What version are you running, Matt? In version 3.0.5.20 they fixed an ms-tnef issue with winmail.dat. This might be the issue you are seeing.
Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Tuesday, July 18, 2006 7:48 PM
Subject: [Declude.Virus] Invalid file types triggering on an invalid file type
I found a message blocked for an "Invalid ZIP Vulnerability", but it doesn't have a zip attachment. The only attachment on this message is a winmail.dat. While that winmail.dat file clearly contains data of some sort, I am pretty certain that it is triggering vulnerabilities inappropriately, and I am positive that this message was not a virus.

My Declude Virus logs are showing both the Invalid ZIP Vulnerability and a bogus .jpg file. I would like to turn this detection off. Is there a switch to turn off this detection?

Detail follows:

HEADERS FROM THE SINGLE ATTACHMENT
=================================================================
------=_NextPart_000_0056_01C6A9CF.4BDDA860
Content-Type: application/ms-tnef;
    name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="winmail.dat"

VIRUS LOG ENTRIES
=================================================================
07/17/2006 06:32:40.488 q674000a20000e465.smd Vulnerability flags = 862
07/17/2006 06:32:40.566 q674000a20000e465.smd MIME file: winmail.dat [base64; Length=2312012 Checksum=33270092]
07/17/2006 06:32:40.800 q674000a20000e465.smd Virus scanner 1 reports exit code of 0
07/17/2006 06:32:41.253 q674000a20000e465.smd Virus scanner 2 reports exit code of 0
07/17/2006 06:32:41.253 q674000a20000e465.smd Found a bogus .jpg file
07/17/2006 06:32:41.253 q674000a20000e465.smd Invalid ZIP Vulnerability
07/17/2006 06:32:41.253 q674000a20000e465.smd Found a bogus .Zip file
07/17/2006 06:32:41.253 q674000a20000e465.smd File(s) are INFECTED [[Invalid ZIP Vulnerability]: 0]
07/17/2006 06:32:41.253 q674000a20000e465.smd Scanned: CONTAINS A VIRUS [MIME: 7 2314810]
07/17/2006 06:32:41.269 q674000a20000e465.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from ##.##.48.210]
07/17/2006 06:32:41.269 q674000a20000e465.smd Subject: FW: M341092022 / M341092023

Thanks,
Matt
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
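
A triage sketch for the situation described in this thread, added here as an example and not part of the original messages or of Declude: it groups Declude Virus log lines by spool file and lists messages blocked on a vulnerability where the only MIME part is winmail.dat and every scanner exited 0. The line layout follows the log entries quoted in the thread; the second sample message and the reading of exit code 0 as "nothing found" are assumptions.

```python
import re
from collections import defaultdict

# First message: a subset of the log entries quoted in the post.
# Second message (qconstructed0001.smd) is constructed for contrast.
SAMPLE_LOG = """\
07/17/2006 06:32:40.488 q674000a20000e465.smd Vulnerability flags = 862
07/17/2006 06:32:40.566 q674000a20000e465.smd MIME file: winmail.dat [base64; Length=2312012 Checksum=33270092]
07/17/2006 06:32:40.800 q674000a20000e465.smd Virus scanner 1 reports exit code of 0
07/17/2006 06:32:41.253 q674000a20000e465.smd Virus scanner 2 reports exit code of 0
07/17/2006 06:32:41.253 q674000a20000e465.smd Found a bogus .jpg file
07/17/2006 06:32:41.253 q674000a20000e465.smd Invalid ZIP Vulnerability
07/17/2006 06:32:41.253 q674000a20000e465.smd File(s) are INFECTED [[Invalid ZIP Vulnerability]: 0]
07/17/2006 06:40:02.100 qconstructed0001.smd MIME file: report.zip [base64; Length=1024 Checksum=1]
07/17/2006 06:40:02.300 qconstructed0001.smd Virus scanner 1 reports exit code of 0
07/17/2006 06:40:02.400 qconstructed0001.smd File(s) are INFECTED [[Invalid ZIP Vulnerability]: 0]
"""

LINE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3} (\S+) (.*)$")
MIME = re.compile(r"^MIME file: (.+?) \[")
EXIT = re.compile(r"^Virus scanner \d+ reports exit code of (-?\d+)")
VERDICT = re.compile(r"^File\(s\) are INFECTED \[\[(.+?)\]")

def tnef_review_candidates(log_text):
    """Return {spool_id: verdict} for messages blocked on a vulnerability
    where every MIME part is winmail.dat and every scanner exited 0."""
    msgs = defaultdict(lambda: {"files": [], "exits": [], "verdict": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg, text = msgs[m.group(1)], m.group(2)
        if (f := MIME.match(text)):
            msg["files"].append(f.group(1).lower())
        elif (e := EXIT.match(text)):
            msg["exits"].append(int(e.group(1)))
        elif (v := VERDICT.match(text)):
            msg["verdict"] = v.group(1)
    return {
        sid: d["verdict"] for sid, d in msgs.items()
        if d["verdict"] and "Vulnerability" in d["verdict"]
        and d["files"] and all(n == "winmail.dat" for n in d["files"])
        and d["exits"] and all(code == 0 for code in d["exits"])  # assumption: 0 = nothing found
    }

if __name__ == "__main__":
    for sid, verdict in tnef_review_candidates(SAMPLE_LOG).items():
        print(f"{sid}: review as possible TNEF false positive ({verdict})")
```

Messages it lists are candidates for manual review against the original spool file, not confirmed false positives.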