[suse-security] Anti-Virus Problem
Hi Everyone!

I am running Suse 9.0 and I have installed
qmail (netqmail Ver. 1.05)
amavis (amavis-new Ver. 20030616p5-23)
antivir (Ver 2.08-16)

Antivir seems to be an evaluation version (the one that came with Suse 9.0).

I downloaded the EICAR E-Mail Test Virus, but when I send either an infected attachment or simply copy the virus string into the mail, the antivirus doesn't recognize the virus and the mail passes normally.

However, when I run antivir on the infected file (attachment) by itself, it recognizes the virus. The same occurred with f-prot (however I got some minor errors while installing f-prot). When I run either anti-virus scanner on my mailbox (mbox), none of them manage to see the virus.

Does anyone have an idea what's wrong?

Regards,
Björn
On Monday 04 October 2004 19:28, Björn Scorey wrote:
> Hi Everyone!
> I am running Suse 9.0 and I have installed
> qmail (netqmail Ver. 1.05) amavis (amavis-new Ver. 20030616p5-23) antivir (Ver 2.08-16)
> Antivir seems to be an evaluation version. (The one that came with Suse 9.0)
> I downloaded the EICAR E-Mail Test Virus but when I send either an infected attachment or simply copy the virus string into the mail, the antivirus doesn't recognize the virus, and the mail passes normally.
> However when I run antivir on the infected file (attachment) by itself, it recognizes the virus. The same occurred with f-prot (however I got some minor errors while installing f-prot). When I run either anti-virus scanner on my mailbox (mbox), none of them manage to see the virus.
> Does anyone have an idea what's wrong?
> Regards, Björn
I don't know how patched or unpatched the netqmail version is, but you need the qmailqueue.patch applied to qmail and then install qmail-scanner so the mail is first scanned and then passed to smtpd. You might also consider patching qmailqueue with the qms-analog patch to activate reporting functions.

After installing qmailscanner, you'll have to tell qmail to use the qmailscanner by editing /var/qmail/supervise/qmail-smtpd/run and adding this to the SMTP "run" script right under the first line (#!/bin/sh):

QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
export QMAILQUEUE

and change the softlimit to 40000000.

For more info check the manuals for antivir and amavis on how to integrate them with qmail.

Josephine
On Mon, Oct 04, 2004 at 07:28:18PM +0200, Björn Scorey wrote:
> However when I run antivir on the infected file (attachment) by itself, it recognizes the virus. The same occurred with f-prot (however I got some minor errors while installing f-prot). When I run either anti-virus scanner on my mailbox (mbox), none of them manage to see the virus.
> Does anyone have an idea what's wrong?
Detection of malware in MIME-formatted messages is still a problem today. If you just want to find out if your scanners are working, you should put the email with the eicar attachment in a separate mbox file with no other emails. This should increase the chances that your scanners don't give up on the mbox structures.

Just to give you an example:

mic:~> grep '^From: ' Mail/infected | wc -l
159

This mbox file is a collection of infected emails I received in-the-wild. All attachments in these emails are properly detected if scanned as separate files. Mails with obviously broken MIME format were filtered out before (although I didn't check every mail for absolutely correct MIME format).

mic:~> /usr/local/f-prot/f-prot -ai -archive -collect -dumb -packed Mail/infected

Virus scanning report - 4 October 2004 @ 21:48

F-PROT ANTIVIRUS
Program version: 4.4.4
Engine version: 3.14.11

VIRUS SIGNATURE FILES
SIGN.DEF created 28 September 2004
SIGN2.DEF created 28 September 2004
MACRO.DEF created 27 September 2004

Search: Mail/infected
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -COLLECT -SERVER -AI

/local/data/mic/Mail/infected->all_pictures.pif  Infection: W32/Netsky.AB@mm (exact)
/local/data/mic/Mail/infected->your_picture01.pif  Infection: W32/Netsky.AB@mm (exact)
/local/data/mic/Mail/infected->document05.scr  Infection: W32/Netsky.P@mm (exact)
/local/data/mic/Mail/infected->abuses.pif  Infection: W32/Netsky.AB@mm (exact)
/local/data/mic/Mail/infected->document.zip  Infection: W32/Netsky.P@mm (exact)
/local/data/mic/Mail/infected->party.zip->party.txt.pif  Infection: W32/Netsky.B@mm (exact)
/local/data/mic/Mail/infected->details_lists.pif  Infection: W32/Netsky.P@mm (exact)
/local/data/mic/Mail/infected->jokes.exe  Infection: W32/Netsky.B@mm (exact)

Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 11
Infected: 8
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:14
-------------------- end of f-prot output -----------------------

So only a small percentage of the infected mails were detected. Other AV products behave better, but no product I tested so far detected all infections in bigger mbox files.

--
Michel Messerschmidt
lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg
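Michel's advice above is to hand the scanner one message at a time instead of a whole mbox. As an added example (not code from anyone in this thread), the following Python splits an mbox into one .eml file per message and one file per MIME attachment, so each piece can be scanned on its own; the two-message mbox and the attachment body are constructed here (deliberately not the EICAR string), and running antivir or f-prot over the output directory afterwards is assumed to be the reader's step.

```python
import email, mailbox, os, re, tempfile
from email import policy
from email.message import EmailMessage

SAMPLE_PAYLOAD = b"constructed sample, not EICAR\n"  # stand-in attachment body

def build_sample_mbox(path):
    """Write a constructed two-message mbox: one plain mail, one with an attachment."""
    plain, with_att = EmailMessage(), EmailMessage()
    for m, subject in ((plain, "plain"), (with_att, "attached")):
        m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", subject
        m.set_content(f"mail '{subject}'\n")
    with_att.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                            subtype="octet-stream", filename="sample.bin")
    box = mailbox.mbox(path)
    box.add(plain)
    box.add(with_att)
    box.close()  # flushes both messages to disk

def safe_name(name, fallback):
    """Reduce a MIME filename to a plain basename so it cannot escape out_dir."""
    base = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(name or ""))
    return base or fallback

def explode_mbox(mbox_path, out_dir):
    """Write each message as its own .eml and each attachment as its own file."""
    os.makedirs(out_dir, exist_ok=True)
    box, written = mailbox.mbox(mbox_path), []
    for n, key in enumerate(box.keys()):
        raw = box.get_bytes(key)  # one message, "From " separator line stripped
        written.append(f"msg{n:04d}.eml")
        with open(os.path.join(out_dir, written[-1]), "wb") as fh:
            fh.write(raw)
        msg = email.message_from_bytes(raw, policy=policy.default)
        for i, part in enumerate(msg.iter_attachments()):
            data = part.get_payload(decode=True)  # base64/QP undone; None for nested message
            name = f"msg{n:04d}_att{i}_{safe_name(part.get_filename(), 'noname')}"
            with open(os.path.join(out_dir, name), "wb") as fh:
                fh.write(data if data is not None else part.as_bytes())
            written.append(name)
    box.close()
    return written  # feed these to the scanner one by one

def run_demo():
    """Build the constructed mbox in a temp dir and explode it; returns (names, payload_ok)."""
    work = tempfile.mkdtemp(prefix="mbox_demo_")
    build_sample_mbox(os.path.join(work, "sample.mbox"))
    files = explode_mbox(os.path.join(work, "sample.mbox"), os.path.join(work, "out"))
    with open(os.path.join(work, "out", files[-1]), "rb") as fh:
        return files, fh.read() == SAMPLE_PAYLOAD
```

Point antivir or f-prot at the output directory and compare the per-file verdicts with what the same scanner reports on the original mbox; a difference shows the scanner gave up on the mbox structure rather than on the attachment itself.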
Björn Scorey wrote:
> Hi Everyone!
> I am running Suse 9.0 and I have installed
> qmail (netqmail Ver. 1.05) amavis (amavis-new Ver. 20030616p5-23) antivir (Ver 2.08-16)
> Antivir seems to be an evaluation version. (The one that came with Suse 9.0)
> I downloaded the EICAR E-Mail Test Virus but when I send either an infected attachment or simply copy the virus string into the mail, the antivirus doesn't recognize the virus, and the mail passes normally.
> However when I run antivir on the infected file (attachment) by itself, it recognizes the virus. The same occurred with f-prot (however I got some minor errors while installing f-prot). When I run either anti-virus scanner on my mailbox (mbox), none of them manage to see the virus.
> Does anyone have an idea what's wrong?
> Regards, Björn
Sounds like you may not have the virus scanner set up correctly. I've used Vexira and it works perfectly! Each AV vendor has a different way of scanning for viruses on emails....

--
Outgoing mail is certified Virus Free.
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.271 / Virus Database: 264.9.9 - Release Date: 10/1/2004
On Monday 04 October 2004 10:28 am, Björn Scorey wrote:
> Hi Everyone!
> I am running Suse 9.0 and I have installed
> qmail (netqmail Ver. 1.05) amavis (amavis-new Ver. 20030616p5-23) antivir (Ver 2.08-16)
> Antivir seems to be an evaluation version. (The one that came with Suse 9.0)
You might check /etc/amavisd.conf and make sure that the setup in there for Antivir is correct. I had to tweak it for both clamav and f-prot to get them working (wrong paths and in one case a wrong socket name).

Scott

--
POPFile, the OpenSource EMail Classifier
http://popfile.sourceforge.net/
Linux 2.6.5-7.108-default x86_64
participants (5)
- Björn Scorey
- Josephine
- Michel Messerschmidt
- Oskar Teran
- Scott Leighton