<p>Guess the fp6 wrapper and/or sweepviruses need some tender-love-and-care to actually do the right thing on a heuristic match... Someone who has fp6 should look at it (iow, not me;-).</p>
<p>Cheers<br>
-- <br>
-- Glenn</p>
<div class="gmail_quote">On 1 Oct 2012 23:24, "Paul Welsh" <<a href="mailto:paul@welshfamily.com">paul@welshfamily.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 1 October 2012 17:31, Martin Hepworth <<a href="mailto:maxsec@gmail.com">maxsec@gmail.com</a>> wrote:<br>
> the double attachment check should have blocked this - never mind the<br>
> anti-virus products<br>
><br>
> you sure you've not turned that off somehow in the filetypes rule?<br>
> <a href="http://www.mailscanner.info/files/filename.rules.conf" target="_blank">http://www.mailscanner.info/files/filename.rules.conf</a><br>
><br>
<br>
Hi Martin<br>
<br>
As I said previously, I changed this in MailScanner.conf in an attempt<br>
to stop this:<br>
Archives: Deny Filenames = \.exe$<br>
<br>
This evening I then sent myself the infected message and got this:<br>
Oct 1 20:29:56 mail MailScanner[6096]: New Batch: Scanning 2<br>
messages, 70239 bytes<br>
Oct 1 20:29:56 mail MailScanner[6096]: Virus and Content Scanning: Starting<br>
Oct 1 20:30:00 mail MailScanner[6096]: [Found trojan]<br>
<W32/Trojan3.EBT (exact, not disinfectable)><br>
./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe<br>
Oct 1 20:30:00 mail MailScanner[6096]: Virus Scanning: F-Prot6 found<br>
2 infections<br>
Oct 1 20:30:00 mail MailScanner[6096]: Infected message<br>
1TIlgf-0002Ar-ST came from <snip><br>
Oct 1 20:30:00 mail MailScanner[6096]: Infected message<br>
1TIlgf-0002Ar-ST.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe<br>
came from<br>
Oct 1 20:30:00 mail MailScanner[6096]: Virus Scanning: Found 2 viruses<br>
Oct 1 20:30:00 mail MailScanner[6096]: Viruses marked as silent:<br>
F-Prot6: [Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)><br>
./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe<br>
<br>
Note that now f-prot classifies it as W32/Trojan3.EBT whereas<br>
previously it was W32/Heuristic-200!Eldorado.<br>
<br>
Likewise when I scan it manually:<br>
# /opt/f-prot/fpscan Y*.eml<br>
...<br>
[Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)> Your<br>
friend added a new photo with you to the<br>
album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe<br>
[Contains infected objects] Your friend added a new photo with you to<br>
the album.eml<br>
<br>
So it has gone from being a "possible security risk" to a "trojan".<br>
Clearly this is because f-prot was updated:<br>
Oct 1 16:09:18 mail F-Prot-6 autoupdate[32668]: F-Prot-6 updated<br>
Oct 1 19:09:17 mail F-Prot-6 autoupdate[6790]: F-Prot-6 updated<br>
<br>
Clam still says it is fine, even though I have confirmed Clam is up to<br>
date (and in fact has found several viruses recently):<br>
# clamscan -V<br>
ClamAV 0.97.6/15420/Mon Oct 1 12:57:26 2012<br>
<br>
So, clearly f-prot's "possible security risk" isn't a sufficiently<br>
severe enough classification to get MailScanner to delete it.<br>
<br>
Just goes to show the importance of having > 1 virus scanner and some<br>
extra filename/filetype rules.<br>
<br>
I haven't changed filename.rules.conf for over a year:<br>
# Allow repeated file extension, e.g. blah.zip.zip<br>
allow (\.[a-z0-9]{3})\1$ - -<br>
<br>
# Deny all other double file extensions. This catches any hidden filenames.<br>
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding<br>
<br>
Regards<br>
<br>
Paul<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
</blockquote></div>
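<p>The two filename.rules.conf rules and the archive deny pattern quoted in Paul's message, evaluated against the attachment path from his log, as an added example that is not part of the thread or of MailScanner's own code. It assumes first-match-wins ordering, case-insensitive matching, and that every member of a <code>zip-&gt;member</code> path is checked separately; the deny rule's fourth field is not visible in the post, so a placeholder is used.</p>

```python
import re

# Rules copied from the filename.rules.conf quoted above (tab-separated fields:
# action, regex, log text, user report); the deny rule's fourth field is not
# visible in the post, so a placeholder is used.
FILENAME_RULES = (
    "# Allow repeated file extension, e.g. blah.zip.zip\n"
    "allow\t(\\.[a-z0-9]{3})\\1$\t-\t-\n"
    "# Deny all other double file extensions. This catches any hidden filenames.\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding"
    "\t(placeholder user report)\n"
)
ARCHIVE_DENY = [r"\.exe$"]  # the "Archives: Deny Filenames" pattern from the post

def parse_rules(text):
    """Parse filename.rules.conf lines into (action, compiled regex, log text)."""
    rules = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fields = re.split(r"\t+", s)
        logtext = fields[2] if len(fields) > 2 else ""
        # Assumption: MailScanner matches filenames case-insensitively.
        rules.append((fields[0].lower(), re.compile(fields[1], re.IGNORECASE), logtext))
    return rules

def check_name(name, rules):
    """Assumption: rules are tried in file order, first match wins, no match allows."""
    for action, regex, logtext in rules:
        if regex.search(name):
            return action, logtext
    return "allow", "no rule matched"

def check_path(path, rules, archive_deny=ARCHIVE_DENY):
    """Check each member of a log path like 'photo.zip->invoice.pdf.exe';
    members inside an archive are also tested against the archive deny list.
    Returns (verdict, offending or full name, reason)."""
    for depth, member in enumerate(path.split("->")):
        action, why = check_name(member, rules)
        if action == "deny":
            return "deny", member, why
        if depth > 0 and any(re.search(p, member, re.I) for p in archive_deny):
            return "deny", member, "Archives: Deny Filenames"
    return "allow", path, ""

RULES = parse_rules(FILENAME_RULES)
# Constructed from the attachment path in the log above:
print(check_path("FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe", RULES))
# → ('deny', 'PayPal_Payment_Received.pdf.exe', 'Found possible filename hiding')
```

<p>Because the "repeated extension" allow rule precedes the deny rule, a name such as <code>setup.exe.exe</code> passes the filename rules and is only caught by the archive pattern, which is worth keeping in mind when reviewing rule order.</p>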