From: Mark M. <Mar...@ij...> - 2004-04-16 16:35:36

Jason,

| After reading up on testvirus.org, I decided to give it a shot on my
| OpenBSD postfix + amavisd-new (20030616-p8) + clamav (0.67-1) server.
| Tests #5, 12, 19, 20, 21, 23, 24 and 25 all made it through. Right now
| I'm investigating #5 (binhex) and #12 (password-protected zip) tests.
|
| After researching the mailing lists, I'm still at a loss. For the
| binhex, I updated my Convert::UUlib as suggested to 1.01, but it's
| still getting through. For the password zips, I confirmed that my
| UNDECIPHERABLE qr is uncommented. Any ideas?

The #5 is unusual in that it expects the decoder to find a BinHex
embedded within a plain text. It wouldn't be incorrect if Convert::UUlib
would miss it. Luckily it has some heuristics built in, so at least in
most versions it is able to detect and decode it.

If I remember correctly, the uulib V0.5pl19 broke the handling of BinHex.
Either uulib V0.5pl18 or the uulib that comes with Convert::UUlib 1.01
(it is V0.5pl19, but patched) handles BinHex correctly.

Bring up the amavisd logging level (log level 4 is sufficient).
Here are the important log entries when test mail #5 is being checked:

  Extracting mime components
  mime_decode: Content-type: text/plain, name:
  Checking for banned MIME types and names
  decode_parts: level=1, #parts=1 : part-00001
  File-type of part-00001: ASCII English text; (.asc)
  Checking for banned (contents-based) file types, 1 parts
  do_ascii: Decoding part part-00001 (1 items)
  do_ascii(0): state=0x10, enc=binhex, est.size=-1, name=eicar.com
  decompose_part: part-00001 - source retained
  decode_parts: level=2, #parts=1 : part-00002
  File-type of part-00002: ASCII text, with CRLF line terminators; (.asc)
  Checking for banned (contents-based) file types, 1 parts
  do_ascii: Decoding part part-00002 (0 items)
  decompose_part: part-00002 - atomic

This one is crucial:

  do_ascii(0): state=0x10, enc=binhex, est.size=-1, name=eicar.com

If your Convert::UUlib can't recognize BinHex in part-00001, you will
have to play some more with this module and especially with the
underlying uulib library. You may also try the command line utility
uudeview, that comes with uulib.

Now to test #12. Observe the following log entries:

  Extracting mime components
  mime_decode: Content-type: multipart/mixed
  mime_decode: Content-type: text/plain, name:
  mime_decode: Content-type: application/x-zip-compressed, name: eicar.zip
  Checking for banned MIME types and names
  decode_parts: level=1, #parts=2 : part-00001, part-00002
  File-type of part-00001: ASCII English text; (.asc)
  File-type of part-00002: Zip archive data, at least v2.0 to extract; (.zip)
  Checking for banned (contents-based) file types, 2 parts
  do_ascii: Decoding part part-00001 (0 items)
  decompose_part: part-00001 - atomic
  Unzipping part-00002
  do_unzip: part-00002, 1 members encrypted, archive retained
  decompose_part: part-00002 - source retained
  decode_parts: undecipherable 1
  prolong_timer after decoding: remaining time = 300 s
  Banned UNDECIPHERABLE (patt: (?i-xsm:^UNDECIPHERABLE$))
  providing full original message to scanners, 1

These three are crucial:

  do_unzip: part-00002, 1 members encrypted, archive retained
  decode_parts: undecipherable 1
  Banned UNDECIPHERABLE (patt: (?i-xsm:^UNDECIPHERABLE$))

Perhaps you have $final_bad_header_destiny=D_PASS ?

  Mark
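A small checker for the log-level-4 entries Mark calls "crucial", added here as an example rather than anything from the thread or from amavisd-new itself; it runs over constructed copies of the quoted log lines (plus a constructed variant of test #5 in which uulib misses the embedded BinHex), and the names `check_decoding`, `binhex_detected` and `password_zip_flagged` are this example's own.

```python
import re

# Log-level-4 amavisd-new entries the thread singles out as "crucial".
DO_ASCII_RE = re.compile(r"do_ascii\(\d+\): state=(?P<state>0x[0-9a-fA-F]+), "
                         r"enc=(?P<enc>\w+), est\.size=-?\d+, name=(?P<name>\S*)")
DO_UNZIP_RE = re.compile(r"do_unzip: part-\d+, (?P<n>\d+) members encrypted")
UNDECIPHERABLE_RE = re.compile(r"decode_parts: undecipherable (?P<n>\d+)")
BANNED_RE = re.compile(r"Banned UNDECIPHERABLE")

def check_decoding(log_lines):
    """Scan amavisd log lines and report which decoding milestones appeared."""
    result = {
        "binhex_parts": [],              # part names Convert::UUlib decoded as BinHex
        "encrypted_members": 0,          # archive members do_unzip could not open
        "undecipherable": 0,             # count reported by decode_parts
        "banned_undecipherable": False,  # the UNDECIPHERABLE banned rule fired
    }
    for line in log_lines:
        if (m := DO_ASCII_RE.search(line)) and m.group("enc") == "binhex":
            result["binhex_parts"].append(m.group("name"))
        if m := DO_UNZIP_RE.search(line):
            result["encrypted_members"] += int(m.group("n"))
        if m := UNDECIPHERABLE_RE.search(line):
            result["undecipherable"] += int(m.group("n"))
        if BANNED_RE.search(line):
            result["banned_undecipherable"] = True
    return result

def binhex_detected(log_lines):
    # Test #5 only reaches the scanner if some part was decoded as BinHex.
    return bool(check_decoding(log_lines)["binhex_parts"])

def password_zip_flagged(log_lines):
    # Test #12 is only caught when all three crucial entries are present.
    r = check_decoding(log_lines)
    return r["encrypted_members"] > 0 and r["undecipherable"] > 0 and r["banned_undecipherable"]

# Constructed samples: the entries quoted in the thread, plus (TEST5_MISSED) what a
# uulib that does not recognise the embedded BinHex would log instead.
TEST5_OK = ["do_ascii: Decoding part part-00001 (1 items)",
            "do_ascii(0): state=0x10, enc=binhex, est.size=-1, name=eicar.com",
            "decompose_part: part-00001 - source retained"]
TEST5_MISSED = ["do_ascii: Decoding part part-00001 (0 items)",
                "decompose_part: part-00001 - atomic"]
TEST12_OK = ["do_unzip: part-00002, 1 members encrypted, archive retained",
             "decode_parts: undecipherable 1",
             "Banned UNDECIPHERABLE (patt: (?i-xsm:^UNDECIPHERABLE$))"]
```

Feed it the relevant section of a real amavisd log (one entry per line) to see at a glance which of the crucial entries is missing on a given host.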