[Mimedefang] MIMEDefang & TREND INTERSCAN vscan : bug in virus name parsing ($VirusName)

number6 at freesurf.fr number6 at freesurf.fr
Thu Feb 19 13:54:16 EST 2004


Hi,

MIMEDefang up to 2.39 sometimes wrongly detects some messages infected by
WORM_NETSKY.B as infected by unknown-Trend-virus (the default name when there is
no correct match). You will therefore get complaints if you do sender
notification, as NETSKY forges sender addresses.

The reason is:
- the way $VirusName is computed does not take into account some cases
  where the infected attachment name includes "found" (frequent with NETSKY).
- the matching code of the scanner output

Example of Trend's run:
*** Found virus WORM_NETSKY.B in file
/var/spool/MIMEDefang/mdefang-i1JGeCej030762/Work/msg-19556-11.txt
***      1 found.zip in
/var/spool/MIMEDefang/mdefang-i1JGeCej030762/Work/msg-19556-11.txt(type MIME)
***      2 found.rtf.exe in found.zip(type PKZIP)

run_virus_scanner takes as its second argument match, a regular expression to
match (default ".*") in a case-insensitive way ($msg .= $_ if /$match/i;),
hence the problem!
The line "2 found.rtf.exe" is the last one with "found".
The code
    $VirusName = $1
        if ($CurrentVirusScannerMessage =~ m/^\*+ Found virus (\S+)/);
    $VirusName = "unknown-Trend-virus" if $VirusName eq "";

will result in $VirusName being set to unknown-Trend-virus.

Quick work-around at first glance (to be tested and included in
2.40 if ok):
replace
    run_virus_scanner($Features{'Virus:TREND'} . " -a $path 2>&1", "Found");
with
    run_virus_scanner($Features{'Virus:TREND'} . " -a $path 2>&1", "Found ");
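Added example (not code from MIMEDefang or from the poster): a small Python model of the two steps described above, the case-insensitive line filter in run_virus_scanner and the $VirusName match, run over the Trend output quoted in the post. It assumes, following the remark that the last line containing "found" decides the outcome, that the filter keeps the last matching line; the function names are hypothetical, and the last function shows a stricter per-line parse that does not depend on the filter at all.

```python
import re

# Constructed sample of Trend vscan output, copied from the lines quoted in the post.
TREND_OUTPUT = """\
*** Found virus WORM_NETSKY.B in file
/var/spool/MIMEDefang/mdefang-i1JGeCej030762/Work/msg-19556-11.txt
***      1 found.zip in
/var/spool/MIMEDefang/mdefang-i1JGeCej030762/Work/msg-19556-11.txt(type MIME)
***      2 found.rtf.exe in found.zip(type PKZIP)
"""


def filter_scanner_output(output: str, match: str = ".*") -> str:
    """Model of run_virus_scanner's line filter (Perl: $msg .= $_ if /$match/i;).

    Assumption (per the post): the last line matching `match`, tested
    case-insensitively, is what the later $VirusName match sees.
    """
    pattern = re.compile(match, re.IGNORECASE)
    kept = ""
    for line in output.splitlines(keepends=True):
        if pattern.search(line):
            kept = line
    return kept


def trend_virus_name(scanner_message: str) -> str:
    """Model of the $VirusName assignment: anchored, case-sensitive match."""
    m = re.match(r"\*+ Found virus (\S+)", scanner_message)
    return m.group(1) if m else "unknown-Trend-virus"


def virus_name_for(match: str, output: str = TREND_OUTPUT) -> str:
    """End-to-end result for a given run_virus_scanner `match` argument."""
    return trend_virus_name(filter_scanner_output(output, match))


def strict_trend_virus_name(output: str) -> str:
    """Hypothetical stricter parse: look for the 'Found virus' line anywhere in
    the raw output, so attachment names containing 'found' cannot interfere."""
    m = re.search(r"^\*+ Found virus (\S+)", output, re.MULTILINE)
    return m.group(1) if m else "unknown-Trend-virus"


if __name__ == "__main__":
    print("match 'Found' :", virus_name_for("Found"))    # unknown-Trend-virus
    print("match 'Found ':", virus_name_for("Found "))   # WORM_NETSKY.B
    print("strict parse  :", strict_trend_virus_name(TREND_OUTPUT))
```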

One day a rewrite of the whole scanning code will be needed, but I'm not a
Perl guru (scanner definitions a la amavisd-new would be great).

Other topic: WORM_DUMARU.Y & WORM_DUMARU.Z. Can other Trend users
contact me? I feel that sometimes some messages by these worms are getting through.
Strangely enough, when being quarantined based on the sender address and
resubmitted, these messages do get caught.
I would like to investigate this with other Trend users.

No6