Are these viruses in ZIP files? If so, the zip may be password protected. If so,
update your quar-attachments.db with the file name like so:
Wendy.zip       0       Mimail.M
Tabs, not spaces. This will block any file named wendy.zip (by the by, this
is the new Mimail.M). Then run 'qmail-sscanner.pl -g'.

-----Original Message-----
From: McKeever Chris [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 05, 2003 1:13 PM
To: [EMAIL PROTECTED]; Jason Haar
Subject: Re: [Qmail-scanner-general]missing occasional virus - log results


LOG RESULTS below

thanks for your help!


On Thu, 04 Dec 2003 09:52 , Jason Haar <[EMAIL PROTECTED]> sent:

>On Thu, 2003-12-04 at 04:03, McKeever Chris wrote:
>> I am running qmail-scanner with clamav (0.65)
>> I have one machine that acts as a gateway, and then sends it to the main
>> email server.
>> The gateway is the one with qmailscanner and clamav, the email server's
>> post-MTA (@mail) has a plugin for clamav which scans the file before
>> databasing it.
>> 
>> I have noticed since 11/4/03 that there are about 2-4 emails per day that
>> get by the gateway and are picked up by the @mail-clamav scan.
>> Any suggestions? They are typically Exploit.IFrame.Gen and 1
>> W32/Yaha.g.dam
>> 
>
>Are you running clamscan or clamdscan? (i.e. the daemon version). I bet
>it's the latter.
>
>Do you have the qmail-queue.log debug file that contains evidence of
>such a "missed" message? If not, turn it on and don't stop logging until
>you catch another such occurrence. Then you can search that file looking
>for the particular message that "slipped through". At that stage you may
>see why it failed. I'd suspect a bug whereby clamd failed to scan the
>message for some transitory reason, but still exited with a zero error
>status - so Qmail-Scanner can only assume it's OK and carried on.
>
>Let us know what you find.
>

Here is the log of the missed virus; clamscan seems to be returning nothing.
Any ideas?


Fri, 05 Dec 2003 05:25:51 -0600:4197: from="Net Delivery Service" <[EMAIL PROTECTED]>,subj=Letter, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> (added by [EMAIL PROTECTED]) via SMTP from 212.216.176.223
Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: start scanning
Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/prupref-mailgate10706235514614197/
Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: scanner=clamscan_scanner,plain_text_msg=0
Fri, 05 Dec 2003 05:25:51 -0600:4197: clamscan: starting scan of directory "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
Fri, 05 Dec 2003 05:25:51 -0600:4197: run /usr/local/bin/clamscan -r --disable-summary --max-recursion=10 --max-space=1000000  /var/spool/qmailscan/tmp/prupref-mailgate10706235514614197 2>&1
Fri, 05 Dec 2003 05:25:51 -0600:4197: --output of clamscan was:
--
Fri, 05 Dec 2003 05:25:51 -0600:4197: clamscan: finished scan of dir "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197" in 0.707525 secs
Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: finished scan of "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: starting scan of directory "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.chm' = '0' = 'CHM files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.exe' = '0' = 'EXE files need to be zipped for delivery'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.hlp' = '0' = 'HLP files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.hta' = '0' = 'HTA files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.lnk' = '0' = 'LNK files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.mp3' = '0' = 'MP3 files need to be zipped for delivery'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.mpg' = '0' = 'MPG files need to be zipped for delivery'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.pif' = '0' = 'PIF files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.reg' = '0' = 'REG files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.scr' = '0' = 'SCR files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.shs' = '0' = 'SHS files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.vbe' = '0' = 'VBE files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.vbs' = '0' = 'VBS files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.wsf' = '0' = 'WSF files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.wsh' = '0' = 'WSH files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.xla' = '0' = 'XLA files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '81:ILOVEYOU' = 'Virus-subject' = 'Love Letter Virus/Trojan'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing subject: ILOVEYOU
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '82:message/partial' = 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing content-type: message/partial
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '83:[EMAIL PROTECTED]' = 'Virus-MAILFROM' = 'unknown user - mail has been deferred'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing MAILFROM: [EMAIL PROTECTED]
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '86:.{100,}' = 'Virus-date' = 'MIME Header Buffer Overflow'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing date: .{100,}
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '87:.{100,}' = 'Virus-mime-version' = 'MIME Header Buffer Overflow '
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing mime-version: .{100,}
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '88:.{100,}' = 'Virus-resent-date' = 'MIME Header Buffer Overflow'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing resent-date: .{100,}
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '91:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]com|[EMAIL PROTECTED]|[EMAIL PROTECTED]port.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|S_Mentis@mail-x-change.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]xcite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing to: [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]change.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]xcite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]net|[EMAIL PROTECTED]
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  'eicar.com' = '69' = 'EICAR Test Virus'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  'happy99.exe' = '10000' = 'Happy99 Trojan'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  'zipped_files.exe' = '120495' = 'W32/ExploreZip.worm.pak virus'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: skipping auto-generated file 1070623553.4199-0.prupref-mailgate
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking hranc.bat against perlscanner database...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file hranc.bat is lowercased to hranc.bat and has extension .bat
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare hranc.bat (size 106496,239549) against perlscanner database
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking dd89999fbfa39541 against perlscanner database...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file dd89999fbfa39541 is lowercased to dd89999fbfa39541 and has extension
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare dd89999fbfa39541 (size 4096,303407) against perlscanner database
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking hranc.bat against perlscanner database...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file hranc.bat is lowercased to hranc.bat and has extension .bat
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare hranc.bat (size 106496,239549) against perlscanner database
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  finished scan of dir "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197" in 0.015334 secs
Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: scanning message took 0.724035 seconds
Fri, 05 Dec 2003 05:25:51 -0600:4197: q_r: fork off child into /var/qmail/bin/qmail-queue-bin...
Fri, 05 Dec 2003 05:25:51 -0600:4203: q_r: xstatus=0
Fri, 05 Dec 2003 05:25:51 -0600:4197: cleanup: /bin/rm -rf /var/spool/qmailscan/tmp/prupref-mailgate10706235514614197/ /var/spool/qmailscan/working/new/prupref-mailgate10706235514614197
05/12/2003 05:25:54:4197: all finished. Total of 2.198306 secs
Fri, 05 Dec 2003 05:25:55 -0600:4208: +++ starting debugging for process 4208 by uid=502 at Fri, 05 Dec 2003 05:25:55 -0600
Fri, 05 Dec 2003 05:25:55 -0600:4208: setting UID to EUID so subprocesses can access files generated by this script
Fri, 05 Dec 2003 05:25:55 -0600:4208: program name is qmail-queue, version 1.20
Fri, 05 Dec 2003 05:25:55 -0600:4208: incoming SMTP connection from via SMTP from 66.28.114.190
Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: mkdir /var/spool/qmailscan/tmp/prupref-mailgate10706235554614208
Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/prupref-mailgate10706235554614208 [1070623555.64228]
Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: primary Content-Type of text/plain found
Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: rename new msg from /var/spool/qmailscan/working/tmp/prupref-mailgate10706235554614208 to /var/spool/qmailscan/working/new/prupref-mailgate10706235554614208 [1070623555.64666]
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: starting /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/ </var/spool/qmailscan/working/new/prupref-mailgate10706235554614208 [1070623555.64737]
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: finished /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/ [1070623555.66339]
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: Checking all attachments to see if they're MS-TNEF
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: is /var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/1070623555.4210-0.prupref-mailgate is a TNEF file?: 256 [1070623555.66951]
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: unpacking message took 0.022649 seconds
Fri, 05 Dec 2003 05:25:55 -0600:4208: unsetting QMAILQUEUE env var


Then notice that the second scanner found it; you can see the
notification message come back through the gateway (these are all the
same log files):

Fri, 05 Dec 2003 05:25:55 -0600:4208: from=<[EMAIL PROTECTED]>,subj=Virus Exploit.IFrame.Gen detected in mail, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 66.28.114.190
Fri, 05 Dec 2003 05:25:55 -0600:4208: This is a PLAIN text message (because it's either not mime, or is text/plain), skip virus scanners - but not SA
Fri, 05 Dec 2003 05:25:55 -0600:4208: ini_sc: start scanning
Fri, 05 Dec 2003 05:25:55 -0600:4208: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/
Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208"...
Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: scanner=clamscan_scanner,plain_text_msg=1
Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: finished scan of "/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208"...

-------------------------------------------
Chris McKeever
If you want to reply directly to me, please use
cgmckeever--at--prupref---dot---com
http://www.prupref.com


---- Prudential Preferred Properties   www.prupref.com  



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
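An added example, not part of the thread and not qmail-scanner's own code, that automates the check Jason suggests: walk the qmail-scanner debug log, and flag every message for which the AV scanner ran over a directory that the perlscanner pass shows contains real attachments, yet printed nothing at all. That is exactly the shape of the pid 4197 record above, where clamscan's captured output is empty although hranc.bat was present. The sample log is constructed (trimmed from the posted record, with placeholder addresses, plus two invented records for contrast), the parser assumes the qmail-scanner 1.20 line layout shown in the thread with one log record per line (the posted copy was re-wrapped by the mailer), and it assumes the captured scanner output runs from the "--output of X was:" line to a line consisting only of "--".

```python
import re
from dataclasses import dataclass, field

# Constructed sample log. pid 4197 mirrors the posted record (clamscan printed
# nothing for a directory that perlscanner shows contains hranc.bat); pids 4208
# (plain-text message, scanners skipped) and 4300 (healthy scan) are invented
# for contrast. Addresses, hostnames and paths are placeholders.
SAMPLE_LOG = """\
Fri, 05 Dec 2003 05:25:51 -0600:4197: from="Net Delivery Service" <nds@example.invalid>,subj=Letter, x-qmail-scanner-message-id=<a@gw.example.invalid> via SMTP from 212.216.176.223
Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: scanner=clamscan_scanner,plain_text_msg=0
Fri, 05 Dec 2003 05:25:51 -0600:4197: run /usr/local/bin/clamscan -r --disable-summary /var/spool/qmailscan/tmp/gw10706235514614197 2>&1
Fri, 05 Dec 2003 05:25:51 -0600:4197: --output of clamscan was:
--
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file hranc.bat is lowercased to hranc.bat and has extension .bat
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file hranc.bat is lowercased to hranc.bat and has extension .bat
Fri, 05 Dec 2003 05:25:51 -0600:4203: q_r: xstatus=0
Fri, 05 Dec 2003 05:25:55 -0600:4208: from=<a@example.invalid>,subj=Virus Exploit.IFrame.Gen detected in mail via SMTP from 66.28.114.190
Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: scanner=clamscan_scanner,plain_text_msg=1
Fri, 05 Dec 2003 05:26:10 -0600:4300: from=<b@example.invalid>,subj=report via SMTP from 192.0.2.10
Fri, 05 Dec 2003 05:26:10 -0600:4300: scanloop: scanner=clamscan_scanner,plain_text_msg=0
Fri, 05 Dec 2003 05:26:10 -0600:4300: --output of clamscan was:
/var/spool/qmailscan/tmp/gw1070623570004300/report.doc: OK
--
Fri, 05 Dec 2003 05:26:10 -0600:4300: p_s: file report.doc is lowercased to report.doc and has extension .doc
"""

# "Fri, 05 Dec 2003 05:25:51 -0600:4197: <message>"; the pid after the zone
# ties every line to one message. The "all finished" line uses another date
# format and is deliberately not matched.
LINE_RE = re.compile(
    r'^\w{3}, \d\d \w{3} \d{4} \d\d:\d\d:\d\d [-+]\d{4}:(\d+): (.*)$')
FROM_RE = re.compile(r'^from=(.*?),subj=(.*?)(?:,| via SMTP|$)')  # subject cut at first comma
IP_RE = re.compile(r'via SMTP from (\S+)')
SCANLOOP_RE = re.compile(r'^scanloop: scanner=(\S+?),plain_text_msg=(\d)$')
OUTPUT_RE = re.compile(r'^--output of (\S+) was:$')
ATTACH_RE = re.compile(r'^p_s: file (\S+) is lowercased to \S+ and has extension')


@dataclass
class ScanRecord:
    pid: str
    sender: str = ""
    subject: str = ""
    source_ip: str = ""
    scanner: str = ""
    plain_text: bool = False
    scanner_output: list = field(default_factory=list)
    attachments: list = field(default_factory=list)


def parse_debug_log(text):
    """Group debug-log lines by pid into ScanRecord objects."""
    records = {}
    capturing = None  # pid whose scanner output we are currently inside
    for raw in text.splitlines():
        if capturing is not None:
            if raw == "--":  # assumed terminator of the captured scanner output
                capturing = None
            else:
                records[capturing].scanner_output.append(raw)
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.groups()
        rec = records.setdefault(pid, ScanRecord(pid))
        fm = FROM_RE.match(msg)
        sm = SCANLOOP_RE.match(msg)
        om = OUTPUT_RE.match(msg)
        am = ATTACH_RE.match(msg)
        if fm:
            rec.sender, rec.subject = fm.group(1), fm.group(2)
            ip = IP_RE.search(msg)
            rec.source_ip = ip.group(1) if ip else ""
        elif sm:
            rec.scanner, rec.plain_text = sm.group(1), sm.group(2) == "1"
        elif om:
            rec.scanner = rec.scanner or om.group(1)
            capturing = pid
        elif am and am.group(1) not in rec.attachments:  # hranc.bat is logged 3 times
            rec.attachments.append(am.group(1))
    return records


def find_silent_scans(records):
    """Records where the AV scanner ran (not a plain-text skip) over a directory
    in which perlscanner saw attachments, yet the scanner printed nothing.
    clamscan without -i/--infected prints one 'OK' or 'FOUND' line per file,
    so an empty capture means the verdict cannot be trusted."""
    return [r for r in records.values()
            if r.scanner and not r.plain_text and r.attachments and not r.scanner_output]


def report(text):
    """One line per suspicious message, ready to grep or alert on."""
    return [f"pid {r.pid}: {r.scanner} printed nothing for {', '.join(r.attachments)}"
            f" (from {r.sender!r}, subj {r.subject!r}, via {r.source_ip})"
            for r in find_silent_scans(parse_debug_log(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against /var/spool/qmailscan/qmail-queue.log (or whatever path your debug log is at) with `report(open(path).read())` once the wrapped copy has been unwrapped; on the sample it flags only pid 4197. A hit tells you which messages got a zero exit status from clamscan with no scan output, which is the failure mode Jason describes, and gives you the sender, subject and source IP to correlate with what the downstream @mail scanner caught.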
