NOD32 for Linux Mailservers: damaged multipart MIME messages


Holger Isenberg
May 9th, 2006, 05:19 AM
Is this a known problem or maybe some configuration problem?

Multipart MIME messages with attachments appear to be corrupted by NOD32, as the MIME boundary string after the last deleted attachment with a virus is missing.

NOD32 replaces removed attachments correctly with the text message "X-Removed: Removed by NOD32 Antivirus System". However, the MIME boundary string "--------XYZ..." is missing, as you can see in this message:

Date: Mon, 08 May 2006 10:45:30 +0200
From: Test <test@local>
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20051002)
X-Accept-Language: de-DE, de, en-us, en
MIME-Version: 1.0
To: "Test" <testother@local>
Subject: [NOD32: deleted] Virustest
Content-Type: multipart/mixed;
boundary="------------020306080503080309060903"
X-NOD32Result: deleted

This is a multi-part message in MIME format.
--------------020306080503080309060903
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

test

******************************************************
virus1.zip - Win32/TrojanDownloader.Small.COQ trojan - deleted
virus1.zip -> ZIP -> Telekom-Rechnung.pdf.exe - Win32/TrojanDownloader.Small.COQ trojan - quarantined - unable to clean - error while Deleting - operation unavailable for this type of object - was a part of the deleted object
virus2.pif - Win32/Netsky.D worm - quarantined - unable to clean - deleted


--------------020306080503080309060903
Content-Type: text/plain
X-Removed: Removed by NOD32 Antivirus System


--------------020306080503080309060903
Content-Type: text/plain
X-Removed: Removed by NOD32 Antivirus System


Content-Type: application/msword;
name="test.doc"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename="test.doc"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAOwADAP7/CQAGAAAAAAAAAAAAAAACAAAAgwAAAAAA
AAAAEAAAAgAAAAEAAAD+////AAAAAAAAAACAAAAA////////////////////////////////////////////////////////////////////////////////////////////////////////
[...]



Added on May 10:

Mailserver: Linux Debian 3.1, Exim4
nod32d (lnod32ls) 2.51.6,
nod32d is embedded into Exim4 as described in Chapter "5.2.2.6 Setting MTA Exim version 4"
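A structural check for the symptom described in this thread, added here as an example and not code from the thread or from NOD32: it counts the delimiter lines of a multipart message, tests for the closing delimiter, and flags MIME header lines that ended up inside a text part's body, which is exactly what happens when the delimiter before a later part is dropped. The sample message and its boundary value are constructed, modelled on the quoted one.

```python
import re
import email
from email import policy

# Constructed sample (not the thread's own message) modelled on the one
# quoted above: the delimiter before the test.doc part is missing and there
# is no closing "--boundary--" line. Boundary value is an assumption.
BOUNDARY = "----=_Part_constructed"
SAMPLE = f"""\
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="{BOUNDARY}"

This is a multi-part message in MIME format.
--{BOUNDARY}
Content-Type: text/plain; charset=ISO-8859-1

test
--{BOUNDARY}
Content-Type: text/plain
X-Removed: Removed by NOD32 Antivirus System


Content-Type: application/msword;
 name="test.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAOwADAP7/CQAG
"""

# MIME header lines that should never appear inside a text part's body.
HEADER_RE = re.compile(r"^(Content-(?:Type|Transfer-Encoding|Disposition)):", re.M)


def check_multipart(raw: str) -> dict:
    """Count delimiter lines, check for the closing delimiter, count the
    parts the parser recovers and flag MIME headers inside text bodies."""
    msg = email.message_from_string(raw, policy=policy.default)
    boundary = msg.get_boundary()
    lines = raw.splitlines()
    report = {"boundary": boundary, "parts": 0, "orphaned_headers": [],
              "delimiters": lines.count("--" + boundary),
              "closing_delimiter": ("--" + boundary + "--") in lines}
    for idx, part in enumerate(msg.iter_parts()):
        report["parts"] += 1
        if part.get_content_maintype() != "text":
            continue  # binary bodies may legitimately contain such bytes
        body = part.get_payload(decode=True).decode("latin-1", "replace")
        report["orphaned_headers"] += [(idx, m.group(1)) for m in HEADER_RE.finditer(body)]
    return report
```

On the damaged sample the parser recovers only two parts, with the Word attachment's headers sitting inside the second placeholder part's body; restoring the missing delimiter and the closing line yields three parts and no orphaned headers.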

webyourbusiness
May 10th, 2006, 10:18 AM
I'm a little confused - you send an attachment called virus1.zip, which presumably contained a virus or trojan, and it gets removed, broken, whatever by NOD32 and that's a BAD THING? What did I miss here?

This seems to be working as designed...

Holger Isenberg
May 11th, 2006, 05:45 AM
The attachments virus1.zip and virus2.pif are correctly removed from the mail as they contain test viruses which cannot be cleaned. However, the 3rd attachment test.doc contains no virus and it is not readable by any mail client as the MIME boundary string "---------..." before it was removed somewhere. There is a slight possibility that the boundary string gets removed by our Exchange server, which I will investigate further...

webyourbusiness
May 11th, 2006, 08:44 PM
let us know how this pans out - in the long run though, if you're receiving email borne viruses and trojans, what is the likelihood they are accompanied by valid attachments?

In the overall scheme of things, I'd be happy to simply reject attachments from an infested machine until said machine cleaned up its act, even if that's only by accident! ;)

Holger Isenberg
May 18th, 2006, 04:52 AM
Update: The problem is not caused by the Exchange server as the Mail shows the missing MIME-boundary already in the spool directory before delivery to the Exchange server.

Holger Isenberg
May 18th, 2006, 11:16 AM
> what is the likelihood they are accompanied by valid attachments?

Yes, that's a very low probability. However if it's really a bug it should be fixed as this problem might occur in other cases, too.