Bug#959004: exim4-daemon-heavy: exiscan is missing EICAR signature in message body but finds it in attachment

brunoc68 bugs01 at abcreseau.com
Tue May 12 16:03:18 BST 2020


On 12/05/2020 at 16:36, Andreas Metzler wrote:
> On 2020-05-12 brunoc68 <bugs01 at abcreseau.com> wrote:
>> On 11/05/2020 at 17:24, Andreas Metzler wrote:
> [...]
>>> Are you positive you are testing this correctly?
>>> swaks -s mail.server -f sender at address -t rcpt at adress --body 'X5O!P...'
>>> Replace X5O!P... with the full test string from https://en.wikipedia.org/wiki/EICAR_test_file
>> Dear Andreas,
>> With the command line you suggested it is detected as virus.
>> As soon as I add text before and after the EICAR signature, it is not
>> detected anymore as virus.
>> So I tested again with Thunderbird as mail client: same.
>> Basically with the Eicar signature alone in the body, it is detected as
>> virus.
>> As soon as I add text on top of the Eicar signature, it passes through.
>> Is it normal behavior?
> Hello Bruno,
>
> Exim passes the mail message unchanged as it is on to the virus
> scanner. If you sent the message with Thunderbird there might be some
> encoding on top (base64 or QP) instead of the literal string.
> It depends on the AV scanner and its configuration whether it will
> undo these steps before checking. clamscan on the mailbox file might be
> enlightening.
>
> cu Andreas
Hello Andreas,

I got the same behavior with Thunderbird as with swaks: even in the
command line, as soon as I had characters before and after the Eicar
signature, the mail passes through the antivirus. I guess this should
not be, at least it was not the case in the past.

cu Bruno
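Andreas's point about transfer encodings, as an added example that is not part of the bug report or of Exim: a Python script that builds the same text/plain mail with text before and after a signature under three Content-Transfer-Encodings, then scans the wire bytes once as-is and once after decoding each MIME part. The signature is a constructed placeholder (not the EICAR string) and the addresses are placeholders.

```python
"""Why a literal body signature can be missed once a mail client applies a
Content-Transfer-Encoding, and why decoding MIME parts before scanning
recovers it. Added example; not code from the bug report or from Exim."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import SMTP

# Constructed placeholder standing in for the test signature discussed in
# the thread; the real EICAR string is deliberately not reproduced here.
SIGNATURE = b"PLACEHOLDER-TEST-SIGNATURE-0123456789ABCDEF"


def build_message(cte: str) -> bytes:
    """Build a text/plain mail whose body line carries text before and after
    SIGNATURE, encoded with the given CTE (7bit, quoted-printable, base64)."""
    body = ("Hello, this is some text before the signature: "
            + SIGNATURE.decode("ascii") + " and text after.\n")
    msg = EmailMessage(policy=SMTP)
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "rcpt@example.invalid"       # placeholder address
    msg["Subject"] = "transfer-encoding test"
    msg.set_content(body, cte=cte)
    return msg.as_bytes()


def raw_match(wire: bytes) -> bool:
    """Scan the wire bytes as a scanner that does not undo the transfer
    encoding would see them. base64 hides the string entirely; with
    quoted-printable the long line is soft-wrapped with '=\\r\\n', which here
    lands inside the signature and splits it."""
    return SIGNATURE in wire


def decoded_match(wire: bytes) -> bool:
    """Scan after undoing the transfer encoding of every non-multipart MIME
    part, which is the step the thread says the AV scanner must perform."""
    msg = message_from_bytes(wire, policy=SMTP)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if SIGNATURE in part.get_payload(decode=True):
            return True
    return False


if __name__ == "__main__":
    for cte in ("7bit", "quoted-printable", "base64"):
        wire = build_message(cte)
        print(f"{cte:16} raw={raw_match(wire)!s:5} decoded={decoded_match(wire)}")
```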
