my instance and see if there is
> something up with the codebase...
>
> On 1/12/21 4:59 AM, Nicola Piazzi via MailScanner wrote:
>>
>> Valentin, I tried everything, but it is the same.
>>
>> *Nicola Piazzi*
>> Information Systems
>> COMET s.p.a.
>> Via Michelino, 105 - 40127 Bologna – Italy
>> Tel. +39 051.6079.293
>> Cell. +39 347.5027273
>> www.comet.it <http://www.comet.it>
>> www.gruppocomet.it <http://www.gruppocomet.it>
>>
>> *From:* MailScanner
>> <mailscanner-bounces+nicola.piazzi=gruppocomet.it at lists.mailscanner.info> *On behalf of* Valentin Laskov
>> *Sent:* Tuesday, 12 January 2021 10:26
>> *To:* mailscanner at lists.mailscanner.info
>> *Subject:* Re: Deep test virus scan rule that doesn't work
>> *Priority:* Low
>>
>> On 12.01.2021 at 10:54, Nicola Piazzi via MailScanner wrote:
>>
>>> FromOrTo: Default No
>>
>> Are the fields separated by Tab? Or space?
>>
>> Must be tab separated.
>>
>> Regards!
>> Valentin
>>
>> --
>> Regards!
>> Valentin Laskov
>> System Administrator
>> "Феста Холдинг" АД
>> 48 "Vl. Varnenchik" Blvd.
>> 9000 Varna
>> tel.: +359 52 669137
>> GSM: +359 888 669137
>> Fax: +359 52 669110
>>
>
>
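The two log excerpts in Shawn's message can be checked mechanically rather than by eye. What follows is an added example, not code from the post above or from the MailScanner project: it parses the MailScanner lines posted above (copied here as the sample input, with the postfix/opendkim/opendmarc lines left out) and flags every queue ID for which a scanner logged an INFECTED result inside that message's work directory but which was then requeued to the MTA rather than saved to quarantine. It assumes the log layout visible in the post: the work directory is named after the queue ID, the per-message evidence of delivery is the `Requeue: <old> to <new>` line (`Uninfected: Delivered N messages` is only a batch total), and quarantining is evidenced by `Saved entire message to .../<queueid>`. Other MailScanner versions may word these lines differently, so the regular expressions are an assumption to verify against your own maillog.

```python
"""Spot infected messages that MailScanner handed back to the MTA instead of
quarantining.  Added example; not code from the post above or from MailScanner."""
import re
from collections import defaultdict

# Sample input: the MailScanner lines from the two test runs in the post above,
# unwrapped, with the postfix/opendkim/opendmarc lines left out.
SAMPLE_LOG = """\
Jan 12 22:30:43 smtp MailScanner[226819]: Virus and Content Scanning: Starting
Jan 12 22:30:43 smtp MailScanner[226819]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtJ14q8Fz7g2sY/
Jan 12 22:30:43 smtp MailScanner[226819]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtJ14q8Fz7g2sY/msg-226819-3.txt
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Clamd found 2 infections
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Found 2 viruses
Jan 12 22:30:43 smtp MailScanner[226819]: Spam Checks: Starting
Jan 12 22:30:43 smtp MailScanner[226819]: Requeue: 4DFtJ14q8Fz7g2sY to 4DFtJ34gZPz0c34
Jan 12 22:30:43 smtp MailScanner[226819]: Uninfected: Delivered 1 messages
Jan 12 22:34:40 smtp MailScanner[227999]: New Batch: Scanning 1 messages, 2015 bytes
Jan 12 22:34:40 smtp MailScanner[227999]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtNZ31Mwz7g2sY/
Jan 12 22:34:40 smtp MailScanner[227999]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtNZ31Mwz7g2sY/msg-227999-1.txt
Jan 12 22:34:40 smtp MailScanner[227999]: Infected message 4DFtNZ31Mwz7g2sY came from 198.100.154.215
Jan 12 22:34:40 smtp MailScanner[227999]: Saved entire message to /var/spool/MailScanner/quarantine/20210112/4DFtNZ31Mwz7g2sY
"""

# Patterns assumed from the lines in the post; other MailScanner versions may
# word these differently.  The scanner's work directory is named after the
# queue ID, so "./<queueid>/..." ties a detection to one message.
INFECTED_RE = re.compile(
    r"MailScanner\[\d+\]: (?P<scanner>\w+)::INFECTED::(?P<sig>\S+) :: \./(?P<msgid>[^/\s]+)/"
)
# "Requeue: <old> to <new>" is the per-message evidence that the message went
# back to the MTA; "Uninfected: Delivered N messages" is only a batch total.
REQUEUE_RE = re.compile(r"MailScanner\[\d+\]: Requeue: (?P<msgid>\S+) to (?P<newid>\S+)")
QUARANTINE_RE = re.compile(
    r"MailScanner\[\d+\]: Saved entire message to \S*/(?P<msgid>[^/\s]+)\s*$"
)


def analyse(log_text):
    """Return infected, quarantined and leaked queue IDs found in log_text."""
    infected = defaultdict(set)   # queue ID -> signature names reported
    requeued = {}                 # queue ID -> new queue ID given by the MTA
    quarantined = set()
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if m:
            infected[m["msgid"]].add(m["sig"])
            continue
        m = REQUEUE_RE.search(line)
        if m:
            requeued[m["msgid"]] = m["newid"]
            continue
        m = QUARANTINE_RE.search(line)
        if m:
            quarantined.add(m["msgid"])
    # A message has "leaked" when a detection was logged against its work
    # directory, it was never saved to quarantine, and it was requeued.
    # Messages with a detection but no Requeue line are not flagged: there is
    # no delivery evidence yet (batch still running, or log truncated).
    leaked = {
        msgid: {"signatures": sorted(sigs), "requeued_as": requeued[msgid]}
        for msgid, sigs in infected.items()
        if msgid in requeued and msgid not in quarantined
    }
    return {
        "infected": {k: sorted(v) for k, v in infected.items()},
        "quarantined": sorted(quarantined),
        "leaked": leaked,
    }


def report(result):
    """Human-readable lines for an analyse() result."""
    lines = []
    for msgid, info in result["leaked"].items():
        lines.append(
            f"LEAKED {msgid}: {', '.join(info['signatures'])} "
            f"detected but requeued as {info['requeued_as']}"
        )
    for msgid in result["quarantined"]:
        sigs = ", ".join(result["infected"].get(msgid, []))
        lines.append(f"quarantined {msgid}: {sigs}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyse(SAMPLE_LOG))))
```

On the sample above this reports 4DFtJ14q8Fz7g2sY (the ruleset run) as leaked and 4DFtNZ31Mwz7g2sY (the scan-everything run) as quarantined. To test a real ruleset change, send an EICAR message through and run `analyse()` over your own maillog; a non-empty `leaked` dict means the infection was detected but the message still went out, exactly the situation Shawn's first excerpt shows. Note that the leaked case in the post was only stopped because Gmail rejected the content at DATA; a recipient MTA that does not scan would have accepted it.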