[Mimedefang] Problem scanning multiple attachments with Kaspersky Anti-Virus for Linux Workstation 5.0.2.0

Ernst-Paul ten Brinke ep at tenbrinke.net
Thu Apr 1 18:45:44 EST 2004


I'm using MD 2.42 with Kaspersky Anti-Virus for Linux Workstation 5.0.2.0.
I noticed a problem with scanning multiple attachments.
 
In mimedefang.pl I see the following code in the subroutine for
message_contains_virus_avp5 :
 
# Run aveclient
my($code, $category, $action) = run_virus_scanner($Features{'Virus:AVP5'} .
" -s -p /var/run/aveserver $CWD/Work/* 2>&1","INFECTED");

Let's say you send a message with attachments a.zip and b.zip, where a.zip
contains a virus and b.zip does not.
 
You would expect a scan return code 4 from aveclient. The a.zip MIME part is
INFECTED and the b.zip part NOT.
But the scan result of aveclient depends on the order in which the parts
will be scanned.
Calling aveclient with multiple files or in this case with a * returns only
the scan return code of the last MIME part scanned.
So adding a.zip first as attachment and b.zip second results in return code
0. No virus found in MIME parts.
But adding b.zip first and a.zip second results in a return code 4. Virus
found in MIME parts.
 
Example with an infected .zip file and an uninfected .com file (order:
.zip, .com).
 
/var/log/kav/aveserver.log after running message_contains_virus_avp5 :
 
[02-04-2004 01:01:57 A] [19908] New local connection accepted from /var/run/aveserver, connection ID 149
[02-04-2004 01:01:57 A] [19908] [26543] Scan started: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-72.txt
[02-04-2004 01:01:57 A] [19908] [26543] Scan progress: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-72.txt OK
[02-04-2004 01:01:57 A] [19908] [26543] Scan result: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-72.txt OK
[02-04-2004 01:01:57 A] [19908] [26543] Scan started: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-73.html
[02-04-2004 01:01:57 A] [19908] [26543] Scan progress: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-73.html OK
[02-04-2004 01:01:57 A] [19908] [26543] Scan result: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-73.html OK
[02-04-2004 01:01:57 A] [19908] [26543] Scan started: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-74.zip
[02-04-2004 01:01:57 A] [19908] [26543] Scan progress: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-74.zip/me.htm.pif INFECTED I-Worm.Moodown.b
[02-04-2004 01:01:57 A] [19908] [26543] Scan result: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-74.zip INFECTED
[02-04-2004 01:01:57 A] [19908] [26543] Scan started: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-75.com
[02-04-2004 01:01:57 A] [19908] [26543] Scan progress: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-75.com OK
[02-04-2004 01:01:57 A] [19908] [26543] Scan result: /var/spool/MIMEDefang/mdefang-i31N1vHK026539/Work/msg-25543-75.com OK

In this case message_contains_virus_avp5 results in: return code 0, category
: ok, action : ok .... which is not ok.
Changing the order will result in return code 4, category : virus, action :
quarantine.
 
Ernst-Paul
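
An added example, not part of the original post and not MIMEDefang's own code: one way to avoid the order dependence described above is to call the scanner once per MIME part and keep the worst verdict. The function names, the `fake_scan` stand-in and the treatment of codes other than 0 and 4 as errors are assumptions; the aveclient flags and the meaning of codes 0 and 4 are taken from the post.

```shell
#!/bin/sh
# Added example, not MIMEDefang code. Codes from the post: 0 = clean, 4 = infected.
# Assumption: any other non-zero code is a scanner error, never "clean".
RC_CLEAN=0
RC_INFECTED=4

# Hypothetical wrapper: one aveclient call per file, flags as in the post.
# Assumes aveclient is on PATH.
aveclient_scan() {
    aveclient -s -p /var/run/aveserver "$1"
}

# Constructed stand-in scanner for offline runs: reports 4 when the file
# contains the marker string FAKE-VIRUS, 0 otherwise.
fake_scan() {
    if grep -q 'FAKE-VIRUS' "$1"; then return "$RC_INFECTED"; fi
    return "$RC_CLEAN"
}

# last_code_only SCANNER FILE...
# Models the behaviour reported in the post: each file overwrites the code.
last_code_only() {
    scanner=$1; shift
    rc=$RC_CLEAN
    for part in "$@"; do
        rc=$RC_CLEAN
        "$scanner" "$part" >/dev/null 2>&1 || rc=$?
    done
    return "$rc"
}

# scan_parts SCANNER FILE...
# One scanner call per part; returns 4 if any part is infected, otherwise
# the first error code seen, otherwise 0. Non-files (unmatched glob) are skipped.
scan_parts() {
    scanner=$1; shift
    verdict=$RC_CLEAN
    for part in "$@"; do
        [ -f "$part" ] || continue
        rc=$RC_CLEAN
        "$scanner" "$part" >/dev/null 2>&1 || rc=$?
        if [ "$rc" -eq "$RC_INFECTED" ]; then
            verdict=$RC_INFECTED
        elif [ "$rc" -ne "$RC_CLEAN" ] && [ "$verdict" -eq "$RC_CLEAN" ]; then
            verdict=$rc
        fi
    done
    return "$verdict"
}
```

Run from the message's working directory as `scan_parts aveclient_scan Work/*` and read `$?`; swapping in `fake_scan` exercises the logic without a running aveserver.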