[Mimedefang] re: Virus getting by MD

Alan Lehman alehman at gbutler.com
Thu Nov 18 23:46:19 EST 2004

I'm also having problems with Exploit-MIME.gen.b getting through. 
I just upgraded to MD 2.48 with clamav-0.80 and uvscan 4.32 but the problem continues.
In almost all cases they are caught by my downstream Exchange box running Groupshield,
as html files. We usually get several per day out of 200 to 400 viruses detected by MD.
Sometimes a large batch (10 to 20) will get by in a short time. Also occasionally .pif 
files get past although MD is configured to block them.


>Mathew Thomas
>Thu Aug 28 20:54:00 EDT 2003
>Hi All,
>The same thing is happening to me also. I have got MD 2.36, with SpamAssassin 2.55
>and McAfee uvscan on my Solaris box mail gateway. In the mimedefang-filter rule, I am
>screening out attachments with .pif and .scr. Staff mail from the gateway is going
>to another box running McAfee Webshield. The Webshield box reported it received
>and filtered about 50 viruses. I noticed that all are two types of viruses, Sobig and
>Exploit-MIME.gen.b. How did it get through my MD? My MD installation on 3 mail gateways
>is filtering about 5000 to 10,000 viruses per day in the last week.
>>> SMcGhee at ARCweb.com <http://lists.roaringpenguin.com/mailman/listinfo/mimedefang> 28/08/03 3:28:20 >>>
Hello Ole and others,
	Just got back from lunch (mmmm, burger...) and was thinking about
this issue.  Ole, you suspect that it is either an MTA mangling the
attachment or a new virus.  I think that it is the first.  This is because
my MD implementation (and probably others) would ordinarily remove
attachments with bad filenames, even if the virus scanner didn't think it
was a virus.  The pif attachments are remaining in place, so I suspect
Sendmail or MD or that Perl module that MD uses to read and manipulate the
parts (the name escapes me) is missing the attachment.  What is equally
weird is that my Exchange server *DOES* pick up the attachment and removes
it.  The bounces seem to come from Exim (or what appears to be Exim).  That
could just be a coincidence.  This is weird behavior, though...



> > MD and uvscan are still catching viruses, but the ones that get through are
> > sent from MAILER-DAEMON, Mail Delivery System, and Mail Delivery
> > Subsystem to internal users.  Some of these addresses have full email
> > addresses and some only have friendly names.  Checking the
> 	I'm seeing some of the same kind of behavior with clamscan.
> Certainly lots of SoBig is getting caught (18821 over the last 48
> hours against a total volume of 45282 emails, according to that
> ever-so-useful tool GraphDefang) but occasionally a bounce from some
> less-than-perfectly configured MTA somewhere will show up in a user's
> mailbox with a defanged details.pif or what have you.
> 	I assumed this was either 1) an MTA truncating (or otherwise
> mangling) the MIME attachment as part of the bounce process, or 2) a
> new virus. I noted this morning that freshclam updated my DBs twice
> recently, so I'd been leaning towards option 2, but I just rescanned
> my sample of one of the newcomers and clamscan doesn't flag it.
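An added illustration, not from the thread and not MIMEDefang's own code, of the first explanation SMcGhee raises above: a bounce whose MIME structure was mangled in transit so that a per-part filename check, like the one the posters use to block .pif and .scr, never sees the attachment, while the bytes of the .pif part are still sitting in the body for a downstream scanner to find. Python's standard email parser stands in for the Perl MIME module MD uses; both messages are constructed samples, and the particular mangling chosen (a boundary parameter in the header that no longer matches the delimiters in the body) is an assumption, one of several ways a relay could break the structure.

```python
"""Added example: how a mangled MIME bounce can hide a .pif part from a
per-part filename check.  Not MIMEDefang code; Python's email parser stands in
for the Perl MIME module MD uses.  Both messages below are constructed."""
import email
import re

BLOCKED_EXTENSIONS = (".pif", ".scr")  # the extensions the posters block

# Constructed sample: a well-formed bounce that carries the worm attachment.
INTACT = b"""From: Mail Delivery System <MAILER-DAEMON@example.invalid>
To: user@example.invalid
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample: the same bounce after a relay rewrote the boundary
# parameter in the header (assumption: one plausible form of "mangling").
# The body delimiters still say b1, so no part boundary is ever matched.
MANGLED = INTACT.replace(b'boundary="b1"', b'boundary="b2"')


def blocked_filenames_by_structure(raw):
    """Walk the parsed MIME tree and collect part filenames with a blocked
    extension: the per-part check a filename-blocking filter rule performs."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def parse_defects(raw):
    """Names of the defects the parser recorded; a mismatched boundary shows
    up here as StartBoundaryNotFoundDefect and leaves a single-part payload."""
    return [type(d).__name__ for d in email.message_from_bytes(raw).defects]


_EXT_ALT = b"|".join(re.escape(e.lstrip(".").encode()) for e in BLOCKED_EXTENSIONS)
# name="x.pif" / filename=x.scr anywhere in the raw bytes, regardless of structure.
FILENAME_PARAM = re.compile(
    rb'(?:file)?name="?([^";\r\n]+\.(?:' + _EXT_ALT + rb'))"?', re.IGNORECASE)


def blocked_filenames_by_raw_scan(raw):
    """Fallback check on the raw message bytes, so a part the structural
    parser lost because of a broken boundary is still noticed."""
    return sorted({m.group(1).decode("ascii", "replace")
                   for m in FILENAME_PARAM.finditer(raw)})


if __name__ == "__main__":
    for label, raw in (("intact", INTACT), ("mangled", MANGLED)):
        print(label,
              "structure:", blocked_filenames_by_structure(raw),
              "raw scan:", blocked_filenames_by_raw_scan(raw),
              "defects:", parse_defects(raw))
```

The structural walk reports details.pif for the intact bounce and nothing for the mangled one, while the parser records a StartBoundaryNotFoundDefect on the latter; a filter that treats parse defects as grounds for quarantine, or that falls back to scanning the raw body for name=/filename= parameters, still catches the part. Whether this is what the posters' relays actually did is not established by the thread.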
