[Mimedefang] TestVirus.org

Kelson Vibber kelson at speed.net
Fri Jul 30 12:22:15 EDT 2004


On Friday 30 July 2004 03:03 am, Martin Blapp wrote:
> Clamav is not catching 5 tests, and viri are slipping through! At least
> test 8 and 23 are very important to catch I think:

There's timing... I was just looking at this stuff yesterday.  I got the same 
results initially (except for #25, which had been defanged), but after 
investigation was able to easily block the rest by copying a few bits over 
from the current example filter.  From what I can tell, it looks like these 
would all be detected by a default install of the latest MimeDefang paired 
with a current Clamd with the ScanMail option enabled.

> Test #5: Eicar virus sent using BinHex encoding (this is a rarely used
> Macintosh mail format)
>
> Test #8: Eicar virus sent using BinHex encoding within a MIME segment sent

Actually, it's MIMEDefang that doesn't detect these, because it doesn't decode 
BinHex.  So if you're just passing the message parts MD sees to ClamAV, it 
doesn't have a chance to see them.  ClamAV will detect them in the raw 
message if you have the ScanMail option active in clamav.conf.

Take a cue from the current example filter and call 
md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling 
message_contains_virus.  This way, clamd gets to look at the raw message in 
addition to the MD-decoded parts and will pick out the binhex attachment.  
Note that you have to do something in response to this rather than wait for 
entity_contains_virus, because MD won't see that entity.

> Test #22: Eicar virus within zip file hidden using the "MIME
>         Continuation Vulnerability" (attachment can be opened by all
> versions of Microsoft Outlook and Outlook Express) sent
>
> Test #23: Eicar virus within zip file hidden using the "Empty MIME
>         Boundary Vulnerability" (attachment can be opened by all versions
> of Microsoft Outlook and Outlook Express)

Interestingly, after I made that change I discovered that Clam was picking up 
these two as well.  Given the wide range of MIME parsers and malformations 
that will slip by some and get picked up by others, it's good to have two 
different implementations scanning your mail.

Again, you have to take action on message_contains_virus, and not wait for the 
per-entity results, because MD will see these as invalid MIME and not as 
attachments.

> Test #25 (non-virus): Attachment with a CLSID extension which may hide the
> real file extension. *This does not include the Eicar virus*, however
> your mailserver should still block this since the CLSID technique can be
> used to hide the true extension of a malicious file. (attachment can be
> opened by any Windows computer)

ClamAV has no reason to detect this: it doesn't include a virus.

That said, MIMEDefang's default filter_bad_filename should pick this up.  It 
does here.

-- 
Kelson Vibber
SpeedGate Communications, <www.speed.net>
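The filter changes described in this post, written out as an added example. This is not the stock mimedefang-filter shipped with MIMEDefang and not Kelson's own filter; it assumes a MIMEDefang release that provides md_copy_orig_msg_to_work_dir_as_mbox_file(), message_contains_virus() and the usual action_* calls, a filter file that still carries the default filter_bad_filename() sub, and a clamd whose clamav.conf has ScanMail enabled. The log wording and the decision to discard rather than quarantine are choices made here, not anything the post prescribes.

```perl
# Added example: filter_begin()/filter() for a MIMEDefang filter file.
# Not the stock mimedefang-filter and not code from the post; assumes the
# MIMEDefang API of the era and a clamd with ScanMail enabled in clamav.conf.

sub filter_begin () {
    # Drop an mbox copy of the raw, undecoded message into the work dir so
    # the scanner sees it in addition to the parts MIMEDefang decodes.
    # This is what lets clamd find a BinHex body (tests #5/#8) and the
    # broken-MIME samples (#22/#23) that MIMEDefang itself cannot unpack.
    # clamd only parses that copy as mail when ScanMail is on, as the post notes.
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    # Scan the whole message.  Returns ($code, $category, $action);
    # on a hit the scanner wrapper sets $VirusName.
    my ($code, $category, $action) = message_contains_virus();

    # Act here, not in filter(): a virus found only in the raw mbox copy
    # never shows up as a per-entity result, because MIMEDefang builds no
    # entity for a BinHex or malformed-MIME attachment.
    if ($category eq "virus") {
        md_syslog('warning', "Discarding message from $Sender: virus $VirusName");
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        return action_discard();
    }

    # A scanner failure (clamd down, timeout) must not let mail through
    # unscanned; tempfail so the sending MTA retries later.
    if ($action eq "tempfail") {
        md_syslog('warning', "Virus scanner problem: code=$code category=$category");
        return action_tempfail("Virus scanner temporarily unavailable");
    }
}

sub filter ($$$$) {
    my ($entity, $fname, $ext, $type) = @_;

    # Test #25 carries no virus, so no scanner will flag it.  The CLSID
    # extension trick is a filename-policy matter; the default
    # filter_bad_filename() from the example filter is assumed to be present.
    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        return action_quarantine($entity,
            "An attachment named $fname was removed because its name " .
            "matches a pattern used to disguise executable content.\n");
    }

    return action_accept();
}
```

The ordering matters: the mbox copy has to exist before message_contains_virus() runs, and the decision has to be taken on its return value in filter_begin(), since the per-entity hooks are never reached for the parts MIMEDefang cannot decode.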