[Mimedefang] Configure uvscan to scan inside a zip file.
Lucas Albers
2003-06-26 20:11:02 UTC
Has anyone configured File::Scan to scan inside zip files for virus?
A new sobig variant came out as a zip file attachment.


I sent through a test sobig virus and it did not appear to detect the virus.

Details:
There is a new virus W32/***@MM
(http://vil.mcafee.com/dispVirus.asp?virus_k=100429) which showed up
today. It typically arrives in a zip file "your_details.zip".

I am currently blocking the attachment, while I configure uvscan to scan
in zip files.

Uvscan is called with the --secure switch which should force it to scan
inside of a zip file.
Pertinent Line:
/usr/bin/mimedefang.pl

# Run uvscan
my($code, $category, $action) =
    run_virus_scanner($Features{'Virus:NAI'} . " --noboot --secure --allole $path 2>&1", "Found");


Any ideas?
Brent J. Nordquist
2003-06-26 21:18:00 UTC
On Thu, 26 Jun 2003, Lucas Albers <***@cs.montana.edu> wrote:

> Has anyone configured File::Scan to scan inside zip files for virus?

I was about to ask the same thing, for the same reason. There's a new
File::Scan 0.58 out that detects Sobig.e but not in its ZIP form. I've
asked the author whether he's up for adding a pattern for the ZIP form of
it.

> There is a new virus W32/***@MM
> (http://vil.mcafee.com/dispVirus.asp?virus_k=100429) which showed up
> today. It typically arrives in a zip file "your_details.zip".

Or "your_details.zi" (without the "p" for reasons explained on that site)
which fortunately makes it harder for users to infect their machines. :-)

> I am currently blocking the attachment,

By name?

--
Brent J. Nordquist <b-***@bethel.edu> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti
John
2003-06-26 22:25:09 UTC
At 02:54 PM 6/26/2003, you wrote:


>On Thu, 26 Jun 2003, Brent J. Nordquist wrote:
>
> > Or "your_details.zi" (without the "p" for reasons explained on that site)
> > which fortunately makes it harder for users to infect their machines. :-)
>
> Somehow or another, we have a lot of campus users whose workstations
>have ".zi" associated with WinZIP. Not sure how that happened. We are
>getting hit by this. I am going to filter that filename.
>
> Another thing I don't understand is this - with the default.pif inside
>the zip file, apparently they don't have to manually launch the pif, just
>by opening the zip file, it launches the enclosed .pif. Anyone know how
>that works?

That's not the case. I opened it last night knowing what it was to kinda
play with it and it did nothing. Various sites mention you have to execute
the .pif to get infected. It will not self-run...


>Jim


John Jaeger - Billings, Montana

EMail To : <mailto:***@jjgb.com>
Home Page : <http://www.jjgb.com>

PGP:
RSA Key ID: 0xAAEC7751 <http://www.jjgb.com/public_files/RSA_Key.zip>

"Our liberty is protected by four boxes...
The ballot box, the jury box, the soap box, and the cartridge box."
- Anonymous

"Soap Box" didn't work, now using the "Cartridge Box" 3/20/2003
Jim McCullars
2003-06-26 21:55:01 UTC
On Thu, 26 Jun 2003, Brent J. Nordquist wrote:

> Or "your_details.zi" (without the "p" for reasons explained on that site)
> which fortunately makes it harder for users to infect their machines. :-)

Somehow or another, we have a lot of campus users whose workstations
have ".zi" associated with WinZIP. Not sure how that happened. We are
getting hit by this. I am going to filter that filename.

Another thing I don't understand is this - with the default.pif inside
the zip file, apparently they don't have to manually launch the pif, just
by opening the zip file, it launches the enclosed .pif. Anyone know how
that works?

Jim
Jason Englander
2003-07-01 01:56:00 UTC
On Thu, 26 Jun 2003, Lucas Albers wrote:

> Has anyone configured File::Scan to scan inside zip files for virus?

I haven't, but you could always use File::MMagic in your filter to find
application/x-zip files in MD's work directory, then use Archive::Zip
to unzip them, then call (message|entity)_contains_virus_filescan()

Be careful of zip files with a gig of 0s in them, extracting zip files
that expand to be larger than the free space of your HD, etc.

Jason

--
Jason Englander <***@englanders.cc>
394F 7E02 C105 7268 777A 3F5A 0AC0 C618 0675 80CA
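The approach Jason sketches above (File::MMagic to recognise the zip whatever its name, Archive::Zip to unpack it, then hand the pieces to the scanner), together with his warning about archives that inflate to a gig of zeros, as an added example; this is not code from the original post, from MIMEDefang or from Archive::Zip. The limits, the `looks_like_zip`/`safe_unzip_for_scan` names and the flat `zipmember-NNNN` output names are assumptions for illustration.

```perl
#!/usr/bin/perl -w
# Added example (not MIMEDefang's or Archive::Zip's own code): inspect a zip
# attachment's central directory BEFORE inflating anything, so a member that
# is "a gig of 0s" or expands past free disk never reaches the filesystem.
# Limits below are assumed values for illustration; tune them to your host.
use strict;
use Archive::Zip qw(:ERROR_CODES);
use File::MMagic;
use File::Spec;

my $MAX_TOTAL_BYTES = 50 * 1024 * 1024;   # total inflated bytes accepted
my $MAX_RATIO       = 200;                # inflated/compressed per member
my $MAX_MEMBERS     = 500;                # members per archive

# True when File::MMagic says the file is a zip (application/x-zip or
# application/zip), regardless of the attachment's claimed name (.zi, .zip).
sub looks_like_zip {
    my ($path) = @_;
    my $type = File::MMagic->new()->checktype_filename($path) || "";
    return $type =~ m{^application/(x-)?zip};
}

# Returns (status, reason, @extracted_paths).  status is "ok", "reject"
# (archive fails a limit: treat as hostile, do not extract) or "error".
sub safe_unzip_for_scan {
    my ($zip_path, $dest_dir) = @_;
    my $zip = Archive::Zip->new();
    return ("error", "cannot read $zip_path") unless $zip->read($zip_path) == AZ_OK;

    my @members = grep { !$_->isDirectory() } $zip->members();
    return ("reject", "too many members") if @members > $MAX_MEMBERS;

    # Pass 1: names and sizes from the central directory, nothing inflated yet.
    my $total = 0;
    foreach my $m (@members) {
        my $name       = $m->fileName();
        my $inflated   = $m->uncompressedSize();
        my $compressed = $m->compressedSize() || 1;   # stored-empty members
        return ("reject", "unsafe member name $name")
            if $name =~ m{^/} || $name =~ m{(?:^|/)\.\.(?:/|\z)};
        return ("reject", "$name inflates to $inflated bytes")
            if $inflated > $MAX_TOTAL_BYTES;
        return ("reject", "$name has ratio " . int($inflated / $compressed))
            if $inflated / $compressed > $MAX_RATIO;
        $total += $inflated;
        return ("reject", "archive inflates to more than $MAX_TOTAL_BYTES bytes")
            if $total > $MAX_TOTAL_BYTES;
    }

    # Pass 2: inflate to flat sequential names under $dest_dir; the scanner
    # only needs the bytes, not the archive's directory layout.
    my @out;
    my $i = 0;
    foreach my $m (@members) {
        my $target = File::Spec->catfile($dest_dir, sprintf("zipmember-%04d", $i++));
        return ("error", "extract failed for " . $m->fileName())
            unless $m->extractToFileNamed($target) == AZ_OK;
        push @out, $target;
    }
    return ("ok", scalar(@out) . " member(s) extracted", @out);
}

# Usage from a filter: once MIMEDefang has written the parts to its work
# directory, check each part and hand the extracted files to the scanner
# (e.g. File::Scan->new->scan($file) per file).  Command-line form here:
if (@ARGV == 2 && looks_like_zip($ARGV[0])) {
    my ($status, $reason, @files) = safe_unzip_for_scan(@ARGV);
    print "$status: $reason\n";
    print "  $_\n" for @files;
}
```

The sizes come from the archive's own central directory, which a crafted archive can understate, so keep this as the first gate and also run the extraction on a size-capped work filesystem or under a disk quota. A zip nested inside a zip comes out as a plain file here and is left to the scanner's own unpacking.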
John McFarlane
2003-07-01 22:14:01 UTC
I have had very good luck scanning the contents of zip files via uvscan. I
just updated the call to uvscan telling it to unzip if need be :)


John McFarlane



> > Has anyone configured File::Scan to scan inside zip files for virus?
>
>I haven't, but you could always use File::MMagic in your filter to find
>application/x-zip files in MD's work directory, then use Archive::Zip
>to unzip them, then call (message|entity)_contains_virus_filescan()
>
>Be careful of zip files with a gig of 0s in them, extracting zip files
>that expand to be larger than the free space of your HD, etc.
>
> Jason
Jason Englander
2003-07-01 22:28:01 UTC
On Tue, 1 Jul 2003, John McFarlane wrote:

> I have had very good luck scanning the contents of zip files via uvscan. I
> just updated the call to uvscan telling it to unzip if need be :)

MD runs uvscan with these commandline options:

--noboot --secure --allole

From the uvscan man page:

--secure
Examine all files. This option activates the --analyze and
--unzip options and deactivates the --selected and --extensions
options at the same time. By default, this option is off.

It already does unzip.

Jason

--
Jason Englander <***@englanders.cc>
394F 7E02 C105 7268 777A 3F5A 0AC0 C618 0675 80CA
Lucas Albers
2003-07-01 23:41:02 UTC
I tested this before I posted it.
It does have the line in /usr/bin/mimedefang.pl
run_virus_scanner($Features{'Virus:NAI'} . " --noboot --secure --allole
$path 2>&1", "Found");

I can still send virus infected zip files through my mail server.
I just send myself a zipped copy of sobig, and it went through my mail
server without being detected and blocked.

And I have updated dat file to 4273, which detects zipped-sobig.


Jason,
Have you sent a virus infected zip through your mail server?
And it detected the virus and blocked the attachment?
--Luke


> On Tue, 1 Jul 2003, John McFarlane wrote:
>
>> I have had very good luck scanning the contents of zip files via uvscan.
>> I just updated the call to uvscan telling it to unzip if need be :)
>
> MD runs uvscan with these commandline options:
>
> --noboot --secure --allole
>
> From the uvscan man page:
>
> --secure
> Examine all files. This option activates the --analyze and
> --unzip options and deactivates the --selected and --extensions
> options at the same time. By default, this option is off.
>
> It already does unzip.
>
> Jason
Jason Englander
2003-07-02 01:03:01 UTC
On Tue, 1 Jul 2003, Lucas Albers wrote:

> Have you sent a virus infected zip through your mail server?
> And it detected the virus and blocked the attachment?

I don't use uvscan at home, it's too slow (and I won't give money to NAI).
A client of mine uses it, but I have them set up to get scanned with
File::Scan and clamd on three outside MX hosts, then uvscan on two
inside MX hosts. Nothing with a zip attachment has ever made it to
uvscan.

I'm a member of the clam antivirus signature "team", and I also have
a few ISP clients. I see so many viruses, signatures, e-mails with
infected attachments, and such every day that I can't even remember what
the deal was, but I think that client's MD filter was catching the Sobig.E
attachments before the signature was added. They have a very long,
complicated MD filter...

Running uvscan at the commandline against a Sobig.E sample that I have
does this:

# uvscan --secure \"your_details.zip
/home/jason/viruses/Worm/Sobig.E/"your_details.zip/DETAILS.PIF
Found the W32/***@MM virus !!!

I use Pine, which wouldn't let me attach a file with that name (it
doesn't like the quote), but I attached it as yd.zip and set the
client's MD to use only uvscan and it did find ***@MM in it.

I sent "your_details.zip through my home mail server using nail (my
/bin/mail) and clamd did detect it.

Jason

--
Jason Englander <***@englanders.cc>
394F 7E02 C105 7268 777A 3F5A 0AC0 C618 0675 80CA
Lucas Albers
2003-07-02 17:54:01 UTC
> I'm a member of the clam antivirus signature "team", and I also have
> a few ISP clients. I see so many viruses, signatures, e-mails with
> infected attachments, and such every day that I can't even remember what
> the deal was, but I think that client's MD filter was catching the Sobig.E
> attachments before the signature was added. They have a very long,
> complicated MD filter...
>
> Running uvscan at the commandline against a Sobig.E sample that I have
> does this:
Jason Englander,

Thanks for the info on configuring mimedefang to see NAI. Works.
I remember someone posting directions on configuring mimedefang to scan
using both clamav and NAI. We get a lot of viruses where I work, and so I
was thinking of doubling my detection chance by scanning with two virus
scanners.
--Luke
Jason Englander
2003-07-02 18:52:00 UTC
On Wed, 2 Jul 2003, Lucas Albers wrote:

> Thanks for the info on configuring mimedefang to see NAI. Works.
> I remember someone posting directions on configuring mimedefang to scan
> using both clamav and NAI. We get a lot of viruses where I work, and so I
> was thinking of doubling my detection chance by scanning with two virus
> scanners.

Definitely a good idea. A new message_contains_virus() like this:

sub message_contains_virus () {
    my($code, $cat, $act);
    # Ask clamd first; return as soon as a scanner says anything but "ok"
    if ($Features{'Virus:CLAMD'}) {
        ($code, $cat, $act) = message_contains_virus_clamd();
        return (wantarray ? ($code, $cat, $act) : $code) if $act ne "ok";
    }
    # Only reach uvscan (NAI) when clamd found nothing
    if ($Features{"Virus:NAI"}) {
        ($code, $cat, $act) = message_contains_virus_nai();
        return (wantarray ? ($code, $cat, $act) : $code) if $act ne "ok";
    }
    return (wantarray ? (0, 'ok', 'ok') : 0);
}

and an entity_contains_virus() like this (if you use
entity_contains_virus()) should take care of it:

sub entity_contains_virus ($) {
    my($e) = @_;
    my($code, $cat, $act);    # declared here too, or "use strict" complains
    if ($Features{'Virus:CLAMD'}) {
        ($code, $cat, $act) = entity_contains_virus_clamd($e);
        return (wantarray ? ($code, $cat, $act) : $code) if $act ne "ok";
    }
    if ($Features{"Virus:NAI"}) {
        ($code, $cat, $act) = entity_contains_virus_nai($e);
        return (wantarray ? ($code, $cat, $act) : $code) if $act ne "ok";
    }
    return (wantarray ? (0, 'ok', 'ok') : 0);
}


Jason

--
Jason Englander <***@englanders.cc>
394F 7E02 C105 7268 777A 3F5A 0AC0 C618 0675 80CA
Tony Nugent
2003-07-02 15:29:01 UTC
On Tue Jul 01 2003 at 08:36, John McFarlane wrote:

> I have had very good luck scanning the contents of zip files via uvscan. I
> just updated the call to uvscan telling it to unzip if need be :)

For what it's worth, uvscan/defang has been working flawlessly here
to correctly identify Sobig.e in its .zip/.zi format (ie, there has
been no need to unzip the attachment before scanning its contents).

> John McFarlane

> > > Has anyone configured File::Scan to scan inside zip files for virus?
> >
> >I haven't, but you could always use File::MMagic in your filter to find
> >application/x-zip files in MD's work directory, then use Archive::Zip
> >to unzip them, then call (message|entity)_contains_virus_filescan()
> >
> >Be careful of zip files with a gig of 0s in them, extracting zip files
> >that expand to be larger than the free space of your HD, etc.
> >
> > Jason

Cheers
Tony