Re: [Qmail-scanner-general]qmail-scanner skip virus
AV/content filter for Qmail
From: Michele C. <mi...@pr...> - 2004-02-19 16:25:14
This is the log when I send a mail with a virus. The file of the virus is thank_you.pif and ravlin found it, but the mail is not blocked.

Thu, 19 Feb 2004 10:50:32 +0100:29731: +++ starting debugging for process 29731 by uid=1002 at Thu, 19 Feb 2004 10:50:32 +0100
Thu, 19 Feb 2004 10:50:32 +0100:29731: setting UID to EUID so subprocesses can access files generated by this script
Thu, 19 Feb 2004 10:50:32 +0100:29731: program name is qmail-scanner-queue.pl.t, version 1.20
Thu, 19 Feb 2004 10:50:32 +0100:29731: incoming SMTP connection from via SMTP from 194.243.125.8
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: mkdir /var/spool/qmailscan/tmp/mail2107718423246129731
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/mail2107718423246129731 [1077184232.18224]
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: primary Content-Type of multipart/mixed found
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: found a top-level boundary definition of \-\-\-\-\-\-\-\-\-\-\-\-060701000306030801020402
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: attachment 1: Content-Type of text/plain found
Thu, 19 Feb 2004 10:50:32 +0100:29731: found C-T attachment filename thank_you.pif
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: attachment 2: Content-Type of application/octet-stream found
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: looks like a Windows executable, filename=thank_you.pif,type=application/octet-stream
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: rename new msg from /var/spool/qmailscan/working/tmp/mail2107718423246129731 to /var/spool/qmailscan/working/new/mail2107718423246129731 [1077184232.2573]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: starting /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/mail2107718423246129731/ </var/spool/qmailscan/working/new/mail2107718423246129731 [1077184232.25759]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: finished /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/mail2107718423246129731/ [1077184232.27084]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: Checking all attachments to see if they're MS-TNEF
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: is /var/spool/qmailscan/tmp/mail2107718423246129731/thank_you.pif is a TNEF file?: 256 [1077184232.27359]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: is /var/spool/qmailscan/tmp/mail2107718423246129731/1077184232.29733-0.mail2 is a TNEF file?: 256 [1077184232.27632]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: unpacking message took 0.018916 seconds
Thu, 19 Feb 2004 10:50:32 +0100:29731: unsetting QMAILQUEUE env var
Thu, 19 Feb 2004 10:50:32 +0100:29731: g_e_h: return-path is "mi...@pr...", recips is "mi...@pr..."
Thu, 19 Feb 2004 10:50:32 +0100:29731: from=Michele Cerioni <mi...@pr...>,subj=virusse, x-qmail-scanner-message-id=<403...@pr...> via SMTP from 194.243.125.8
Thu, 19 Feb 2004 10:50:32 +0100:29731: ini_sc: start scanning
Thu, 19 Feb 2004 10:50:32 +0100:29731: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/mail2107718423246129731/
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/mail2107718423246129731"...
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: scanner=ravlin_scanner,plain_text_msg=0
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: starting scan of directory "/var/spool/qmailscan/tmp/mail2107718423246129731"...
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: /usr/local/rav8/bin/ravav --listall --mail --archive --heuristics=on --all /var/spool/qmailscan/tmp/mail2107718423246129731 2>&1
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: RAV AntiVirus command line for Linux i686.
Version: 8.3.1.
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
Searching for the engine in '/usr/local/rav8'...
Running in evaluation mode. 16 days left!
Scan engine 8.11 for i386.
Last update: Mon Sep 1 14:58:36 2003
Scanning for 81707 malwares (viruses, trojans and worms).

*** Since the number of existing viruses grow radically, it is recommended ***
*** to update your product to keep good detection/cleaning capabilities. ***
*** So check out http://www.ravantivirus.com for updates! ***

Scanning with following configuration:
* checking all files!
* checking inside archive files!
* also checking mail files!
* heuristic scanning is activated!
* integrity check is enabled!
* don't use report file!

/var/spool/qmailscan/tmp/mail2107718423246129731/thank_you.pif , exit status 0
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: finished scan of dir "/var/spool/qmailscan/tmp/mail2107718423246129731" in 0.236643 secs
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: scanner=spamassassin,plain_text_msg=0
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: finished scan of "/var/spool/qmailscan/tmp/mail2107718423246129731"...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: starting scan of directory "/var/spool/qmailscan/tmp/mail2107718423246129731"...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love Letter Virus/Trojan'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing subject: ILOVEYOU
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '82:message/partial.*' = 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing content-type: message/partial.*
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '85:.{100,}' = 'Virus-date' = 'MIME Header Buffer Overflow'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing date: .{100,}
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '86:.{100,}' = 'Virus-mime-version' = 'MIME Header Buffer Overflow '
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing mime-version: .{100,}
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '87:.{100,}' = 'Virus-resent-date' = 'MIME Header Buffer Overflow'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing resent-date: .{100,}
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '90:ZVD...@ya...|udt...@ya...|DTC...@ya...|I1M...@ya...|WPA...@ya...|sm...@eu...|bg...@ca...|mu...@fa...|ec...@ba...|S_M...@ma...|YJP...@ex...|JG...@ex...|XH...@ex...|OZU...@ex...|ts...@ex...|cx...@kr...|ss...@my...' = 'Virus-to' = 'BadTrans Trojan exploit!'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing to: ZVD...@ya...|udt...@ya...|DTC...@ya...|I1M...@ya...|WPA...@ya...|sm...@eu...|bg...@ca...|mu...@fa...|ec...@ba...|S_M...@ma...|YJP...@ex...|JG...@ex...|XH...@ex...|OZU...@ex...|ts...@ex...|cx...@kr...|ss...@my...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a size!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a size!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: 'zipped_files.exe' = '120495' = 'W32/ExploreZip.worm.pak virus'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a size!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking thank_you.pif against perlscanner database...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: file thank_you.pif is lowercased to thank_you.pif and has extension .pif
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: compare thank_you.pif (size 75554,100498) against perlscanner database
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: skipping auto-generated file 1077184232.29733-0.mail2
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking thank_you.pif against perlscanner database...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: file thank_you.pif is lowercased to thank_you.pif and has extension .pif
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: compare thank_you.pif (size 75554,100498) against perlscanner database
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: finished scan of dir "/var/spool/qmailscan/tmp/mail2107718423246129731" in 0.002443 secs
Thu, 19 Feb 2004 10:50:32 +0100:29731: ini_sc: scanning message took 0.239428 seconds
Thu, 19 Feb 2004 10:50:32 +0100:29731: q_r: fork off child into /var/qmail/bin/qmail-queue...
Thu, 19 Feb 2004 10:50:32 +0100:29738: q_r: xstatus=0
Thu, 19 Feb 2004 10:50:32 +0100:29731: cleanup: archiving into /var/spool/qmailscan/archives/new/
19/02/2004 10:50:35:29731: all finished. Total of 3.581528 secs
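To triage a debug trace like the one above without reading it line by line, here is an added example (not part of qmail-scanner or the original post) that parses the "date:pid: component: message" line format quoted there and reports the attachments flagged as Windows executables, the exit status each scanner returned, and whether the message was handed to qmail-queue. The sample lines are a constructed excerpt of the log above, and the warning rules are the example's own.

```python
import re

# Constructed excerpt in the shape of the qmail-scanner debug trace quoted above.
SAMPLE_LOG = """\
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: looks like a Windows executable, filename=thank_you.pif,type=application/octet-stream
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: scanner=ravlin_scanner,plain_text_msg=0
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: RAV AntiVirus command line for Linux i686.
Running in evaluation mode. 16 days left!
Last update: Mon Sep 1 14:58:36 2003
/var/spool/qmailscan/tmp/mail2107718423246129731/thank_you.pif , exit status 0
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: scanner=spamassassin,plain_text_msg=0
Thu, 19 Feb 2004 10:50:32 +0100:29731: q_r: fork off child into /var/qmail/bin/qmail-queue...
Thu, 19 Feb 2004 10:50:32 +0100:29738: q_r: xstatus=0
"""

# "Thu, 19 Feb 2004 10:50:32 +0100:29731: <msg>"; raw scanner output carries no prefix.
PREFIX_RE = re.compile(r"^\w{3}, \d{1,2} \w{3} \d{4} [\d:]{8} [+-]\d{4}:(?P<pid>\d+): (?P<msg>.*)$")
EXEC_RE = re.compile(r"w_c: looks like a Windows executable, filename=(?P<name>[^,]+)")
SCANNER_RE = re.compile(r"scanloop: scanner=(?P<name>\w+)")
EXIT_RE = re.compile(r", exit status (?P<code>\d+)$")
UPDATE_RE = re.compile(r"^Last update: (?P<date>.+)$")

def triage(log_text):
    """Summarise one trace: flagged executables, per-scanner exit status, delivery."""
    report = {"executables": [], "scanner_exit": {}, "queued": False,
              "eval_mode": False, "sig_update": None, "warnings": []}
    current = None  # scanner whose unprefixed output we are currently inside
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw)
        msg = m.group("msg") if m else raw
        if (e := EXEC_RE.search(msg)):
            report["executables"].append(e.group("name"))
        elif (s := SCANNER_RE.search(msg)):
            current = s.group("name")
        elif "fork off child into /var/qmail/bin/qmail-queue" in msg:
            report["queued"] = True  # message left the scanner for the qmail queue
        elif (x := EXIT_RE.search(msg)) and current:
            report["scanner_exit"][current] = int(x.group("code"))
        elif msg.startswith("Running in evaluation mode"):
            report["eval_mode"] = True
        elif (u := UPDATE_RE.match(msg)):
            report["sig_update"] = u.group("date")
    # Example's own rules: an executable attachment that was queued while no
    # scanner reported a nonzero exit status is the case worth a human look.
    if report["executables"] and report["queued"] and not any(report["scanner_exit"].values()):
        report["warnings"].append("executable attachment queued; no scanner returned a nonzero exit status")
    if report["eval_mode"]:
        report["warnings"].append("scanner running in evaluation mode")
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```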