Bug#959004: exim4-daemon-heavy: exiscan is missing EICAR signature in message body but finds it in attachment

2020-05-12 Thread brunoc68
On 12/05/2020 at 16:36, Andreas Metzler wrote:
> On 2020-05-12 brunoc68 wrote:
>> On 11/05/2020 at 17:24, Andreas Metzler wrote:
> [...]
>>> Are you positive you are testing this correctly?
>>> swaks -s mail.server -f sender@address -t rcpt@address --body 'X5O!P...'
>>> Replace X5O!P... with the full test string from
>>> https://en.wikipedia.org/wiki/EICAR_test_file
>> Dear Andreas,
>> With the command line you suggested it is detected as a virus.
>> As soon as I add text before and after the EICAR signature, it is not
>> detected anymore as a virus.
>> So I tested again with Thunderbird as mail client: same.
>> Basically with the Eicar signature alone in the body, it is detected as
>> a virus.
>> As soon as I add text on top of the Eicar signature, it passes through.
>> Is it normal behavior?
> Hello Bruno,
>
> Exim passes the mail message unchanged as it is on to the virus
> scanner. If you sent the message with Thunderbird there might be some
> encoding on top (base64 or QP) instead of the literal string.
> It depends on the AV scanner and its configuration whether it will
> undo these steps before checking. clamscan on the mailbox file might be
> enlightening.
>
> cu Andreas
Hello Andreas,

I got the same behavior with Thunderbird as with swaks: even on the
command line, as soon as I add characters before and after the Eicar
signature, the mail passes through the antivirus. I guess this should
not be, at least it was not the case in the past.

cu Bruno
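The encoding question Andreas raises above, worked through as an added example (Python written for this page, not code from the thread, Exim or ClamAV): it builds the same single-part mail as 7bit (what swaks sends), quoted-printable and base64, and reports where the test string sits in the raw message that Exim hands the scanner versus in the MIME-decoded body. A constructed placeholder stands in for the EICAR string and the addresses are made up.

```python
# Added example (not from the bug thread): does the literal test string survive
# the transfer encoding, i.e. is it visible in the raw bytes Exim passes on?
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed placeholder standing in for the 68-byte EICAR string; take the
# real one from the Wikipedia page linked in the thread for a live clamscan test.
MARKER = b"TEST-SIGNATURE-PLACEHOLDER"

# Constructed body: text on both sides of the marker on one long line, the case
# Bruno describes; a line this long is soft-wrapped by quoted-printable.
SAMPLE_BODY = "hello " * 10 + MARKER.decode("ascii") + " bye"

def build_message(body: str, cte: str) -> bytes:
    """Single-part text/plain mail with the given Content-Transfer-Encoding
    ("7bit" as swaks sends it, "quoted-printable" or "base64" as a client might)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # made-up addresses
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "scanner test"
    msg.set_content(body, cte=cte)
    return msg.as_bytes()

def raw_offset(raw: bytes) -> int:
    """Offset of the literal marker in the raw message (headers included),
    which is what a scanner fed the unchanged message looks at; -1 if absent."""
    return raw.find(MARKER)

def decoded_offset(raw: bytes) -> int:
    """Offset of the marker in the MIME-decoded text body, which is what a
    scanner that undoes base64/QP before matching looks at; -1 if absent."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return -1
    return body.get_payload(decode=True).find(MARKER)

def compare(body: str = SAMPLE_BODY) -> dict:
    """Map each transfer encoding to (offset in raw message, offset in decoded body)."""
    result = {}
    for cte in ("7bit", "quoted-printable", "base64"):
        raw = build_message(body, cte)
        result[cte] = (raw_offset(raw), decoded_offset(raw))
    return result

if __name__ == "__main__":
    for cte, (r, d) in compare().items():
        print(f"{cte:17s} raw: {r:4d}   decoded: {d:4d}")
```

With text on both sides of the string on one long line, quoted-printable soft-wraps through it, so only a scanner that decodes the body before matching sees it whole; the offsets also show that any leading text moves the string away from offset 0, where the EICAR specification requires the test string to start.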




2020-05-12 Thread brunoc68
Dear Andreas,

With the command line you suggested it is detected as a virus.

As soon as I add text before and after the EICAR signature, it is not
detected anymore as a virus.

So I tested again with Thunderbird as mail client: same.

Basically with the Eicar signature alone in the body, it is detected as
a virus.
As soon as I add text on top of the Eicar signature, it passes through.

Is it normal behavior?

cu Bruno


On 11/05/2020 at 17:24, Andreas Metzler wrote:
> On 2020-04-29 brunoc68 wrote:
> [...]
>> Actually the virus filtering works, but only with the attachments. The
>> issue is the body of the email that goes through with the eicar
>> signature; so I expect any html virus in the body can go through...
> [...]
>
> Hello,
>
> Are you positive you are testing this correctly?
>
> swaks -s mail.server -f sender@address -t rcpt@address --body 'X5O!P...'
>
> Replace X5O!P... with the full test string from
> https://en.wikipedia.org/wiki/EICAR_test_file
>
> cu Andreas




2020-04-29 Thread brunoc68
On 28/04/2020 at 19:46, Andreas Metzler wrote:
> On 2020-04-28 brunoc68 wrote:
>> Package: exim4-daemon-heavy
>> Version: 4.92-8+deb10u3
>> Severity: normal
>> Dear Maintainer,
>>   * What led up to the situation?
>> Installation of exim4-daemon-heavy with av_scanner = clamd
>>   * What exactly did you do (or not do) that was effective (or
>>     ineffective)?
>> 1. include EICAR virus signature in .txt or .zip attachment
>> 2. include EICAR virus signature in message body
>>   * What was the outcome of this action?
>> 1. mail refused at ACL time
>> 2. mail accepted: message found as clean in clamd log
>>   * What outcome did you expect instead?
>> 1. outcome ok
>> 2. mail refused at ACL time
> Hello,
>
> You will also need to run the av scanner in the DATA acl.
>
> cu Andreas
Dear Andreas, that was done:

 vi acl/40_exim4-config_check_data:
  ...
  deny
    message = This message was detected as possible malware ($malware_name).
    malware = *
  ...

Actually the virus filtering works, but only with the attachments. The
issue is the body of the email that goes through with the eicar
signature; so I expect any html virus in the body can go through...




2020-04-27 Thread brunoc68
Package: exim4-daemon-heavy
Version: 4.92-8+deb10u3
Severity: normal

Dear Maintainer,

   * What led up to the situation?

Installation of exim4-daemon-heavy with av_scanner = clamd

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

1. include EICAR virus signature in .txt or .zip attachment
2. include EICAR virus signature in message body

   * What was the outcome of this action?

1. mail refused at ACL time
2. mail accepted: message found as clean in clamd log

   * What outcome did you expect instead?

1. outcome ok
2. mail refused at ACL time




-- System Information:
Debian Release: 9.5
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4-daemon-heavy depends on:
ii  debconf [debconf-2.0]  1.5.61
pn  exim4-base
ii  libc6                  2.24-11+deb9u3
ii  libdb5.3               5.3.28-12+deb9u1
ii  libgnutls-dane0        3.5.8-5+deb9u3
ii  libgnutls30            3.5.8-5+deb9u3
ii  libldap-2.4-2          2.4.44+dfsg-5+deb9u3
ii  libmariadbclient18     10.1.37-0+deb9u1
ii  libpam0g               1.1.8-3.6
ii  libpcre3               2:8.39-3
ii  libperl5.24            5.24.1-3+deb9u5
ii  libpq5                 9.6.17-0+deb9u1
ii  libsasl2-2             2.1.27~101-g0780600+dfsg-3+deb9u1
ii  libsqlite3-0           3.16.2-5+deb9u1

exim4-daemon-heavy recommends no packages.

exim4-daemon-heavy suggests no packages.