[Mimedefang] TestVirus.org
Kelson Vibber
kelson at speed.net
Fri Jul 30 12:22:15 EDT 2004
On Friday 30 July 2004 03:03 am, Martin Blapp wrote:
> Clamav is not catching 5 tests, and viri are slipping through! At least
> test 8 and 23 are very important to catch I think:
There's timing... I was just looking at this stuff yesterday. I got the same
results initially (except for #25, which had been defanged), but after
investigation was able to easily block the rest by copying a few bits over
from the current example filter. From what I can tell, it looks like these
would all be detected by a default install of the latest MimeDefang paired
with a current Clamd with the ScanMail option enabled.
> Test #5: Eicar virus sent using BinHex encoding (this is a rarely used
> Macintosh mail format)
>
> Test #8: Eicar virus sent using BinHex encoding within a MIME segment sent
Actually, it's MIMEDefang that doesn't detect these, because it doesn't decode
BinHex. So if you're just passing the message parts MD sees to ClamAV, it
doesn't have a chance to see them. ClamAV will detect them in the raw
message if you have the ScanMail option active in clamav.conf.
Take a cue from the current example filter and call
md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling
message_contains_virus. This way, clamd gets to look at the raw message in
addition to the MD-decoded parts and will pick out the binhex attachment.
Note that you have to do something in response to this rather than wait for
entity_contains_virus, because MD won't see that entity.
> Test #22: Eicar virus within zip file hidden using the "MIME
> Continuation Vulnerability" (attachment can be opened by all
> versions of Microsoft Outlook and Outlook Express) sent
>
> Test #23: Eicar virus within zip file hidden using the "Empty MIME
> Boundary Vulnerability" (attachment can be opened by all versions
> of Microsoft Outlook and Outlook Express)
Interestingly, after I made that change I discovered that Clam was picking up
these two as well. Given the wide range of MIME parsers and malformations
that will slip by some and get picked up by others, it's good to have two
different implementations scanning your mail.
Again, you have to take action on message_contains_virus, and not wait for the
per-entity results, because MD will see these as invalid MIME and not as
attachments.
> Test #25 (non-virus): Attachment with a CLSID extension which may hide the
> real file extension. This does not include the Eicar virus, however
> your mailserver should still block this since the CLSID technique can be
> used to hide the true extension of a malicious file. (attachment can be
> opened by any Windows computer)
ClamAV has no reason to detect this: it doesn't include a virus.
That said, MIMEDefang's default filter_bad_filename should pick this up. It
does here.
--
Kelson Vibber
SpeedGate Communications, <www.speed.net>
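The arrangement described in the message above, written out as an added example (not code from the original post): the whole-message scan is triggered from filter_begin, so BinHex and malformed-MIME attachments that MIMEDefang never exposes as entities are still caught. It assumes the function names used by MIMEDefang's stock example filter of that era and a clamd with ScanMail enabled.

```perl
# Added example: act on the whole-message scan result rather than waiting
# for entity_contains_virus(), since MIMEDefang will never hand us an
# entity for BinHex parts or for MIME it considers malformed.
sub filter_begin {
    my ($entity) = @_;

    # Write the raw, undecoded message into the work directory as an mbox
    # file so clamd scans the original bytes, not just the decoded parts.
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    # message_contains_virus() now covers the raw mbox copy as well as
    # whatever parts MIMEDefang managed to decode.
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq 'virus') {
        # $VirusName is set by the scanner wrapper on a positive hit.
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Discarding because of virus $VirusName");
        action_discard();
        return;
    }

    if ($action eq 'quarantine') {
        # Scanner reported something it could not fully classify (for
        # example an unreadable archive); keep a copy for a human to review.
        md_graphdefang_log('quarantine', $VirusName, $RelayAddr);
        action_quarantine_entire_message("Message quarantined: $VirusName");
        action_discard();
        return;
    }
}

# filter_bad_filename (not shown) still handles the CLSID-extension case
# from test #25, which no antivirus signature is expected to flag.
```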