eFa not block infected files detected by ESET

Bugs in eFa 4
Post Reply
mendark
Posts: 22
Joined: 03 Dec 2021 10:10

eFa not block infected files detected by ESET

Post by mendark »

Hello,
I found this entry in my maillog:
Jul 13 03:15:55 mailout01 MailScanner[51365]: New Batch: Scanning 1 messages, 342451 bytes
Jul 13 03:15:55 mailout01 MailScanner[51365]: Virus and Content Scanning: Starting
Jul 13 03:16:01 mailout01 MailScanner[51365]: Esets::INFECTED::Win32/Exploit.CVE-2017-11882.F
Jul 13 03:16:01 mailout01 MailScanner[51365]: Virus Scanning: esetsefs found 1 infections
Jul 13 03:16:01 mailout01 MailScanner[51365]: Infected message 4LjJ7B56M3zB5qvH.message came from
Jul 13 03:16:01 mailout01 MailScanner[51365]: Virus Scanning: Found 1 viruses
Jul 13 03:16:01 mailout01 MailScanner[51365]: <A> tag found in message 4LjJ7B56M3zB5qvH from shipment.info@one-line.com
Jul 13 03:16:01 mailout01 MailScanner[51365]: Spam Checks: Starting
Jul 13 03:16:06 mailout01 MailScanner[51365]: Requeue: 4LjJ7B56M3zB5qvH to 4LjJ7B56M3zB5qvH
Jul 13 03:16:06 mailout01 postfix/qmqpd[52744]: connect from localhost[127.0.0.1]
Jul 13 03:16:06 mailout01 postfix/qmqpd[52744]: 4LjJ7V3lrbzB5qvJ: client=localhost[127.0.0.1]
Jul 13 03:16:06 mailout01 opendmarc[3104]: ignoring connection from localhost
Jul 13 03:16:06 mailout01 postfix/cleanup[52720]: 4LjJ7V3lrbzB5qvJ: message-id=<20220713021122.DB7427BA0F81069B@one-line.com>
Jul 13 03:16:06 mailout01 opendkim[3100]: 4LjJ7V3lrbzB5qvJ: no signature data
Jul 13 03:16:06 mailout01 postfix/qmqpd[52744]: disconnect from localhost[127.0.0.1]
Jul 13 03:16:06 mailout01 postfix/qmgr[2450]: 4LjJ7V3lrbzB5qvJ: from=<shipment.info@one-line.com>, size=342508, nrcpt=1 (queue active)
Jul 13 03:16:06 mailout01 MailScanner[51365]: Uninfected: Delivered 1 messages
Jul 13 03:16:06 mailout01 MailScanner[51365]: Deleted 1 messages from processing-database
Jul 13 03:16:06 mailout01 MailScanner[51365]: MailWatch: Logging message 4LjJ7B56M3zB5qvH to SQL
Jul 13 03:16:06 mailout01 MailScanner[51368]: MailWatch: 4LjJ7B56M3zB5qvH: Logged to MailWatch SQL
Problem is, email was delivered, not blocked. How can i do to block files that ESET vired as infected?

Thank you
User avatar
shawniverson
Posts: 3590
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: eFa not block infected files detected by ESET

Post by shawniverson »

Well, that's not good. It is most definitely infected. Time to do a bug hunt.
mendark
Posts: 22
Joined: 03 Dec 2021 10:10

Re: eFa not block infected files detected by ESET

Post by mendark »

Ok, that sound good.
When you want, i can test this type of email to view if block email.

Thank you
User avatar
pdwalker
Posts: 1489
Joined: 18 Mar 2015 09:16

Re: eFa not block infected files detected by ESET

Post by pdwalker »

Similarly, from this thread
viewtopic.php?p=19107#p19107

clamav is passing on a file it thinks is a virus:
Aug 9 16:43:19 efa4 MailScanner[25395]: New Batch: Scanning 1 messages, 76484 bytes
Aug 9 16:43:19 efa4 MailScanner[25395]: Virus and Content Scanning: Starting
Aug 9 16:43:19 efa4 MailScanner[25395]: Clamd::INFECTED:: Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL :: ./4M266D0FjqzMy28c/ExcelMacroVirus.xls
Aug 9 16:43:19 efa4 MailScanner[25395]: Found spam based virus Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL in 4M266D0FjqzMy28c
Aug 9 16:43:19 efa4 MailScanner[25395]: Found spam based virus Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL in 4M266D0FjqzMy28c
Aug 9 16:43:21 efa4 MailScanner[25395]: Spam Checks: Starting
Aug 9 16:43:29 efa4 MailScanner[25395]: Message 4M266D0FjqzMy28c from 74.207.241.178 (root@example1.com) to example2.com is not spam, SpamAssassin (not cached, score=-9.91, required 4, autolearn=not spam, ASNPF_PASS -0.20, BAYES_00 -6.00, MS_FOUND_SPAMVIRUS 3.00, MXPF_PASS -0.50, OW_REF_EMAIL_D -4.70, OW_SENT_EMAIL_D -1.40, SPF_HELO_NONE 0.00, SPF_PASS -0.00, TXREP -0.10, T_SCC_BODY_TEXT_LINE -0.01)
Aug 9 16:43:29 efa4 MailScanner[25395]: Requeue: 4M266D0FjqzMy28c to 4M266D0FjqzMy28c
debugging.

Code: Select all

[root@efa4 bin]# decode Sanesecurity.Badmacro.XlsM.Urlmon1
==>
[badmacro.ndb] Sanesecurity.Badmacro.XlsM.Urlmon1:2:*:D0CF11E0*6E6C6F6164546F4669*75726C6D6F
<==
VIRUS NAME: Sanesecurity.Badmacro.XlsM.Urlmon1
TARGET TYPE: OLE2
OFFSET: *
DECODED SIGNATURE:

���{WILDCARD_ANY_STRING}nloadToFi{WILDCARD_ANY_STRING}urlmo
[root@efa4 bin]# cat decode
So the signature is in the badmacro.ndb database - let's see what this is

the /etc/clamav-unofficial-sigs/master.conf lists the following in the sanesecurity db configuration:

Code: Select all

badmacro.ndb|MEDIUM  # Blocks dangerous macros embedded in Word/Excel/Xml/RTF/JS documents
The /var/log/clamd.scan log file shows it being detected

Code: Select all

Tue Aug  9 16:40:24 2022 -> SelfCheck: Database status OK.
Tue Aug  9 16:43:19 2022 -> /var/spool/MailScanner/incoming/25395/4M266D0FjqzMy28c/nExcelMacroVirus.xls: Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL FOUND
Tue Aug  9 16:43:19 2022 -> /var/spool/MailScanner/incoming/25395/4M266D0FjqzMy28c.message: Sanesecurity.Badmacro.XlsM.Urlmon1.UNOFFICIAL FOUND
Tue Aug  9 16:51:03 2022 -> SelfCheck: Database status OK.
So... I have no idea why clamav is detecting it, but passing it through.
User avatar
pdwalker
Posts: 1489
Joined: 18 Mar 2015 09:16

Re: eFa not block infected files detected by ESET

Post by pdwalker »

I'm also testing with the EICAR test virus (https://www.eicar.org/download-anti-malware-testfile/) and that gets blocked properly.

[edit: ignore the following. MS_FOUND_SPAMVIRUS is one of my own custom rules.]
Comparing the two messages, I am seeing the following

the spamassassin MS_FOUND_SPAMVIRUS rule gets triggered for the excel macro virus, but does not for EICAR.

So it seems as if the macro virus in the sanesecurity is actually being treated as spam rather than as a virus, and that is why it is getting passed through.

This doesn't explain why the first message is letting the detected infected file through, although there may be similar reasons. What are the spamassassin headers on that particular message?
I'm out of further ideas on this.
Post Reply