Antivirus Delete Attachment Message Body strange Characters

Post by Buc » 2020-01-11 18:18

Hello everyone!

This is my first post here, so please be patient. ;-)

I just installed Security Essentials for Virus scanning and it seems to work pretty well. (very low mailflow on the server)
Eicar is detected and the Mail gets deleted when "Delete E-Mail" is checked.
But when I check "Delete Attachment" the Attachment gets deleted and the Message Body contains strange characters instead of the message text.

Code:

Virus found:
The attachment(s) of this message was removed since a virus was detected in at least one of them.

dGVzdGZpbGUNCg0KIA0KTWl0IGZyZXVuZGxpY2hlbiBHcsO8w59lbiANCk9sYWYgTMO8Y2tmZWxk
DQogDQpBQ0hUVU5HIQ0KDQpCw7xybyB1bmQgV2Vya3N0YXR0IGJlZmluZGVuIHNpY2ggdm9yw7xi
ZXJnZWhlbmQgaW4gRGlldHplbmJhY2ghDQoNCml0LXNlcnZpY2UgT0xBRiBMw5xDS0ZFTEQNCklt
IFRyaWVyaXNjaGVuIEhvZiAyDQpELTYwMzExIEZyYW5rZnVydA0KIA0KVGVsLjogMDY5LTIxOTk0
ODQ4DQpGQVg6IDA2OS00NjkzOTkyNA0KV2ViOiBodHRwOi8vd3d3LmNvbXB1dGVyc2VydmljZS1m
Zm0uZGUNCk1haWw6IGtvbnRha3RAY29tcHV0ZXJzZXJ2aWNlLWZmbS5kZQ0KDQo=

I have no idea on that... Any hint where to look at?

Thx!
Buc

Post by Dravion » 2020-01-11 18:46

Yeah, this is because the complete Text of a hMailServer Email is stored with a single *.eml file inside the DATA Folder.
It also includes the Attachment as a MIME Base64 encoded series of cryptic chars. If something is deleted out of it externally,
it can cripple the whole Email itself.

Post by Buc » 2020-01-11 19:02

I see... But this makes the whole Feature "Delete Attachment" useless?
What does it depend on? The Scan Engine? The type of attachment?
I didn't find anyone else complaining about this, so expect it to work fine usually?

Buc

Post by mattg » 2020-01-12 00:14

If the email had a virus in it, who knows how else it was broken
Perhaps the message body already had the strange text...

(That particular text could be part of an image file)

I think the AntiVirus details what is to be removed
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by Buc » 2020-01-12 01:59

Just the Eicar Test File as eicar.zip
The "broken" part should be some text I wrote and my signature. ;-)

What do you mean by "I think the AntiVirus details what is to be removed"?

Anyway, I changed it to delete the messages and notify recipient. Neither me nor any customer ever received a legitimate mail with a virus attached.
Hope that MSE doesn't produce too many false positives. Just a second wall behind the Provider-Server using Clam-AV. If they use enhanced signatures I may as well turn it off again.

Buc

Post by SorenR » 2020-01-12 05:01

Did they fix the bug in Security Essentials that if it failed to run it would return the code for virus?

I guess this is Microsoft saying "better safe than sorry" :twisted:

https://www.hmailserver.com/forum/viewtopic.php?t=27968
Return code is
0 if no malware is found or malware is successfully remediated and no
additional user action is required
2 if malware is found and not remediated or additional user action is
required to complete remediation or there is error in scanning.
Please check History for more information.
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

Post by Buc » 2020-01-12 14:46

Thank you for the hint!
That might be dangerous. Does hMailServer send ALL mails to the scanner or just the ones with attachments?
Any idea what kind of action or file could produce this "error". Difficult to estimate the impact if one does not know...

Buc

Post by palinka » 2020-01-12 15:18

Buc wrote:
2020-01-12 01:59
Hope that MSE doesn't produce too many false positives. Just a second wall behind the Provider-Server using Clam-AV. If they use enhanced signatures I may as well turn it off again.

Buc
You may be on to something there.

Or you could set up clamav on your system. https://www.hmailserver.com/forum/viewt ... 21&t=26829

Windows defender is as buggy as any other ms software. Plus, there's no way it can keep up with clamav / Sane Security (hourly) definition updates. Defender updates daily with fewer definitions than Sane.

Basically, it's insane not to use Sane. :mrgreen:

Post by Buc » 2020-01-12 15:53

Looks like the path to follow. ;-)

What I am missing right now is the possibility to quarantine infected attachments in HMS instead of just deleting them. In case of false positives it's not nice having them sent to nirvana. Also there is no way for further investigation if the file vanished...
What's the reason behind that? Was it ever discussed?
I tried MSE without "disableremediation". Eicar gets caught and quarantined but as there is return code 0 emitted (???) notification of recipients is impossible...

Is quarantine possible using ClamAV?

Buc

Post by jimimaseye » 2020-01-12 19:15

Sure. Set this:

Code:

ANTIVIRUS

GENERAL: When found - Delete Attachments
to report or notify (do not delete) then use rules move to quarantine where applicable.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by mattg » 2020-01-13 01:32

Buc wrote:
2020-01-12 15:53
Is quarantine possible using ClamAV?
Yes, if you call ClamAV from Spamassassin and score viruses rather than let hMailserver review them with Antivirus connections

hMailserver (correctly) thinks that if the antivirus says that the message is a virus - you don't want it.

Post by Buc » 2020-01-14 02:15

jimimaseye wrote:
2020-01-12 19:15
Sure. Set this:

Code:

ANTIVIRUS

GENERAL: When found - Delete Attachments
to report or notify (do not delete) then use rules move to quarantine where applicable.

[Entered by mobile. Excuse my spelling.]

Can I set this rule on HMS or do you mean to handle this on the client?

*confused*
Buc

Post by jimimaseye » 2020-01-14 09:54

See https://www.hmailserver.com/forum/viewt ... 21&t=29038 and use the rule example posted as a guide (you'll figure it out).

[Entered by mobile. Excuse my spelling.]

Post by SjoerdNLD » 2020-04-01 22:18

Buc wrote:
2020-01-11 18:18
the Message Body contains strange characters instead of the message text.

Code:

Virus found:
The attachment(s) of this message was removed since a virus was detected in at least one of them.

Hi Buc,

Did you find a solution for the above "strange characters"? Actually it is base64 encoded, check it here: https://www.base64decode.org/
Yours says:
testfile Mit freundlichen Grüßen Olaf etc etc
Regards, Sjoerd
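
Added example, not part of any post in this thread and not hMailServer code: a Python illustration of one way the symptom discussed above can arise, where a message is rewritten without its attachment but the text part's base64 payload is copied over without its Content-Transfer-Encoding header, shown beside a rewrite that decodes first. The sample message, the abbreviated notice, all function names, and the assumption that this is the failure mode are constructed for illustration.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Abbreviated from the notice quoted in the thread; the body text is constructed.
NOTICE = "Virus found:\nThe attachment(s) of this message was removed.\n\n"
BODY = "testfile\n\nMit freundlichen Grüßen\n"

def build_sample() -> bytes:
    """Constructed mail: base64-encoded UTF-8 text plus a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["Subject"] = "testfile"
    msg.set_content(BODY, cte="base64")
    msg.add_attachment(b"placeholder, not malware", maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()

def text_part(raw: bytes):
    return message_from_bytes(raw, policy=policy.default).get_body(("plain",))

def rendered(raw: bytes) -> str:
    """The text a mail client would display."""
    return text_part(raw).get_content()

def strip_losing_encoding(raw: bytes) -> bytes:
    """Weak: copy the still-encoded payload and drop its Content-Transfer-Encoding."""
    out = EmailMessage()
    out.set_content(NOTICE + text_part(raw).get_payload(), cte="7bit")
    return out.as_bytes()

def strip_decoding_first(raw: bytes) -> bytes:
    """Corrected: undo transfer encoding and charset, then build the new body."""
    out = EmailMessage()
    out.set_content(NOTICE + text_part(raw).get_content())
    return out.as_bytes()

def leftover_base64(text: str):
    """Heuristic check: return the recovered text if the part after the notice
    is valid base64 that decodes to UTF-8, else None."""
    tail = "".join(text.partition("\n\n")[2].split())
    if not tail:
        return None
    try:
        return base64.b64decode(tail, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

if __name__ == "__main__":
    raw = build_sample()
    print(rendered(strip_losing_encoding(raw)))  # notice followed by base64
    print(rendered(strip_decoding_first(raw)))   # notice followed by readable text
```

Running `leftover_base64` over stored message bodies is a quick way to find mail that was already rewritten this way and to recover the original text.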
