[Mimedefang] not catching TNEF and embedded mime viruses

arr at oceanwave.com arr at oceanwave.com
Mon Jan 19 17:49:35 EST 2004


This is a duplicate message that I posted to the clamav list as well, so my
apologies to those of you who've seen this more than once.  A response on the
clamav list indicated that some of the failed tests below should be caught by
mimedefang itself (a pretty much vanilla config, using the supplied config
file).  Anyway, here's my original message.  Any help is appreciated:


I've installed the following list of software on a machine running Solaris 8:

Archive-Zip-1.09.tar.gz
Compress-Zlib-1.32.tar.gz
Convert-TNEF-0.17.tar.gz
Convert-UUlib-1.0.tar.gz
DB_File-1.807.tar.gz
Digest-1.05.tar.gz
Digest-HMAC-1.01.tar.gz
Digest-MD5-2.33.tar.gz
Digest-Nilsimsa-0.06.tar.gz
Digest-SHA1-2.07.tar.gz
File-Scan-0.78.tar.gz
HTML-Parser-3.35.tar.gz
HTML-Tagset-3.03.tar.gz
IO-stringy-2.109.tar.gz
MIME-Base64-2.23.tar.gz
MIME-tools-5.411a-RP-Patched-02.tar.gz
Mail-SpamAssassin-2.61.tar.gz
MailTools-1.60.tar.gz
Net-DNS-0.45.tar.gz
Test-Harness-2.40.tar.gz
Test-Simple-0.47.tar.gz
Time-HiRes-1.54.tar.gz
URI-1.29.tar.gz
Unix-Syslog-0.100.tar.gz
clamav-0.65.tar.gz
gmp-4.1.2.tar.gz
libnet-1.17.tar.gz
mimedefang-2.39.tar.gz
razor-agents-2.36.tar.gz
sendmail.8.12.10.tar.gz

Things seem to be going well, except that clamav doesn't seem to catch some
viruses.  I was using http://www.testvirus.org/?co= and the following tests
failed: 

 Test #6:  Eicar virus embedded within another MIME segment
 Test #11: Eicar virus within a ZIP file
 Test #13: Eicar virus sent in a Microsoft TNEF file (winmail.dat)
 Test #15: Eicar string in HTML, to ensure that your mail server scans HTML
           segments 
 Test #18: Outlook 'Blank Folding' Vulnerability (does not include Eicar
           virus, but your mail server still must catch this)
 Test #19: Outlook 'Boundary Space Gap' Vulnerability (does not include Eicar
           virus, but your mail server still must catch this)
 Test #20: Outlook 'Long Boundary' Vulnerability (does not include Eicar virus,
           but your mail server still must catch this)
 
I'm not overly surprised about the last three, but it seems like clamav should
catch the first four.  Are there additional pieces of software that I'm
missing?

Thanks...


