Re: [AMaViS-user] Someone missed a virus..
06-16-2007
MrC

I think this is a bug as well.

A PowerPoint document shows up as Microsoft Installer. The reason for this
is that the magic data file has this magic string commented out because of
false positives with powerpoint:

# False positive with PPT
#0 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF Microsoft Installer
....

But later in the file, it is alive and well:

0 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF Microsoft Installer

Immediately following it is:

0 string \320\317\021\340\241\261\032\341 Microsoft Office Document

which, when converted to hex:

0 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1 Microsoft Office Document

is exactly the same initial 8 bytes as the previous entry.

All three test files (empty word .doc, empty powerpoint.ppt, and the
virus-laden Proforma_Invoice.doc file) match the Microsoft Installer entry.
I presume the second entry should have been commented out as well. I've
reported the findings to Christos Zoulas.

As an aside, only 5 of the scanners at virus.org noted detection.

Virus Found:

ArcaVir 1.0.4 Trojan.Dropper.Delf.Aem
ClamAV 0.90/3436 Trojan.Dropper-1047
F-PROT 4.6.7 W32/Dropper.ESR
F-Secure 1.02 Trojan-Dropper.Win32.Delf.aem [AVP]
Trend Micro 8.310-1002 TROJ_DROPPER.HKZ

No Virus Found:

avast! 3.0.0
AVG Anti Virus 7.5.47
BitDefender 7.1
CAT QuickHeal 9.00
Dr. Web 4.33.0
H+BEDV AntiVir 2.1.10-47
McAfee Virusscan 5.10.0
NOD32 2.51.1
Norman Virus Control 5.70.01
Panda 9.00.00
Sophos Sweep 4.17.0
VBA32 3.12.0.2
VirusBuster 1.3.3


MrC



> -----Original Message-----
> From: amavis-user-bounces@lists.sourceforge.net
> [mailto:amavis-user-bounces@lists.sourceforge.net] On Behalf
> Of Noel Jones
> Sent: Friday, June 15, 2007 5:54 PM
> To: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
> At 07:04 PM 6/15/2007, Mark Martinec wrote:
>
> >Seems the -i works better for this particular file, although generally
> >it is the other way around in my experience.

>
> On my system file(1) (file-4.21 from FreeBSD ports)
> classifies *all* MS Word and Excel documents as "Microsoft
> Installer", not just this one example.
>
> If everyone gets this same result, I would call it a bug in file(1).
>
> --
> Noel Jones
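As an added illustration that is not part of the thread: the Python below models the two magic entries MrC quotes with a first-match matcher over a constructed Compound File Binary (OLE2) header. It shows that the longer "Microsoft Installer" pattern is nothing more than the generic OLE2 header with format version 3.62 and a little-endian byte-order mark, so every ordinary v3 Word or PowerPoint file satisfies it, and that dropping the over-broad entry, as MrC suggests, yields "Microsoft Office Document". It assumes file(1) reports the first matching top-level entry in file order; the header bytes are constructed, not taken from any real file.

```python
import struct

CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# The two entries quoted in the post, in magic-file order: (offset, bytes, description).
# The "Installer" pattern is signature + 16 zero bytes (header CLSID) + minor version
# 0x003E, major version 0x0003 and byte-order mark 0xFFFE, all little-endian.
MAGIC_RULES = [
    (0, CFB_SIGNATURE + b"\x00" * 16 + b"\x3E\x00\x03\x00\xFE\xFF", "Microsoft Installer"),
    (0, CFB_SIGNATURE, "Microsoft Office Document"),
]

def cfb_header(major=3, minor=0x3E, sector_shift=9):
    """Constructed 512-byte CFB header, laid out like the one an empty .doc/.ppt carries."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_SIGNATURE
    # bytes 8..23: header CLSID, zero in practice (already zero in the bytearray)
    struct.pack_into("<HHH", hdr, 24, minor, major, 0xFFFE)  # minor ver, major ver, byte order
    struct.pack_into("<H", hdr, 30, sector_shift)             # 2**9 = 512-byte sectors for v3
    return bytes(hdr)

def matching_rules(data, rules=MAGIC_RULES):
    """Every rule whose bytes match at its offset, in magic-file order."""
    return [desc for off, pat, desc in rules if data[off:off + len(pat)] == pat]

def classify(data, rules=MAGIC_RULES):
    """First matching entry wins (assumed model of file(1) top-level matching)."""
    hits = matching_rules(data, rules)
    return hits[0] if hits else "data"

def without(rules, description):
    """The fix MrC proposes: comment out (here, drop) the over-broad entry."""
    return [r for r in rules if r[2] != description]

if __name__ == "__main__":
    doc = cfb_header()
    print(matching_rules(doc))  # ['Microsoft Installer', 'Microsoft Office Document']
    print(classify(doc))        # Microsoft Installer  (the misclassification in the thread)
    print(classify(doc, without(MAGIC_RULES, "Microsoft Installer")))  # Microsoft Office Document
    # A v4 CFB file (4096-byte sectors) no longer matches the Installer bytes at offset 26.
    print(classify(cfb_header(major=4, sector_shift=12)))  # Microsoft Office Document
```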



_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/...fo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/