In 3 instances, there was an XLSX file within the winmail.dat. In the other 3 instances, AFAIK, there was only a PDF file within the winmail.dat.

-----Original Message-----
From: "Andy Schmidt" <[email protected]>
Sent: Monday, August 24, 2015 11:13am
To: [email protected]
Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

Well, the question is whether ClamAV reported "clean" because it only looked at the byte pattern of some arbitrary file (in this case called winmail.dat), while ESET AV might have "knowledge" of winmail.dat files being "containers", but it might not have any "decoder" for winmail.dat files. In this case it might know that there is some sort of attached file inside the winmail.dat, which potentially could be an executable, or a file that might contain macros, etc. - so it would (correctly) report it as "can't be scanned" to alert you that an embedded file is "sneaking by".

I don't know this to be a FACT, I'm just throwing out a scenario that would account for the difference in behavior. You'd have to check with each vendor of course for an explanation.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Tolmachoff
Sent: Monday, August 24, 2015 1:46 PM
To: [email protected]
Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

Thanks for the explanation Andy. But that still leaves the question as to why ESET AV reported "could not be scanned" while ClamAV reported a 0 meaning clean.

-----Original Message-----
From: "Andy Schmidt" <[email protected]>
Sent: Friday, August 21, 2015 11:51am
To: [email protected]
Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

Winmail.dat is attached by Outlook when you choose Microsoft's legacy "RICH TEXT" as the message format, instead of "HTML" (or "Plain Text".) It predates SMTP, when there was a pre-Windows 2000 "Microsoft Mail" system for LANs...

If I remember correctly, there is even a setting buried inside the Outlook "Contacts", where you can specify a "preferred" Email format for individual contacts. It's possible that (unknown to the user), some of his contacts have "rich text"... causing the same email to be formatted in different ways, yielding different results, for different recipients (but I'm vague on that one).

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Tolmachoff
Sent: Friday, August 21, 2015 2:43 PM
To: [email protected]
Subject: [MBF] winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

OK, here is one I do not understand. This has happened at least 6 times that I know of in the last 2 days.

An email was received and processed by Declude. It contained an attachment winmail.dat. BUT the sender had attached an XLSX file.

After talking to the intended recipient (who also talked to the sender) the sender has stated that when he attached the XLSX file to the email, the file appeared as an EXCEL ICON in the body of the email not where you would normally see it under the subject line. This is in Outlook. The version he is using is Outlook 2013. (15.0)

What caught the attachment was ESET AV had a result code of 10 which is "some files could not be scanned (may be threats)" which I then treat as infected.

#############################################################
This message is sent to you because you are subscribed to the mailing list <[email protected]>.
To unsubscribe, E-mail to: <[email protected]>
To switch to the DIGEST mode, E-mail to <[email protected]>
To switch to the INDEX mode, E-mail to <[email protected]>
Send administrative queries to <[email protected]>
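
Added example (not part of the thread, and not code from ClamAV, ESET or Declude): a minimal Python check of the "container" scenario raised in the thread. It recognises a winmail.dat as a TNEF stream by its signature rather than its file name and lists the embedded files from the attachment attributes; the sample bytes and the name report.xlsx are constructed for illustration.

```python
import struct

TNEF_SIGNATURE = 0x223E9F78        # first four bytes of a TNEF stream, little-endian
LVL_ATTACHMENT = 0x02              # attribute belongs to an attachment, not the message
ATT_ATTACH_RENDDATA = 0x00069002   # opens each attachment record
ATT_ATTACH_DATA = 0x0006800F       # the embedded file's bytes
ATT_ATTACH_TITLE = 0x00018010      # the embedded file's name

def is_tnef(blob):
    """True if the bytes start with the TNEF signature, whatever the file is called."""
    return len(blob) >= 6 and struct.unpack_from("<I", blob)[0] == TNEF_SIGNATURE

def list_attachments(blob):
    """Walk the attribute list and return [(name, size)] for each embedded file."""
    if not is_tnef(blob):
        raise ValueError("not a TNEF stream")
    found, pos = [], 6                                  # skip signature (4) + key (2)
    while pos + 9 <= len(blob):
        level, attr, length = struct.unpack_from("<BII", blob, pos)
        end = pos + 9 + length
        if end + 2 > len(blob):
            raise ValueError("truncated attribute")
        data = blob[pos + 9:end]
        if struct.unpack_from("<H", blob, end)[0] != sum(data) & 0xFFFF:
            raise ValueError("attribute checksum mismatch")
        if level == LVL_ATTACHMENT:
            if attr == ATT_ATTACH_RENDDATA:
                found.append([None, 0])
            elif found and attr == ATT_ATTACH_TITLE:
                found[-1][0] = data.rstrip(b"\x00").decode("latin-1")
            elif found and attr == ATT_ATTACH_DATA:
                found[-1][1] = length
        pos = end + 2
    return [(name or "(unnamed)", size) for name, size in found]

def _attr(level, attr, data):
    """Encode one attribute; used only to build the constructed sample."""
    return (struct.pack("<BII", level, attr, len(data)) + data
            + struct.pack("<H", sum(data) & 0xFFFF))

# Constructed sample: one attachment named report.xlsx with 32 placeholder bytes.
SAMPLE = (struct.pack("<IH", TNEF_SIGNATURE, 1)
          + _attr(LVL_ATTACHMENT, ATT_ATTACH_RENDDATA, bytes(14))
          + _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, b"PK\x03\x04" + bytes(28))
          + _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"report.xlsx\x00"))

if __name__ == "__main__":
    for name, size in list_attachments(SAMPLE):
        print(f"embedded file: {name} ({size} bytes)")
```

A mail gateway that runs a check like this can hand each embedded file to the scanner separately, or mark the message as not fully scanned when the container cannot be decoded.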
