Deliver infected .xls file

mendark
Posts: 24
Joined: 03 Dec 2021 10:10

Deliver infected .xls file

Post by mendark »

Hello,
I've tested an infected .xls to see whether eFa detects the virus or not.
The virus was detected but the email was delivered, and I don't understand why. I've also tested an infected .img file, but this type of file didn't pass (also an infected file).
What do I have to do to block infected .xls files?
I've attached the log entry:
Jun 20 18:17:50 xxxxxxx MailScanner[12885]: New Batch: Scanning 1 messages, 92235 bytes
Jun 20 18:17:50 xxxxxxx MailScanner[12885]: Virus and Content Scanning: Starting
Jun 20 18:17:50 xxxxxxx MailScanner[12885]: Clamd::INFECTED::Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL :: ./4LRYDW6gkYz9ynPS/
Jun 20 18:17:50 xxxxxxx MailScanner[12885]: Found spam based virus Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL in 4LRYDW6gkYz9ynPS
Jun 20 18:17:51 xxxxxxx MailScanner[12885]: Esets::INFECTED::DOC/TrojanDownloader.Agent.DOV
Jun 20 18:17:51 xxxxxxx MailScanner[12885]: Virus Scanning: esetsefs found 1 infections
Jun 20 18:17:51 xxxxxxx MailScanner[12885]: Infected message 4LRYDW6gkYz9ynPS.message came from
Jun 20 18:17:51 xxxxxxx MailScanner[12885]: Virus Scanning: Found 1 viruses
Jun 20 18:17:51 xxxxxxx MailScanner[12885]: <A> tag found in message 4LRYDW6gkYz9ynPS from usename@yahoo.com
Jun 20 18:17:51 xxxxxxx MailScanner[12885]: Spam Checks: Starting
Jun 20 18:17:53 xxxxxxx MailScanner[12885]: Requeue: 4LRYDW6gkYz9ynPS to 4LRYDW6gkYz9ynPS
Jun 20 18:17:53 xxxxxxx postfix/qmqpd[15182]: connect from localhost[127.0.0.1]
Jun 20 18:17:53 xxxxxxx postfix/qmqpd[15182]: 4LRYDd4xbnz9ynPT: client=localhost[127.0.0.1]
Jun 20 18:17:53 xxxxxxx opendmarc[2982]: ignoring connection from localhost
Thank you
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Deliver infected .xls file

Post by pdwalker »

What are the settings of your /etc/MailScanner/MailScanner.conf for the following entries?

Deliver Disinfected Files =
Silent Viruses =
Still Deliver Silent Viruses =
Still Deliver Silent Viruses Unmodified =

Also, can you tell me where I can find these test viruses so I can send them to myself and see what happens on my system?
mendark
Posts: 24
Joined: 03 Dec 2021 10:10

Re: Deliver infected .xls file

Post by mendark »

Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Still Deliver Silent Viruses Unmodified = no

The test file is on my PC; if you want, I can send you an email or send it in a private message on the forum.

Thank you
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Deliver infected .xls file

Post by pdwalker »

I've emailed you privately with an address you can send them to.
mendark
Posts: 24
Joined: 03 Dec 2021 10:10

Re: Deliver infected .xls file

Post by mendark »

Hello,
Did you receive my email?

Thank you
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Deliver infected .xls file

Post by pdwalker »

Sorry, I've been away.

No, I did not receive it.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Deliver infected .xls file

Post by pdwalker »

I got it.

ClamAV definitely detects it, and then it gets delivered.

investigating.
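
To check a mail log for other messages showing the symptom discussed in this thread (a scanner hit is logged, then the same message is requeued), the following added example, which is not part of any post, correlates MailScanner log lines by message ID. The sample log is constructed from the excerpt in the first post, and the script assumes a `Requeue:` line means the message was handed back to Postfix for delivery.

```python
import re

# Constructed sample, modeled on the log excerpt in the first post.
SAMPLE_LOG = """\
Jun 20 18:17:50 mx MailScanner[12885]: Clamd::INFECTED::Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL :: ./4LRYDW6gkYz9ynPS/
Jun 20 18:17:50 mx MailScanner[12885]: Found spam based virus Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL in 4LRYDW6gkYz9ynPS
Jun 20 18:17:51 mx MailScanner[12885]: Infected message 4LRYDW6gkYz9ynPS.message came from
Jun 20 18:17:53 mx MailScanner[12885]: Requeue: 4LRYDW6gkYz9ynPS to 4LRYDW6gkYz9ynPS
Jun 20 18:20:01 mx MailScanner[12885]: Clamd::INFECTED::Constructed.Test.Sig :: ./4LRZZZ1aaaz9ynQQ/
Jun 20 18:20:02 mx MailScanner[12885]: Infected message 4LRZZZ1aaaz9ynQQ.message came from
Jun 20 18:20:05 mx MailScanner[12885]: Requeue: 4LRAAA2bbbz9ynRR to 4LRBBB3cccz9ynSS
"""

MS_LINE = re.compile(r"MailScanner\[\d+\]: (.*)$")
SCANNER_HIT = re.compile(r"^(\w+)::INFECTED::(\S+) :: \./([^/\s]+)/")
SPAM_VIRUS = re.compile(r"^Found spam based virus (\S+) in (\S+)")
INFECTED_MSG = re.compile(r"^Infected message (\S+?)\.message came from")
REQUEUE = re.compile(r"^Requeue: (\S+) to (\S+)")

def infected_but_requeued(log_text):
    """Return messages that had infection evidence logged and were later requeued."""
    evidence = {}   # message id -> list of reasons seen so far
    findings = []
    for line in log_text.splitlines():
        m = MS_LINE.search(line)
        if not m:
            continue  # not a MailScanner line (postfix, opendmarc, ...)
        msg = m.group(1)
        if (s := SCANNER_HIT.match(msg)):
            evidence.setdefault(s.group(3), []).append(f"{s.group(1)}: {s.group(2)}")
        elif (s := SPAM_VIRUS.match(msg)):
            evidence.setdefault(s.group(2), []).append(f"spam-based virus: {s.group(1)}")
        elif (s := INFECTED_MSG.match(msg)):
            evidence.setdefault(s.group(1), []).append("marked infected")
        elif (s := REQUEUE.match(msg)) and s.group(1) in evidence:
            findings.append({"id": s.group(1), "requeued_as": s.group(2),
                             "evidence": evidence[s.group(1)]})
    return findings

if __name__ == "__main__":
    for f in infected_but_requeued(SAMPLE_LOG):
        print(f["id"], "requeued as", f["requeued_as"], "after:", "; ".join(f["evidence"]))
```

Scanner lines that carry no message ID, such as the `Esets::INFECTED::` line in the first post, cannot be attributed to a message and are skipped.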