
0002710: Viruses in archive not removed. - MantisBT
View Issue Details
ID: 0002710
Project: Endian Firewall
Category: Proxy SMTP
View Status: public
Date Submitted: 2010-02-22 17:55
Last Update: 2011-03-11 08:43
Reporter: baldy
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 2.3
Target Version: future
0002710: Viruses in archive not removed.
Amavis/Clamav does not remove viruses in zip files.

Also referred to as FedEx / UPS spam, these messages should be removed by amavisd, but they aren't.

Headers show it is detected, but still passed to spam quarantine instead of virus quarantine.

This also happened in EFW 2.2.

Regards,

Klaas-Jan
Headers of the message.

Received: from mail.baldy.nl (192.168.200.1) by remote.baldy.nl
 (192.168.200.4) with Microsoft SMTP Server id 8.1.393.1; Mon, 22 Feb 2010
 16:53:26 +0100
Received: from localhost (localhost.localhost [127.0.0.1]) by mail.baldy.nl
 (Postfix) with ESMTP id 7D3C7C5A83 for <spam@nospam_baldy.nl>; Mon, 22 Feb 2010
 16:53:26 +0100 (CET)
X-Envelope-From: <Eric@nospam_goll.nl>
X-Envelope-To: <klaas-jan@nospam_baldy.nl>
X-Envelope-To-Blocked: <klaas-jan@nospam_baldy.nl>
X-Quarantine-ID: <lnVslTNOYLhL>
X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,Facebook_password
    _3921.exe
Received: from mail.baldy.nl ([127.0.0.1]) by localhost (mail.baldy.nl
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnVslTNOYLhL for
 <klaas-jan@nospam_baldy.nl>; Mon, 22 Feb 2010 16:53:22 +0100 (CET)
Received: from CPSMTPM-EML108.kpnxchange.com (Cpsmtpm-eml108.kpnxchange.com
 [195.121.3.12]) by mail.baldy.nl (Postfix) with ESMTP id EF754C5A82 for
 <klaas-jan@nospam_baldy.nl>; Mon, 22 Feb 2010 16:53:21 +0100 (CET)
Received: from goll.nl ([62.131.54.34]) by CPSMTPM-EML108.kpnxchange.com with
 Microsoft SMTPSVC(7.0.6001.18000); Mon, 22 Feb 2010 16:53:20 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
Subject: FW: Facebook Password Reset Confirmation! Customer Message.
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_001_01CAB3D6.B78AE7AC"
Date: Mon, 22 Feb 2010 16:50:11 +0100
Message-ID: <7542CEA85DEA5F40B140AC566325DF5607B480@goll-srv01.goll.local>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Facebook Password Reset Confirmation! Customer Message.
Thread-Index: Acqz1UBbXjn++6sbRZmaUEQiD2ABNAAAWiAA
From: Eric - Goll Financieel Advies <Eric@nospam_goll.nl>
To: "Klaas-Jan van der Borden" <klaas-jan@nospam_baldy.nl>
X-OriginalArrivalTime: 22 Feb 2010 15:53:20.0790 (UTC) FILETIME=[283CE360:01CAB3D7]
Return-Path: <>
X-MS-Exchange-Organization-Antispam-Report: IPOnAllowList
X-MS-Exchange-Organization-SCL: -1
No tags attached.
zip Facebook_password _3921.zip (32,024) 2010-03-08 14:35
https://bugs.endian.com/file_download.php?file_id=360&type=bug
zip UPS_invoice_Nr19373.zip (47,150) 2010-03-08 14:37
https://bugs.endian.com/file_download.php?file_id=361&type=bug
Issue History
2010-02-22 17:55 | baldy | New Issue
2010-03-05 14:07 | peter-endian | Status: new => acknowledged
2010-03-05 21:58 | baldy | Note Added: 0003960
2010-03-08 11:57 | peter-endian | Note Added: 0003966
2010-03-08 11:58 | peter-endian | Note Added: 0003967
2010-03-08 14:35 | baldy | Note Added: 0003970
2010-03-08 14:35 | baldy | File Added: Facebook_password _3921.zip
2010-03-08 14:37 | baldy | File Added: UPS_invoice_Nr19373.zip
2010-03-08 14:38 | baldy | Note Added: 0003971
2010-03-08 17:38 | baldy | Note Added: 0003986
2010-06-07 13:46 | peter-endian | Target Version => future
2011-03-11 08:43 | baldy | Note Added: 0005932

Notes
(0003960)
baldy   
2010-03-05 21:58   
If needed I can add the zip file containing the virus for testing purposes.

Regards,

Klaas-Jan
(0003966)
peter-endian   
2010-03-08 11:57   
yes please, that could help
(0003967)
peter-endian   
2010-03-08 11:58   
could you try to disable the spam filter by increasing the spam level greatly and then repass that mail in order to understand if it would be recognized as a virus if not as spam?
probably this is only a problem with the order of precedence of the tests
(0003970)
baldy   
2010-03-08 14:35   
Peter,

Looks like you are correct.

After increasing the spam level to 100, the message is passed to the quarantine destination (in this case a mail-enabled public folder).

What I also found is that virus notifications are not sent to the virus admin.

The virus-infected message was sent from spam@externaldomain to klaas-jan@mydomain with quarantine info@mydomain and virus admin kvdb@mydomain.

Only mailbox it was delivered to was info, the quarantine destination.

Regards,

Klaas-Jan

Received: from mail.baldy.nl (192.168.200.1) by remote.baldy.nl
 (192.168.200.4) with Microsoft SMTP Server (TLS) id 8.1.393.1; Mon, 8 Mar
 2010 15:29:50 +0100
Received: from localhost (localhost.localhost [127.0.0.1]) by mail.baldy.nl
 (Postfix) with ESMTP id EDCFAC5A83 for <info@nospam_baldy.nl>; Mon, 8 Mar 2010
 15:29:49 +0100 (CET)
X-Envelope-From: <Spam@nospam_goll.nl>
X-Envelope-To: <klaas-jan@nospam_baldy.nl>
X-Envelope-To-Blocked: <klaas-jan@nospam_baldy.nl>
X-Quarantine-ID: <lnCNZRj3zqmD>
X-Amavis-Alert: INFECTED, message contains virus: Trojan.Zbot-7440
X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,Facebook_password
    _3921.exe
Received: from mail.baldy.nl ([127.0.0.1]) by localhost (mail.baldy.nl
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnCNZRj3zqmD for
 <klaas-jan@baldy.nl>; Mon, 8 Mar 2010 15:29:49 +0100 (CET)
Received: from CPSMTPM-EML102.kpnxchange.com (cpsmtpm-eml102.kpnxchange.com
 [195.121.3.6]) by mail.baldy.nl (Postfix) with ESMTP id 8933DC5A82 for
 <klaas-jan@nospam_baldy.nl>; Mon, 8 Mar 2010 15:29:43 +0100 (CET)
Received: from goll.nl ([62.131.54.34]) by CPSMTPM-EML102.kpnxchange.com with
 Microsoft SMTPSVC(7.0.6001.18000); Mon, 8 Mar 2010 15:29:42 +0100
Content-Class: urn:content-classes:message
Subject: FW: Facebook Password Reset Confirmation! Customer Message.
Date: Mon, 8 Mar 2010 15:26:00 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_001_01CABECB.4F3EA6E8"
Message-ID: <7542CEA85DEA5F40B140AC566325DF5607E87F@goll-srv01.goll.local>
X-MS-Has-Attach: yes
X-MimeOLE: Produced By Microsoft Exchange V6.5
X-MS-TNEF-Correlator:
Thread-Topic: Facebook Password Reset Confirmation! Customer Message.
Thread-Index: Acqz1UBbXjn++6sbRZmaUEQiD2ABNAAAWiAAAryeYpAAAIkaqg==
References: <C8E4B6BD7957AA4DAA36BB8C6B509632AE2E56893E@BALDY-SBS01.BaldyIT.local>
From: Spam Mailbox <Spam@nospam_goll.nl>
To: <klaas-jan@nospam_baldy.nl>
X-OriginalArrivalTime: 08 Mar 2010 14:29:42.0917 (UTC) FILETIME=[CB22BB50:01CABECB]
Return-Path: <>
X-MS-Exchange-Organization-Antispam-Report: IPOnAllowList
X-MS-Exchange-Organization-SCL: -1
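The two header blocks posted in this report show the same message tagged only BANNED on 22 February and INFECTED plus BANNED on 8 March, yet landing in the spam quarantine both times. The following Python script is an added example, not code from this bug report or from Endian/amavisd-new: it unfolds the RFC 5322 folded X-Amavis-Alert headers exactly as they appear above, extracts the alert category from each, and applies the precedence the thread expects (INFECTED outranks BANNED, which outranks SPAM; this is an assumption about amavisd-new's content-category ranking, not something the report states) to decide which quarantine the message should have reached. The sample header text is constructed from the 8 March note, and the `delivered_to` value is what the reporter observed, supplied by the caller.

```python
import re

# Assumed precedence when a message matches several amavisd checks:
# higher number wins. Derived from the thread's expectation that a
# virus hit must never be outranked by a spam verdict.
PRECEDENCE = {"INFECTED": 3, "BANNED": 2, "SPAM": 1}
QUARANTINE = {"INFECTED": "virus", "BANNED": "banned", "SPAM": "spam"}

# Constructed sample: the amavisd-relevant headers of the 8 March message
# from note 0003970, including the folded continuation line.
SAMPLE_MARCH = """\
X-Envelope-From: <Spam@nospam_goll.nl>
X-Envelope-To: <klaas-jan@nospam_baldy.nl>
X-Envelope-To-Blocked: <klaas-jan@nospam_baldy.nl>
X-Quarantine-ID: <lnCNZRj3zqmD>
X-Amavis-Alert: INFECTED, message contains virus: Trojan.Zbot-7440
X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,Facebook_password
    _3921.exe
Subject: FW: Facebook Password Reset Confirmation! Customer Message.
"""

# Constructed sample: the 22 February headers, where only the banned-file
# check fired.
SAMPLE_FEB = """\
X-Quarantine-ID: <lnVslTNOYLhL>
X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,Facebook_password
    _3921.exe
Subject: FW: Facebook Password Reset Confirmation! Customer Message.
"""


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_headers(raw):
    """Return (name, value) pairs in order, keeping repeated headers."""
    pairs = []
    for line in unfold_headers(raw).splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def amavis_alerts(pairs):
    """Category keyword (INFECTED, BANNED, SPAM, ...) of each X-Amavis-Alert."""
    cats = []
    for name, value in pairs:
        if name.lower() == "x-amavis-alert":
            cats.append(value.split(",", 1)[0].strip().upper())
    return cats


def expected_quarantine(cats):
    """Pick the quarantine the highest-ranked alert should route to."""
    known = [c for c in cats if c in PRECEDENCE]
    if not known:
        return "clean"
    return QUARANTINE[max(known, key=PRECEDENCE.__getitem__)]


def triage(raw, delivered_to):
    """Compare where the message should have gone with where it landed."""
    pairs = parse_headers(raw)
    single = dict(pairs)  # last value wins; fine for single-valued headers
    cats = amavis_alerts(pairs)
    expected = expected_quarantine(cats)
    return {
        "quarantine_id": single.get("X-Quarantine-ID", "").strip("<>"),
        "blocked_recipient": "X-Envelope-To-Blocked" in single,
        "alerts": cats,
        "expected_quarantine": expected,
        "delivered_to": delivered_to,
        "misrouted": expected != "clean" and delivered_to != expected,
    }


if __name__ == "__main__":
    # The reporter saw both copies land in the spam quarantine.
    for label, raw in (("22 Feb", SAMPLE_FEB), ("8 Mar", SAMPLE_MARCH)):
        print(label, triage(raw, "spam"))
```

Run over a mailbox export, a script like this turns "the virus was quarantined as spam" into a per-message check: any result with `misrouted` set is a message the content filter tagged as infected or banned but that the spam path took first.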
(0003971)
baldy   
2010-03-08 14:38   
Please note that attached files are infected, but as long as you do not open them and run the packed exe there is no problem.

Regards,

Klaas-Jan
(0003986)
baldy   
2010-03-08 17:38   
Also found that the virus is not removed sending it outbound through the GREEN smtp proxy.

This test was done with the same settings that allowed the RED smtp proxy to remove it when sending it inbound.
(0005932)
baldy   
2011-03-11 08:43   
Hi all,

When will this be fixed?

Issue is open for over a year now and still present in 2.4.1.

Regards,

Baldy