Full Disclosure mailing list archives
Re: f-prot not catching mimail ? (now fixed)
From: Mike Tancsa <mike () sentex net>
Date: Tue, 05 Aug 2003 13:56:38 -0400
This is now fixed with an updated engine. I verified both with my Windows Desktop version as well as with my FreeBSD version. This gets both versions of the virus I have found.
avscan1# f-prot *.zip
Virus scanning report - 5 August 2003 @ 13:50

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.4

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 4 August 2003
MACRO.DEF created 4 August 2003

Search: message1.zip message4.zip new.zip
Action: Report only
Files: Attempt to identify files
Switches: <none>

/tmp/tmp2/message1.zip->message.html Infection: W32/Mimail.A@mm
/tmp/tmp2/message4.zip->message.html Infection: W32/Mimail.A@mm
/tmp/tmp2/new.zip->message1.zip Not scanned (encrypted)
/tmp/tmp2/new.zip->message4.zip Not scanned (encrypted)

Results of virus scanning:
Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 4
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00

At 07:35 AM 05/08/2003 +1000, Paul Szabo wrote:
>>I cannot see anything "special" in the MIME structure of Mimail that would
>>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
>>the ZIP that f-prot cannot unpack?).
>
> I was told it's the encoding scheme in the .html file that's the problem.
> Currently the scanner does not support that type of encoding.

It seems to me that the HTML contains the binary EXE without any encoding:

$ cat -v message.html | fold | head -5
MIME-Version: 1.0
Content-Location:File://foo.exe
Content-Transfer-Encoding: binary

MZM-^P^@^C^@^@^@^D^@^@^@M-^?M-^?^@^@M-8^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@

Regardless, f-prot should list the ZIP attachment, and the files contained
within the ZIP ...

Cheers,

Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
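An added example, not part of Mike Tancsa's or Paul Szabo's posts and not F-Prot code: a small Python scanner that does what Paul says a scanner should do with this sample, namely walk the ZIP attachment, report members it cannot open because the archive flags them as encrypted (the "Not scanned (encrypted)" outcome in the report above), and look inside any .html member for an MHTML part whose body is an unencoded PE image rather than trusting the extension. The archives, the MZ/PE header stub, the MHTML layout and all helper names (find_pe_images, parse_mime_part, inspect_html, scan_zip, build_samples, mark_encrypted, MAX_MEMBER) are constructed here to mirror the report and the cat -v output; the stub is a header only, not an executable.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1           # general-purpose bit 0 in the zip headers
MAX_MEMBER = 16 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def find_pe_images(data):
    """Offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature.
    Following e_lfanew keeps stray 'MZ' text from counting as an executable."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def parse_mime_part(data):
    """Split an MHTML part into (headers, body). Header names are lower-cased and a
    missing space after the colon (Content-Location:File://foo.exe) is tolerated."""
    seps = [(data.find(s), s) for s in (b"\r\n\r\n", b"\n\n")]
    seps = [(i, s) for i, s in seps if i != -1]
    if not seps:
        return {}, data
    idx, sep = min(seps)
    headers = {}
    for line in data[:idx].splitlines():
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, data[idx + len(sep):]


def inspect_html(data):
    """Verdict for an .html member: a MIME part whose body is a raw PE image is an
    executable dropper, whatever the file extension says."""
    headers, body = parse_mime_part(data)
    if not find_pe_images(body):
        return "clean"
    return ("Infection: unencoded PE image inside MIME part "
            f"(Content-Location={headers.get('content-location', '')!r}, "
            f"Content-Transfer-Encoding={headers.get('content-transfer-encoding', '')!r})")


def scan_zip(zip_bytes, prefix, max_depth=4):
    """Walk an archive the way the report above lists it, returning (path, status)
    pairs and recursing into nested zips that can actually be opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = f"{prefix}->{info.filename}"
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append((path, "Not scanned (encrypted)"))
            elif info.file_size > MAX_MEMBER:
                findings.append((path, "Not scanned (too large)"))
            else:
                data = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(data)):
                    if max_depth == 0:
                        findings.append((path, "Not scanned (nested too deep)"))
                    else:
                        findings.extend(scan_zip(data, path, max_depth - 1))
                elif info.filename.lower().endswith((".htm", ".html")):
                    findings.append((path, inspect_html(data)))
                else:
                    findings.append((path, "raw PE image" if find_pe_images(data) else "clean"))
    return findings


# --- Constructed sample data (assumed for this example, not taken from the thread) ---

def build_fake_pe():
    """MZ/PE header stub: enough for the signature checks, not an executable."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00")
    hdr += b"\x00" * (0x3C - len(hdr)) + struct.pack("<I", e_lfanew)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_mhtml(pe):
    """MIME part laid out like the cat -v output: headers, blank line, raw PE bytes."""
    return (b"MIME-Version: 1.0\r\nContent-Location:File://foo.exe\r\n"
            b"Content-Transfer-Encoding: binary\r\n\r\n" + pe)


def build_zip(members):
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return out.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag in every member's central and local headers so the
    archive presents as password protected; the member data itself is untouched."""
    buf = bytearray(zip_bytes)
    eocd = buf.rfind(b"PK\x05\x06")
    count = struct.unpack_from("<H", buf, eocd + 10)[0]
    pos = struct.unpack_from("<I", buf, eocd + 16)[0]
    for _ in range(count):
        buf[pos + 8] |= ENCRYPTED_FLAG                                       # central dir flags
        buf[struct.unpack_from("<I", buf, pos + 42)[0] + 6] |= ENCRYPTED_FLAG  # local header flags
        n, m, k = struct.unpack_from("<HHH", buf, pos + 28)
        pos += 46 + n + m + k
    return bytes(buf)


def build_samples():
    """message1.zip carries the MHTML dropper; new.zip carries message1.zip as an
    encrypted member, mirroring the two outcomes in the report."""
    message1 = build_zip({"message.html": build_mhtml(build_fake_pe())})
    return {"message1.zip": message1,
            "new.zip": mark_encrypted(build_zip({"message1.zip": message1}))}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        for path, status in scan_zip(blob, name):
            print(f"{path}\t{status}")
```

Running it prints one line per archive member in the same "archive->member status" shape as the report. The point of parse_mime_part plus find_pe_images is that the detection does not depend on a transfer encoding the scanner understands: with Content-Transfer-Encoding: binary the body is the executable itself, so the MZ/e_lfanew/PE check on the body is all that is needed. The encrypted branch is the caveat from the report: a member the scanner cannot open has not been scanned, and a gateway should treat it as unknown, not as clean.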
Current thread:
- f-prot not catching mimail ? Mike Tancsa (Aug 02)
- RE: f-prot not catching mimail ? Curt Purdy (Aug 03)
- Re: f-prot not catching mimail ? dizzy (Aug 13)
- <Possible follow-ups>
- Re: f-prot not catching mimail ? Paul Szabo (Aug 03)
- Re: f-prot not catching mimail ? Mike Tancsa (Aug 04)
- RE: f-prot not catching mimail ? Aditya (Aug 05)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 04)
- Re: f-prot not catching mimail ? Nick FitzGerald (Aug 04)
- Re: f-prot not catching mimail ? (now fixed) Mike Tancsa (Aug 05)
- Re: f-prot not catching mimail ? Nik Reiman (Aug 06)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 04)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 06)