Virus detection server message not shown

jimimaseye
Moderator
Posts: 8309
Joined: 2011-09-08 17:48


Post by jimimaseye » 2015-11-18 01:22

Calling the code readers:

Recently we have bolstered our AV/antispam security with the use of additional 3rd party signatures (for ClamAV) from Sanesecurity. On their site they offer 3x TEST methods to check your AV solution is working with their signatures. (Apologies but the 'advertising' is unavoidable, I need to show you this page for the purpose of this issue: http://sanesecurity.com/support/signature-testing/). You can see from the tests that 2x are based on BODY text (#1 and #3) and #2 is based on SUBJECT text.

Now, testing the 2x BODY text tests:
I send an email, with the relevant body text, and my AV captures it with the server message relating to the removal of a Virus attachment whilst keeping the original body text (note that there isn't actually an attachment to be removed but I understand that this string represents one placed in the body stream):

Screenshots (not reproduced here): Send.PNG (the message as sent) and received.PNG (the message as received).
HOWEVER.......

when I do the same kind of test for 'test 2' which is about SUBJECT content (designed to test that the server fully sends the RAW message details to be scanned including headers), the message does get detected as a (test) virus but this is only clear by looking in the APPLICATION log file, and unlike the other test this email is received and is NOT marked in any way as possessing a virus (despite being detected as such):

Screenshot (not reproduced here): Capture.PNG (the message as sent).
LOG showing detection of the correct (test) virus:
"APPLICATION" 4608 "2015-11-17 23:05:41.067" "SMTPDeliverer - Message 272392: Message attachments stripped (contained virus Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL)."
Screenshot (not reproduced here): received.PNG (the message as received).
Why is the BODY test marked as virus but the 'SUBJECT' test is NOT marked as virus despite being detected as such?


As a further test, I sent the same 'subject' test email in but this time added an innocuous attachment (a .TXT file with nothing to mention in it). When this was received, it was still correctly identified (in Logs) but this time it DID add the 'virus removed' message (as well as stripping the .TXT file):
Screenshot (not reproduced here): Capture2.PNG.
Summary:
BODY signatures get stripped and replaced with the VIRUS_ATTACHMENT_REMOVED server message. But header signatures do not get marked with a server message despite still being detected (either VIRUS FOUND or VIRUS_NOTIFICATION would also be more appropriate).

I'm asking if anyone could make sense of this (probably by being able to read the source) and to offer an opinion on whether the lack of consistency is justified.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

katip
Senior user
Posts: 732
Joined: 2006-12-22 07:58
Location: Istanbul


Post by katip » 2015-11-18 06:04

PMFJI mate,

I have no idea about this inconsistency but I didn't know that headers should be scanned by AV for malware!!!
Quote from sanesecurity:
NOTE: TEST 2 is an important one to pass, as a lot of the newer signatures use the message headers of an email. If you fail this test, it's usually due to your email system not passing the complete RAW/Whole message to be scanned by ClamAV.
Having full respect for sanesecurity's competency, I really don't understand how a header can harm the end user? Yes, theoretically links to malware can be embedded in the subject or extended headers, but who cares? What's the percentage of end users who wonder what full headers look like and even know how to read them? (One exception could be those List-Unsubscribe headers, but this becomes history very soon. See MS's new policy: https://mail.live.com/mail/junkemail.aspx)
In order to receive unsubscribe feedback, senders must include an RFC2369-compliant List-Unsubscribe header containing a mailto: address. Please note that we only enable this feedback via email, so URIs for other protocols such as http will be ignored.
BTW I did this subject test too and neither ClamAV w/ss on the server (called from within ASSP) nor Avast on the PC claimed!!
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

jimimaseye
Moderator
Posts: 8309
Joined: 2011-09-08 17:48


Post by jimimaseye » 2015-11-18 10:07

Just to be clear Katip, Clam FOUND the virus correctly. The problem was that HMS then didn't respond accordingly despite being informed that it had, like it did with a body detection (therefore the end user would never know).

I think the importance of scanning headers is there because his signatures look for known patterns acting as antispam (as well as antivirus) and those patterns are often common in the subject or other headers (where the body or attachment may be randomly generated). But what do I know?! :roll:
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20


Post by sanesecurity » 2015-11-18 11:13

Just to explain why the tests need to check for "headers" and "body".

The signatures need to see the full raw message, headers and body, in order to get the best detection.

For example, if a Subject was "Invaice from bank" (ie. spelt incorrectly) and had a pdf attachment,
you could create a signature to pickup the text "Invaice from bank" from the Subject: line and
use it to block it.

So, while the headers aren't harmful, the full raw email must be passed from hmail to the ClamAV engine, which
from the logs you posted, it looks like it does.

Cheers,

Steve
Sanesecurity.com
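An added example illustrating Steve's point, not code from the thread, from hMailServer or from Sanesecurity: it builds a constructed message whose only distinguishing feature is the misspelled Subject line, scans it once with only the decoded parts (headers parsed away) and once as the untouched raw message, and frames the raw message as a clamd INSTREAM request. The "signature" here is a hypothetical byte pattern matched by a toy scanner standing in for ClamAV; the INSTREAM framing (command, 4-byte big-endian length-prefixed chunks, zero-length terminator, NUL-terminated reply for z-prefixed commands) is clamd's real protocol, but the host and port are assumed defaults.

```python
import email
import socket
import struct
from email.message import EmailMessage
from email.policy import SMTP


# Constructed sample message (not taken from the thread): the only thing that
# marks it is the misspelled Subject line from Steve's example; the body and
# the attachment are innocuous.
def build_sample_message() -> bytes:
    msg = EmailMessage(policy=SMTP)
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invaice from bank"
    msg.set_content("Please find your statement attached.\n")
    msg.add_attachment(b"%PDF-1.4\n%placeholder\n",
                       maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


# Hypothetical stand-in for a ClamAV header signature: a plain byte pattern
# matched by the toy scanner below. Real Sanesecurity signatures ship in
# ClamAV's own signature formats and are matched by ClamAV itself.
HEADER_SIGNATURES = {
    "Example.Phish.InvaiceSubject.UNOFFICIAL": b"Subject: Invaice from bank",
}


def toy_scan(data: bytes, sigs=HEADER_SIGNATURES):
    """Return the name of the first signature found in data, else None."""
    for name, pattern in sigs.items():
        if pattern in data:
            return name
    return None


def decoded_parts_only(raw: bytes) -> bytes:
    """What a mail system hands the scanner when it scans only decoded parts.

    Headers are parsed away; only the decoded payload of each leaf part is
    kept, so a Subject-based signature can never match this input.
    """
    msg = email.message_from_bytes(raw, policy=SMTP)
    return b"".join(part.get_payload(decode=True) or b""
                    for part in msg.walk() if not part.is_multipart())


def compare_scan_inputs(raw: bytes) -> dict:
    """Scan the same message both ways and report what each input yields."""
    return {
        "decoded_parts_only": toy_scan(decoded_parts_only(raw)),
        "raw_message": toy_scan(raw),
    }


def clamd_instream_request(raw: bytes, chunk_size: int = 8192) -> bytes:
    """Frame raw bytes as a clamd INSTREAM request.

    INSTREAM takes the data as chunks, each prefixed with its length as a
    4-byte big-endian integer, terminated by a zero-length chunk. Passing the
    untouched RFC 5322 message this way is what Sanesecurity's TEST 2 checks:
    headers and body reach the engine together.
    """
    frames = [b"zINSTREAM\0"]
    for offset in range(0, len(raw), chunk_size):
        piece = raw[offset:offset + chunk_size]
        frames.append(struct.pack(">I", len(piece)) + piece)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def scan_with_clamd(raw: bytes, host: str = "127.0.0.1", port: int = 3310) -> str:
    """Send the whole raw message to a running clamd and return its reply.

    Not exercised offline; needs clamd listening on host:port (assumed
    defaults). The reply is 'stream: OK' or 'stream: <Name> FOUND'.
    """
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(clamd_instream_request(raw))
        reply = b""
        while not reply.endswith(b"\0"):
            data = sock.recv(4096)
            if not data:
                break
            reply += data
    return reply.rstrip(b"\0").decode("ascii", "replace")


if __name__ == "__main__":
    sample = build_sample_message()
    print(compare_scan_inputs(sample))
```

Running the block prints a result with `decoded_parts_only` as `None` and `raw_message` as the hypothetical signature name: the same message is missed or caught purely depending on whether the headers were part of the bytes handed to the scanner, which is exactly what the Subject-based TEST 2 is there to prove about the mail server's integration.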
