Bug#959004: exim4-daemon-heavy: exiscan is missing EICAR signature in message body but finds it in attachment

Andreas Metzler ametzler at bebt.de
Tue May 12 15:36:51 BST 2020


On 2020-05-12 brunoc68 <bugs01 at abcreseau.com> wrote:
> On 11/05/2020 at 17:24, Andreas Metzler wrote:
[...]
> > Are you positive you are testing this correctly?

> > swaks -s mail.server -f sender at address -t rcpt at adress --body 'X5O!P...'

> > Replace X5O!P... with the full test string from https://en.wikipedia.org/wiki/EICAR_test_file

> Dear Andreas,

> With the command line you suggested it is detected as virus.

> As soon as I add text before and after the EICAR signature, it is not
> detected anymore as virus.

> So I tested again with Thunderbird as mail client: same.

> Basically with the Eicar signature alone in the body, it is detected as
> virus.
> As soon as I add text on top of the Eicar signature, it passes through.

> Is it normal behavior?

Hello Bruno,

Exim passes the mail message unchanged as it is on to the virus
scanner. If you sent the message with Thunderbird there might be some
encoding on top (base64 or QP) instead of the literal string.
It depends on the AV scanner and its configuration whether it will
undo these steps before checking. clamscan on the mailbox file might be
enlightening.

cu Andreas
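
The transfer-encoding effect described in the reply above, as an added example that is not part of the original mail: the same body is built with three Content-Transfer-Encodings and searched once as raw bytes and once after decoding each MIME part. The marker is a constructed stand-in (the real EICAR string is not reproduced), the addresses are placeholders, and the stand-in contains "=" so that quoted-printable has something to escape.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a scanner test signature (assumption, not the EICAR string).
MARKER = "STANDIN-TEST-SIGNATURE=NOT-A-REAL-VIRUS"


def build(cte: str) -> bytes:
    """Build a constructed message with text before and after the marker."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"   # placeholder address
    msg["To"] = "rcpt@example.org"       # placeholder address
    msg["Subject"] = "scanner test"
    msg.set_content(f"Hello,\n{MARKER}\nRegards\n", cte=cte)
    return msg.as_bytes()


def raw_hit(raw: bytes) -> bool:
    """Literal search over the message exactly as the MTA hands it over."""
    return MARKER.encode() in raw


def decoded_hit(raw: bytes) -> bool:
    """Literal search after undoing the transfer encoding of every leaf part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if MARKER.encode() in payload:
            return True
    return False


def survey() -> dict:
    """Map each encoding to (raw_hit, decoded_hit)."""
    return {cte: (raw_hit(build(cte)), decoded_hit(build(cte)))
            for cte in ("7bit", "base64", "quoted-printable")}


if __name__ == "__main__":
    for cte, (raw, dec) in survey().items():
        print(f"{cte:17} raw={raw!s:5} decoded={dec}")
```

A scanner that behaves like `raw_hit` misses the base64 and quoted-printable messages; one that behaves like `decoded_hit` finds the marker in all three.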


