
MailScanner v5
GNU General Public License v2.0

f-secure-12 default scan options conflict with "Allow Password-Protected Archives" #599

Closed ez-w closed 2 years ago

ez-w commented 2 years ago

Your f-secure-12 scan uses these options in the file /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm

CommonOptions => '--quiet --scan-archives=yes --detect-encrypted-archives=yes',

but fsanalyze -h indicates

--detect-encrypted-archives=VALUE Treat encrypted archives as malware. VALUE can be 'yes' or 'no'. (Policy default: no)

Example F-Secure logs after scanning an email with a password-protected file as attachment

{"client_address":"localhost:0","connection_id":1478587398420332,"response_status":200,"file_path":"/var/spool/MailScanner/incoming/10755/222K4Mpd028767/nzipassword.zip","request_id":0,"request_line":"REQMOD icap://localhost/reqmod?engine_scan_only=0&scan_archives=1&block_archive_max_nested=0&block_encrypted_archives=1&scan_riskware=1&security_cloud=0&stop_on_first=0&antispam=0&max_nested=5 ICAP/1.0","content_length":18482,"content_sha1":"fb3b09ad2a15aae17434c35803aa49a56d03c168","user_agent":"etc/fsanalyze","verdict":"suspicious","verdict_source":"fsav","detection_name":"Encrypted_archive","errors":{"encrypted":true},"times":{"orsp-nrs":0,"orsp-frs":0,"fsav":0.0363400870000000000837,"antispam":0},"date":"2022-03-02T20:04:24.541658Z","duration":0.0375703100000000025926}

MailScanner logs

Mar 2 21:04:24 mx3 MailScanner[10755]: ./222K4Mpd028767/zipassword.zip: result=infected infection=Encrypted_archive member-name=image.jpg
Mar 2 21:04:24 mx3 MailScanner[10755]: Infected message 222K4Mpd028767 came from xxx.xxx.xxx.xxx
Mar 2 21:04:24 mx3 MailScanner[10755]: Saved entire message to /var/spool/MailScanner/quarantine/20220302/222K4Mpd028767
Mar 2 21:04:24 mx3 MailScanner[10755]: Saved infected "zipassword.zip" to /var/spool/MailScanner/quarantine/20220302/222K4Mpd028767

Therefore emails containing a password-protected attachment are blocked in any case by f-secure-12, and the MailScanner option "Allow Password-Protected Archives", whether yes or no, has no effect.

After changing to --detect-encrypted-archives=no in SweepViruses.pm, the F-Secure scan result for the same email is

{"client_address":"localhost:0","connection_id":1478587398422515,"response_status":204,"file_path":"/var/spool/MailScanner/incoming/30051/222K8NuS030123/nmsg-30051-1.txt","request_id":0,"request_line":"REQMOD icap://localhost/reqmod?engine_scan_only=0&scan_archives=1&block_archive_max_nested=0&block_encrypted_archives=0&scan_riskware=1&security_cloud=0&stop_on_first=0&antispam=0&max_nested=5 ICAP/1.0","content_length":19,"content_sha1":"0ed16a9e8462128bb0b56585b55162407cb63cc1","user_agent":"etc/fsanalyze","verdict":"clean","verdict_source":"fsav","errors":{},"times":{"orsp-nrs":0,"orsp-frs":0,"fsav":0.00721976000000000041334,"antispam":0},"date":"2022-03-02T20:08:25.902550Z","duration":0.0135759999999999995263}

and we can use the MailScanner option "Allow Password-Protected Archives".
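The following is an added example, not code from the MailScanner project or from the issue author. It parses fsanalyze JSON log entries like the two quoted above, reads the block_encrypted_archives flag out of the ICAP request line, and separates the scanner's "Encrypted_archive" policy hit from a real malware verdict so that it can be reconciled with the "Allow Password-Protected Archives" setting. The outcome names ("blocked", "allowed", "infected", "clean") and the sweep_common_options() helper are assumptions for illustration; MailScanner's own handling of the verdict is not reproduced here. The sample log entries are constructed from the ones in the issue, trimmed to the fields the script reads.

```python
"""Added example (not MailScanner project code): reconcile fsanalyze verdicts
with MailScanner's "Allow Password-Protected Archives" setting."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample entries, modelled on the two fsanalyze log lines in the
# issue: the first is the scan with block_encrypted_archives=1, the second the
# scan after --detect-encrypted-archives=no (block_encrypted_archives=0).
SAMPLE_LOGS = [
    '{"response_status":200,'
    '"file_path":"/var/spool/MailScanner/incoming/10755/222K4Mpd028767/nzipassword.zip",'
    '"request_line":"REQMOD icap://localhost/reqmod?engine_scan_only=0&scan_archives=1'
    '&block_encrypted_archives=1&max_nested=5 ICAP/1.0",'
    '"verdict":"suspicious","verdict_source":"fsav",'
    '"detection_name":"Encrypted_archive","errors":{"encrypted":true}}',
    '{"response_status":204,'
    '"file_path":"/var/spool/MailScanner/incoming/30051/222K8NuS030123/nmsg-30051-1.txt",'
    '"request_line":"REQMOD icap://localhost/reqmod?engine_scan_only=0&scan_archives=1'
    '&block_encrypted_archives=0&max_nested=5 ICAP/1.0",'
    '"verdict":"clean","verdict_source":"fsav","errors":{}}',
]


def icap_params(request_line):
    """Return the query parameters of an fsanalyze ICAP request line as a dict.

    'REQMOD icap://host/reqmod?a=1&b=0 ICAP/1.0' -> {'a': '1', 'b': '0'}
    """
    _method, url, _version = request_line.split(" ", 2)
    query = urlsplit(url).query
    return {key: values[-1] for key, values in parse_qs(query).items()}


def is_encrypted_archive_hit(entry):
    """True when the verdict is the scanner's encrypted-archive policy block
    (detection_name 'Encrypted_archive' plus errors.encrypted), which is what
    block_encrypted_archives=1 produces, rather than a malware detection."""
    return (entry.get("detection_name") == "Encrypted_archive"
            and bool(entry.get("errors", {}).get("encrypted")))


def classify(entry, allow_password_protected):
    """Map one fsanalyze entry to an outcome (names are this example's own).

    A policy hit on an encrypted archive follows the MailScanner setting;
    anything else that is not clean is treated as a real infection.
    """
    if entry.get("verdict") == "clean":
        return "clean"
    if is_encrypted_archive_hit(entry):
        return "allowed" if allow_password_protected else "blocked"
    return "infected"


def sweep_common_options(allow_password_protected):
    """Build a CommonOptions string whose --detect-encrypted-archives value
    follows the MailScanner setting instead of being fixed to 'yes'.
    This is an assumed approach for illustration, not the project's fix."""
    detect = "no" if allow_password_protected else "yes"
    return f"--quiet --scan-archives=yes --detect-encrypted-archives={detect}"


def summarize(log_lines, allow_password_protected):
    """Parse each JSON log line and report file, scanner flag and outcome."""
    results = []
    for line in log_lines:
        entry = json.loads(line)
        params = icap_params(entry["request_line"])
        results.append({
            "file": entry["file_path"].rsplit("/", 1)[-1],
            "block_encrypted_archives": params.get("block_encrypted_archives"),
            "outcome": classify(entry, allow_password_protected),
        })
    return results


if __name__ == "__main__":
    for allow in (False, True):
        print(f'Allow Password-Protected Archives = {"yes" if allow else "no"}')
        print("  CommonOptions:", sweep_common_options(allow))
        for result in summarize(SAMPLE_LOGS, allow):
            print("  ", result)
```

With the setting at "no" the first entry stays "blocked" and with "yes" it becomes "allowed", while the second entry is "clean" either way; the block_encrypted_archives value pulled from the request line shows which scanner policy produced each verdict.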

github-actions[bot] commented 2 years ago

Thank you for submitting your first issue to MailScanner! We will respond to you soon!