Re: amavisd-new result is clean but clamav manual scan result is infected


McDonald, Dan

Nov 18, 2011, 11:15:47 AM



On 11/18/11 1:10 AM, "Kenneth Oncinian" <kenneth....@ph.panasonic.com>
wrote:

> How is it possible that amavisd-new is resulting "clean" while manual
> scan of CLAMAV is resulting "infected"?


Do you have @keep_decoded_original_maps set up to scan the whole message?

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));



--
Daniel J McDonald, CCIE # 2495, CISSP # 78281

Mark Martinec

Nov 18, 2011, 8:31:23 PM
Kenneth,

> The e-mail has an attachment
> "Delivery_Notification_DHL_EXPRESS-9493SND21ZJJA8I24.zip"
>
> I upload the attachment to clamav.net, and it was already detected as
> Email.Trojan-268. So I thought my CLAMAV pattern is not updated, but it
> was. And actually, scanning the file manually yields infected virus result:
>
> #clamdscan DHL\ Express\ Notification\ for\ shipment\ \
> 84302695681014952HG5V.eml
> /tmp/DHL Express Notification for shipment 84302695681014952HG5V.eml:
> Email.Trojan-268 FOUND
>
> I have tried this several times and still, amavisd-new's result is CLEAN
> while manual scan says infected. In fact the trendmicro engine I am
> using side-by-side with amavisd just recently been updated and it's
> detecting the virus as TSPY_ZBOT.HNF, and finally amavisd-new is
> catching this as infected but only by the trendmicro scanner.
>
> Here is the debug output: http://pastebin.com/f8DSt4qD
>
> How is it possible that amavisd-new is resulting "clean" while manual
> scan of CLAMAV is resulting "infected"?

Thanks for the debug. I don't see anything obviously wrong there.

The second part (after the first empty text/plain part) is
unusual:

> p002 1/2 Content-Type: message/rfc822, size: 262932 B, name:
> DHL Express Notification for shipment 84302695681014952HG5V.eml

> result line from file(1): p002: smtp mail text\n

Namely, both the MIME type, as well as the file(1) utility
claim that the part is an attached e-mail message (message/rfc822),
despite you saying that it was supposed to be a zip.


Dan wrote:
> Do you have @keep_decoded_original_maps set up to scan the whole message?
> @keep_decoded_original_maps = (new_RE(
> qr'^MAIL$', # retain full original message for virus checking

Yes he does, as seen from the log:

(32557-02) lookup_re("MAIL") matches key "(?-xism:^MAIL$)", result="1"
(32557-02) lookup [keep_decoded_original] => true, "MAIL" matches,
result="1", matching_key="(?-xism:^MAIL$)"
(32557-02) Issued a new file name: p005
(32557-02) presenting full original message to scanners as
/var/lib/amavis/tmp/amavis-20111118T143926-32557/parts/p005

So regardless of potential problems in mis-decoding, at least
the full message should have been passed to clamd and detected.

Perhaps the log shows your later test where you attached the
sample message wrapped as a message/rfc822 attachment, instead of
re-sending the original message.

Mark

Kenneth Oncinian

Nov 20, 2011, 7:44:09 PM

> So regardless of potential problems in mis-decoding, at least the
> full message should have been passed to clamd and detected.
>
> Perhaps the log shows your later test where you attached the sample
> message wrapped as a message/rfc822 attachment, instead of
> re-sending the original message.
>
> Mark

Hi Mark,

Good morning.
Yes, you are correct, it was the later test that I have conducted,
sorry about that. Also, this is maybe the reason why amavisd-new is
passing it as clean. CLAMAV does not detect the attachment as
infected, but only if it was scanned as a full *.eml file. Here are
the results of CLAMAV scanning the *.eml against the scanning of the
attachment only.

# clamdscan DHL\ Express\ Notification\ for\ shipment\ \
84302695681014952HG5V.eml
/tmp/DHL Express Notification for shipment 84302695681014952HG5V.eml:
Email.Trojan-268 FOUND

# clamdscan Delivery_Notification_DHL_EXPRESS-9493SND21ZJJA8I24.zip
/tmp/Delivery_Notification_DHL_EXPRESS-9493SND21ZJJA8I24.zip: OK

# clamdscan Delivery_Notification_DHL_EXPRESS.exe
/tmp/Delivery_Notification_DHL_EXPRESS.exe: OK

However, since I was passing the full message to amavisd-new
(qr'^MAIL$',), still ClamAV did not scan it as a *.eml file?


thanks so much,
Kenneth


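To make the comparison Kenneth is doing reproducible, here is an added example (not code from this thread, from amavisd-new or from ClamAV) that rebuilds the part list amavisd-new logs for a message (p001, p002, ...) and collects every blob the virus scanner is handed, including the full original message when @keep_decoded_original_maps matches ^MAIL$. Each blob carries its sha256, so the file you scan by hand can be matched to the exact blob amavisd presented. The sample message is constructed (a harmless placeholder zip, no malware), and the part numbering rule is an assumption inferred from the log lines in the thread, not amavisd's documented behaviour.

```python
"""Added example, not code from this thread, amavisd-new or ClamAV: rebuild
the part list amavisd-new logs (p001, p002, ...) and collect every blob the
virus scanner is handed, including the full original message when
@keep_decoded_original_maps matches ^MAIL$, so the same set can be scanned
by hand and compared with amavisd's verdict. Assumed, since the thread's
log only shows the pattern: parts are numbered depth-first over every
non-multipart part, a message/rfc822 part gets its own number before its
children, and the retained full message (key MAIL) comes last."""
import email
import hashlib
import io
import re
import tempfile
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

KEEP_DECODED_ORIGINAL_MAPS = [re.compile(r"^MAIL$")]  # mirrors qr'^MAIL$'


def build_sample_message() -> bytes:
    """Constructed stand-in for the forwarded test: a short text part plus a
    message/rfc822 attachment whose inner message carries a zip holding a
    harmless placeholder .exe. Nothing in it is malware."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Delivery_Notification_DHL_EXPRESS.exe",
                    b"placeholder bytes, not an executable\n")
    inner = EmailMessage()
    inner["From"] = "noreply@example.invalid"
    inner["Subject"] = "DHL Express Notification for shipment (constructed)"
    inner.set_content("Please see the attached delivery notification.")
    inner.add_attachment(zip_buf.getvalue(), maintype="application",
                         subtype="zip",
                         filename="Delivery_Notification_DHL_EXPRESS.zip")
    outer = EmailMessage()
    outer["From"] = "sender@example.invalid"
    outer["Subject"] = "Fwd: sample for testing"
    outer.set_content("Forwarding the sample as an attachment.")
    outer.add_attachment(inner,
                         filename="DHL Express Notification for shipment.eml")
    return outer.as_bytes()


def _entry(name, ctype, filename, data: bytes) -> dict:
    return {"name": name, "type": ctype, "filename": filename,
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "data": data}


def decompose(raw: bytes) -> list:
    """One entry per non-multipart part, depth-first, with the decoded bytes
    a scanner would see for that part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            # The attached message is one part (the whole .eml); the walk
            # then continues into it, numbering its children after it.
            data = part.get_payload(0).as_bytes()
        else:
            data = part.get_payload(decode=True) or b""
        parts.append(_entry(f"p{len(parts) + 1:03d}", ctype,
                            part.get_filename(), data))
    return parts


def scanner_inputs(raw: bytes, keep_maps=KEEP_DECODED_ORIGINAL_MAPS) -> list:
    """Decoded parts plus, when a keep_decoded_original map matches the key
    MAIL, the unmodified original message as the last blob (the log's p005)."""
    inputs = decompose(raw)
    if any(rx.search("MAIL") for rx in keep_maps):
        inputs.append(_entry(f"p{len(inputs) + 1:03d}", "MAIL", None, raw))
    return inputs


def write_inputs(inputs: list, directory) -> list:
    """Write each blob under `directory` so the set can be scanned by hand
    (clamdscan <directory>) and matched to amavisd's verdict by sha256."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for item in inputs:
        (out / item["name"]).write_bytes(item["data"])
        written.append(str(out / item["name"]))
    return written


if __name__ == "__main__":
    items = scanner_inputs(build_sample_message())
    for it in items:
        print(it["name"], it["type"], it["size"], it["sha256"][:16], it["filename"])
    print("written:", write_inputs(items, tempfile.mkdtemp(prefix="amavis-parts-")))
```

Run it once on the message that was actually delivered and once on the forwarded test (pass the saved .eml bytes to scanner_inputs instead of the sample). In the forwarded test the original message is only p002, an attachment, while the MAIL blob (p005) is the wrapping message; comparing the sha256 of each written blob with the file you fed to clamdscan shows which of those two the manual "FOUND" verdict applies to.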