I think this is a bug as well.

A PowerPoint document shows up as Microsoft Installer.  The reason for this
is that the magic data file has this magic string commented out because of
false positives with powerpoint:

# False positive with PPT
#0       string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF Microsoft Installer
...

But later in the file, it is alive and well:

0       string  \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF  Microsoft Installer

Immediately following it is:

0       string  \320\317\021\340\241\261\032\341        Microsoft Office Document

which, when converted to hex:

0       string  \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1        Microsoft Office Document

is exactly the same initial 8 bytes as the previous entry.

All three test files (empty word .doc, empty powerpoint.ppt, and the
virus-laden Proforma_Invoice.doc file) match the Microsoft Installer entry.
I presume the second entry should have been commented out as well.  I've
reported the findings to Christos Zoulas.

As an aside, only 5 of the scanners at virus.org noted detection.

Virus Found:

ArcaVir 1.0.4            Trojan.Dropper.Delf.Aem
ClamAV 0.90/3436         Trojan.Dropper-1047
F-PROT 4.6.7             W32/Dropper.ESR
F-Secure 1.02            Trojan-Dropper.Win32.Delf.aem [AVP]
Trend Micro 8.310-1002   TROJ_DROPPER.HKZ

No Virus Found:

avast! 3.0.0            
AVG Anti Virus 7.5.47   
BitDefender 7.1         
CAT QuickHeal 9.00      
Dr. Web 4.33.0          
H+BEDV AntiVir 2.1.10-47 
McAfee Virusscan 5.10.0  
NOD32 2.51.1             
Norman Virus Control 5.70.01  
Panda 9.00.00            
Sophos Sweep 4.17.0      
VBA32 3.12.0.2           
VirusBuster 1.3.3


MrC
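To show why every OLE2-based Office file hits the "Microsoft Installer" entry, here is a small added example (not code from the thread or from file(1)) that applies the two quoted magic patterns in file order and decodes the header bytes the longer pattern covers. The sample header is constructed for the test and is not a real document.

```python
import struct

# The two magic(5) patterns quoted in the thread, as raw bytes, in the
# order they appear in the magic file (first match wins, as in file(1)).
MSI_MAGIC = (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 16
             + b"\x3E\x00\x03\x00\xFE\xFF")           # "Microsoft Installer"
OFFICE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"    # "Microsoft Office Document"

MAGIC_TABLE = (
    (MSI_MAGIC, "Microsoft Installer"),
    (OFFICE_MAGIC, "Microsoft Office Document"),
)


def classify(data):
    """Mimic file(1): return the label of the first pattern that matches."""
    for magic, label in MAGIC_TABLE:
        if data.startswith(magic):
            return label
    return "data"


def cfb_header_fields(data):
    """Decode the OLE2/CFB header fields that the 30-byte MSI pattern spans.

    Offsets 0-7 signature, 8-23 header CLSID, 24-25 minor version,
    26-27 major version, 28-29 byte-order mark (all little-endian).
    """
    sig, clsid, minor, major, byte_order = struct.unpack_from("<8s16sHHH", data, 0)
    return {"signature": sig, "clsid": clsid, "minor_version": minor,
            "major_version": major, "byte_order": byte_order}


def fake_ole_header(minor=0x3E, major=3):
    """Constructed sample: a bare 512-byte CFB header with an all-zero CLSID.

    Ordinary .doc/.ppt/.xls files carry exactly these field values, so the
    MSI pattern matches them; nothing in it is specific to an installer.
    """
    hdr = struct.pack("<8s16sHHHH", OFFICE_MAGIC, b"\x00" * 16,
                      minor, major, 0xFFFE, 9)        # 9 = 512-byte sectors
    return hdr.ljust(512, b"\x00")


if __name__ == "__main__":
    print(classify(fake_ole_header()))               # Microsoft Installer
    print(cfb_header_fields(fake_ole_header()))
```

Because the extra 22 bytes are only the standard CFB header fields (zero CLSID, version 3.62, byte-order mark), the pattern cannot separate an .msi from a Word or PowerPoint file; a version 4 CFB header (major version 4) is the only common variant that falls through to the Office entry.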


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Noel Jones
> Sent: Friday, June 15, 2007 5:54 PM
> To: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
> 
> At 07:04 PM 6/15/2007, Mark Martinec wrote:
> 
> >Seems the -i works better for this particular file, although generally
> >it is the other way around in my experience.
> 
> On my system file(1) (file-4.21 from FreeBSD ports) 
> classifies *all* MS Word and Excel documents as "Microsoft 
> Installer", not just this one example.
> 
> If everyone gets this same result, I would call it a bug in file(1).
> 
> --
> Noel Jones 

