Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-11 18:18
by Buc
Hello everyone!

This is my first post here, so please be patient. ;-)

I just installed Security Essentials for Virus scanning and it seems to work pretty well. (very low mailflow on the server)
Eicar is detected and the Mail gets deleted when "Delete E-Mail" is checked.
But when I check "Delete Attachment" the Attachment gets deleted and the Message Body contains strange characters instead of the message text.

Virus found:
The attachment(s) of this message was removed since a virus was detected in at least one of them.

dGVzdGZpbGUNCg0KIA0KTWl0IGZyZXVuZGxpY2hlbiBHcsO8w59lbiANCk9sYWYgTMO8Y2tmZWxk
DQogDQpBQ0hUVU5HIQ0KDQpCw7xybyB1bmQgV2Vya3N0YXR0IGJlZmluZGVuIHNpY2ggdm9yw7xi
ZXJnZWhlbmQgaW4gRGlldHplbmJhY2ghDQoNCml0LXNlcnZpY2UgT0xBRiBMw5xDS0ZFTEQNCklt
IFRyaWVyaXNjaGVuIEhvZiAyDQpELTYwMzExIEZyYW5rZnVydA0KIA0KVGVsLjogMDY5LTIxOTk0
ODQ4DQpGQVg6IDA2OS00NjkzOTkyNA0KV2ViOiBodHRwOi8vd3d3LmNvbXB1dGVyc2VydmljZS1m
Zm0uZGUNCk1haWw6IGtvbnRha3RAY29tcHV0ZXJzZXJ2aWNlLWZmbS5kZQ0KDQo=
I have no idea on that... Any hint where to look at?

Thx!
Buc

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-11 18:46
by Dravion
Buc wrote:
2020-01-11 18:18
Hello everyone!

This is my first post here, so please be patient. ;-)

I just installed Security Essentials for Virus scanning and it seems to work pretty well. (very low mailflow on the server)
Eicar is detected and the Mail gets deleted when "Delete E-Mail" is checked.
But when I check "Delete Attachment" the Attachment gets deleted and the Message Body contains strange characters instead of the message text.

Virus found:
The attachment(s) of this message was removed since a virus was detected in at least one of them.

dGVzdGZpbGUNCg0KIA0KTWl0IGZyZXVuZGxpY2hlbiBHcsO8w59lbiANCk9sYWYgTMO8Y2tmZWxk
DQogDQpBQ0hUVU5HIQ0KDQpCw7xybyB1bmQgV2Vya3N0YXR0IGJlZmluZGVuIHNpY2ggdm9yw7xi
ZXJnZWhlbmQgaW4gRGlldHplbmJhY2ghDQoNCml0LXNlcnZpY2UgT0xBRiBMw5xDS0ZFTEQNCklt
IFRyaWVyaXNjaGVuIEhvZiAyDQpELTYwMzExIEZyYW5rZnVydA0KIA0KVGVsLjogMDY5LTIxOTk0
ODQ4DQpGQVg6IDA2OS00NjkzOTkyNA0KV2ViOiBodHRwOi8vd3d3LmNvbXB1dGVyc2VydmljZS1m
Zm0uZGUNCk1haWw6IGtvbnRha3RAY29tcHV0ZXJzZXJ2aWNlLWZmbS5kZQ0KDQo=
I have no idea on that... Any hint where to look at?

Thx!
Buc
Yeah, this is because the complete Text of a hMailServer Email is stored with a single *.eml file inside the DATA Folder.
It also includes the Attachment as a MIME Base64 encoded series of cryptic chars. If something is deleted out of it externally,
it can cripple the whole Email itself.

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-11 19:02
by Buc
I see... But this makes the whole Feature "Delete Attachment" useless?
What does it depend on? The Scan Engine? The type of attachment?
I didn't find anyone else complaining about this, so expect it to work fine usually?

Buc

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-12 00:14
by mattg
If the email had a virus in it, who knows how else it was broken
Perhaps the message body already had the strange text...

(That particular text could be part of an image file)

I think the AntiVirus details what is to be removed

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-12 01:59
by Buc
Just the Eicar Test File as eicar.zip
The "broken" part should be some text I wrote and my signature. ;-)

What do you mean by
I think the AntiVirus details what is to be removed
?

Anyway, I changed it to delete the messages and notify the recipient. Neither I nor any customer ever received a legitimate mail with a virus attached.
Hope that MSE doesn't produce too many false positives. Just a second wall behind the Provider-Server using Clam-AV. If they use enhanced signatures I may as well turn it off again.

Buc

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-12 05:01
by SorenR
Did they fix the bug in Security Essentials that if it failed to run it would return the code for virus?

I guess this is Microsoft saying "better safe than sorry" :twisted:

https://www.hmailserver.com/forum/viewtopic.php?t=27968
Return code is
0 if no malware is found or malware is successfully remediated and no
additional user action is required
2 if malware is found and not remediated or additional user action is
required to complete remediation or there is error in scanning.
Please check History for more information.

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-12 14:46
by Buc
Thank you for the hint!
That might be dangerous. Does hMailServer send ALL mails to the scanner or just the ones with attachments?
Any idea what kind of action or file could produce this "error". Difficult to estimate the impact if one does not know...

Buc

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-12 15:18
by palinka
Buc wrote:
2020-01-12 01:59
Hope that MSE doesn't produce too many false positives. Just a second wall behind the Provider-Server using Clam-AV. If they use enhanced signatures I may as well turn it off again.

Buc
You may be on to something there.

Or you could set up clamav on your system. https://www.hmailserver.com/forum/viewt ... 21&t=26829

Windows defender is as buggy as any other ms software. Plus, there's no way it can keep up with clamav / Sane Security (hourly) definition updates. Defender updates daily with fewer definitions than Sane.

Basically, it's insane not to use Sane. :mrgreen:

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-12 15:53
by Buc
Looks like the path to follow. ;-)

What I am missing right now is the possibility to quarantine infected attachments in HMS instead of just deleting them. In case of false positives it's not nice having them sent to nirvana. Also there is no way for further investigation if the file vanished...
What's the reason behind that? Was it ever discussed?
I tried MSE without "disableremediation". Eicar gets caught and quarantined but as there is return code 0 emitted (???) notification of recipients is impossible...

Is quarantine possible using ClamAV?

Buc

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-12 19:15
by jimimaseye
Sure. Set this:

ANTIVIRUS

GENERAL: When found - Delete Attachments
to report or notify (do not delete) then use rules move to quarantine where applicable.

[Entered by mobile. Excuse my spelling.]

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-13 01:32
by mattg
Buc wrote:
2020-01-12 15:53
Is quarantine possible using ClamAV?
Yes, if you call ClamAV from Spamassassin and score viruses rather than let hMailserver review them with Antivirus connections

hMailserver (correctly) thinks that if the antivirus says that the message is a virus - you don't want it.

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-14 02:15
by Buc
jimimaseye wrote:
2020-01-12 19:15
Sure. Set this:

ANTIVIRUS

GENERAL: When found - Delete Attachments
to report or notify (do not delete) then use rules move to quarantine where applicable.

[Entered by mobile. Excuse my spelling.]

Can I set this rule on HMS or do you mean to handle this on the client?

*confused*
Buc

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-01-14 09:54
by jimimaseye
See https://www.hmailserver.com/forum/viewt ... 21&t=29038 and use the rule example posted as a guide (you'll figure it out).

[Entered by mobile. Excuse my spelling.]

Re: Antivirus Delete Attachment Message Body strange Characters

Posted: 2020-04-01 22:18
by SjoerdNLD
Buc wrote:
2020-01-11 18:18
the Message Body contains strange characters instead of the message text.

Virus found:
The attachment(s) of this message was removed since a virus was detected in at least one of them.

dGVzdGZpbGUNCg0KIA0KTWl0IGZyZXVuZGxpY2hlbiBHcsO8w59lbiANCk9sYWYgTMO8Y2tmZWxk
DQogDQpBQ0hUVU5HIQ0KDQpCw7xybyB1bmQgV2Vya3N0YXR0IGJlZmluZGVuIHNpY2ggdm9yw7xi
ZXJnZWhlbmQgaW4gRGlldHplbmJhY2ghDQoNCml0LXNlcnZpY2UgT0xBRiBMw5xDS0ZFTEQNCklt
IFRyaWVyaXNjaGVuIEhvZiAyDQpELTYwMzExIEZyYW5rZnVydA0KIA0KVGVsLjogMDY5LTIxOTk0
ODQ4DQpGQVg6IDA2OS00NjkzOTkyNA0KV2ViOiBodHRwOi8vd3d3LmNvbXB1dGVyc2VydmljZS1m
Zm0uZGUNCk1haWw6IGtvbnRha3RAY29tcHV0ZXJzZXJ2aWNlLWZmbS5kZQ0KDQo=
Hi Buc,

Did you find a solution for the above "strange characters"? Actually it is base64 encoded; check it here https://www.base64decode.org/
Yours says:
testfile Mit freundlichen Grüßen Olaf etc etc
Regards, Sjoerd
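Added example, not hMailServer's code or anything posted in this thread: it illustrates the two explanations above (Dravion's, that the body text lives in the same MIME file as the base64-encoded attachment, and Sjoerd's, that the "strange characters" are the base64-encoded body). It uses Python's standard `email` library on a constructed message with a non-ASCII body, so the body itself is base64 in the .eml. `naive_strip` reproduces the symptom from the first post by copying the still-encoded payload into the new body; `safe_strip` decodes the part first. `recover_original_text` does what Sjoerd did by hand, assuming the blob is a UTF-8 text part. All names here are the example's own.

```python
"""Why "delete attachment" can leave a base64 blob where the body was,
and how to strip a MIME part without breaking the text (added example)."""
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Notice text as quoted in the thread's first post.
VIRUS_NOTICE = (
    "Virus found:\n"
    "The attachment(s) of this message was removed since a virus was "
    "detected in at least one of them.\n"
)


def build_sample() -> bytes:
    """Constructed test message: a body with umlauts (so the text part is
    stored base64-encoded, as in the thread) plus a placeholder attachment.
    The attachment bytes are inert filler, not a real test file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "testfile"
    msg.set_content("testfile\n\nMit freundlichen Grüßen\n<signature placeholder>\n",
                    cte="base64")
    msg.add_attachment(b"PLACEHOLDER-ATTACHMENT-BYTES",
                       maintype="application", subtype="octet-stream",
                       filename="sample.zip")
    return msg.as_bytes()


def _copy_headers(src: EmailMessage, dst: EmailMessage) -> None:
    for name in ("From", "To", "Subject"):
        if src[name] is not None:
            dst[name] = src[name]


def naive_strip(raw: bytes) -> EmailMessage:
    """Reproduces the symptom: the text part's *encoded* payload is pasted
    into a fresh 7bit body. The notice reads fine, the original text is now
    a run of base64 characters to the recipient."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    encoded = body_part.get_payload()  # decode=False: still base64 text
    new = EmailMessage()
    _copy_headers(msg, new)
    new.set_content(VIRUS_NOTICE + "\n" + encoded)
    return new


def safe_strip(raw: bytes) -> EmailMessage:
    """Decode the body according to its Content-Transfer-Encoding and
    charset before rebuilding it, so notice and original text both stay
    readable; the attachment part is simply not carried over."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content()  # decoded, charset applied
    new = EmailMessage()
    _copy_headers(msg, new)
    new.set_content(VIRUS_NOTICE + "\n" + text)
    return new


def visible_body(msg: EmailMessage) -> str:
    """What a mail client shows as the plain-text body."""
    return msg.get_body(preferencelist=("plain",)).get_content()


def recover_original_text(mangled_body: str) -> str:
    """Manual recovery, as in the last reply: take the base64 run that
    follows the notice and decode it (UTF-8 assumed)."""
    blob = mangled_body.partition(VIRUS_NOTICE)[2].strip()
    return base64.b64decode(blob).decode("utf-8")


if __name__ == "__main__":
    raw = build_sample()
    print("--- naive strip (what the thread saw) ---")
    print(visible_body(naive_strip(raw)))
    print("--- safe strip ---")
    print(visible_body(safe_strip(raw)))
```

The defender's takeaway is the one Dravion points at: anything that rewrites a stored .eml has to work at the MIME level (decode per part, drop the part, re-encode), not on the raw file, or a perfectly clean body ends up unreadable and the recipient cannot tell a mangled notice from a damaged message.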