On Mon, Oct 04, 2004 at 07:28:18PM +0200, Björn Scorey wrote:
> However when I run antivir on the infected file (attachment) by itself, it recognizes the virus. The same occurred with f-prot (however I got some minor errors while installing f-prot). When I run either anti-virus scanner on my mailbox (mbox), none of them manage to see the virus.
>
> Anyone have an idea what's wrong?
Detection of malware in MIME-formatted messages is still a problem today. If you just want to find out if your scanners are working, you should put the email with the eicar attachment in a separate mbox file with no other emails. This should increase the chances that your scanners don't give up on the mbox structures.

Just to give you an example:

mic:~> grep '^From: ' Mail/infected | wc -l
159

This mbox file is a collection of infected emails I received in the wild. All attachments in these emails are properly detected if scanned as separate files. Mails with obviously broken MIME format were filtered out before (although I didn't check every mail for absolutely correct MIME format).

mic:~> /usr/local/f-prot/f-prot -ai -archive -collect -dumb -packed Mail/infected
Virus scanning report - 4 October 2004 @ 21:48

F-PROT ANTIVIRUS
Program version: 4.4.4
Engine version: 3.14.11

VIRUS SIGNATURE FILES
SIGN.DEF created 28 September 2004
SIGN2.DEF created 28 September 2004
MACRO.DEF created 27 September 2004

Search: Mail/infected
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -COLLECT -SERVER -AI

/local/data/mic/Mail/infected->all_pictures.pif  Infection: W32/Netsky.AB@mm (exact)
/local/data/mic/Mail/infected->your_picture01.pif  Infection: W32/Netsky.AB@mm (exact)
/local/data/mic/Mail/infected->document05.scr  Infection: W32/Netsky.P@mm (exact)
/local/data/mic/Mail/infected->abuses.pif  Infection: W32/Netsky.AB@mm (exact)
/local/data/mic/Mail/infected->document.zip  Infection: W32/Netsky.P@mm (exact)
/local/data/mic/Mail/infected->party.zip->party.txt.pif  Infection: W32/Netsky.B@mm (exact)
/local/data/mic/Mail/infected->details_lists.pif  Infection: W32/Netsky.P@mm (exact)
/local/data/mic/Mail/infected->jokes.exe  Infection: W32/Netsky.B@mm (exact)

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 11
Infected: 8
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:14
-------------------- end of f-prot output -----------------------

So only a small percentage of the infected mails were detected. Other AV products behave better, but no product I tested so far detected all infections in bigger mbox files.

-- 
Michel Messerschmidt  lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg
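The workaround the reply describes (one message per mbox, attachments scanned as separate files) can be automated. The script below is an added example, not code from either poster or from any scanner vendor: it builds a small constructed two-message mbox, writes each message out as its own single-message mbox, and drops every MIME attachment into a directory that a scanner can then be pointed at. The sample payload is a harmless constructed byte string, and the scanner invocation itself is assumed to be run separately over the output directory. Attachment filenames taken from `Content-Disposition` are sanitised before use, since a message can carry `../` or other path components there.

```python
"""Split an mbox into single-message mboxes and loose attachment files so an
AV scanner can scan each piece on its own. Added example; the scanner is
assumed to be run afterwards over the output directory."""
import hashlib
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage

# Constructed, harmless payload standing in for a real sample.
SAMPLE_PAYLOAD = b"constructed test attachment"

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def safe_name(name: str) -> str:
    """Never trust a MIME filename: drop path components and odd characters."""
    base = os.path.basename(name.replace("\\", "/")) or "unnamed"
    return _UNSAFE.sub("_", base)


def build_sample_mbox(path: str) -> None:
    """Write a constructed two-message mbox: one plain mail, one with an attachment."""
    box = mailbox.mbox(path)
    try:
        plain = EmailMessage()
        plain["From"] = "alice@example.test"
        plain["To"] = "bob@example.test"
        plain["Subject"] = "no attachment"
        plain.set_content("just text")
        box.add(plain.as_bytes())

        with_att = EmailMessage()
        with_att["From"] = "mallory@example.test"
        with_att["To"] = "bob@example.test"
        with_att["Subject"] = "see attached"
        with_att.set_content("please open")
        # Filename deliberately carries path components to exercise safe_name().
        with_att.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                                subtype="octet-stream",
                                filename="../../party.txt.pif")
        box.add(with_att.as_bytes())
        box.flush()
    finally:
        box.close()


def explode_mbox(mbox_path: str, out_dir: str) -> dict:
    """Write every message as its own mbox and every attachment as a file.

    Returns {"messages": count, "attachments": [(msg_index, filename, sha256)]}.
    """
    os.makedirs(out_dir, exist_ok=True)
    attachments = []
    count = 0
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for i, msg in enumerate(box):
            count += 1
            # One-message mbox, as the reply recommends for testing a scanner.
            single = mailbox.mbox(os.path.join(out_dir, f"msg{i:04d}.mbox"))
            single.add(msg)
            single.close()  # close() flushes the new mbox to disk
            for part in msg.walk():
                if part.get_content_maintype() == "multipart":
                    continue
                fname = part.get_filename()
                if fname is None:
                    continue  # inline body part, not an attachment
                data = part.get_payload(decode=True) or b""
                rel = f"msg{i:04d}_{safe_name(fname)}"
                with open(os.path.join(out_dir, rel), "wb") as fh:
                    fh.write(data)
                attachments.append((i, rel, sha256_hex(data)))
    finally:
        box.close()
    return {"messages": count, "attachments": attachments}


def demo() -> dict:
    """Build the constructed mbox in a temp dir and explode it."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "infected.mbox")
    build_sample_mbox(src)
    return explode_mbox(src, os.path.join(tmp, "scan_me"))


if __name__ == "__main__":
    result = demo()
    print(f"{result['messages']} messages split")
    for i, rel, digest in result["attachments"]:
        print(f"message {i}: {rel} sha256={digest}")
```

Pointing a scanner at the output directory tests the engine's detection of the attachment bytes in isolation; comparing that result with a scan of the original mbox tells you whether a miss is a signature problem or, as in the report above, a MIME/mbox parsing problem.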