error occurred while reading archive

When doing an on-demand scan,
I am getting some unexpected errors when scanning emails.

Some emails that are saved to disk as .eml files
cause entries in the scan log such as:

D:\xxx\yyy.eml »MIME »part000.txt - error occurred while reading archive

and some emails that are in my Outlook Express .dbx files cause the same problem:

K:\OE Mail\xxx.dbx »DBX »from: "name" <name@yyy.com> to: "MC" <me@myemail.com> with subject The Subject dated Sat, 12 Apr 2003 20:40:26 +0800 »MIME »part000.txt - error occurred while reading archive

Only a small percentage, say about 100 emails, have this problem.
An those emails appear to have nothing untoward about them: they open fine, they read fine, they look fine, they discuss praiseworthy subjects.
Also, it always fails on the same emails - so not an access issue.

Why would NOd32 fail to open them?

Any clues or insights?

 

I experienced this problem when NOD32 found a worm in DBX file. Then NOD32 on-demand scanner added this error to the scanning log...

 

Just out of curiosity, does NOD hilite the message in red ? In the first post its an error, in the second post the same message appears when its a worm

 

Not in red.
+ I am sure I do not have any worms. And certainly not in 100 of several thousand emails.

 

It could be that it simply can't read the archive.
Maybe it's damaged, maybe it's repacked [easy way to fool NOD] or some other stuff.

 

Brain
thanks for the thought - in fact these are not archives. As mentioned at the top they are either emails that are saved to disk as individual .eml files, or emails that are in my Outlook Express .dbx stores. They do not appear to be damaged: as mentioned they they open (by double clicking), read and look fine. Those that have attachments, the attachments open just fine as well.

Mover
Am sure it is not a worm. Highlight is blue. Pls the same files have been scanned by NAV and KAV. Also several are 2 years old - unlikley a two year old worm would be unflagged.

Does nobody else get these messages?

Am beginning to suspect a nod32 bug.

 

I have gotten a few of these messages, so I know what you are talking about. My guess is that these are malformed MIME attachments. NOD32 expects a correct MIME attachment, so when it encounters a malformed one, it cannot decode it. Hence, the error message.

Is this a potential way a virus to sneak through via e-mail? Yes, it is. Virus writers are known to do this on purpose. However, if the e-mail program does decode the malformed MIME attachment, NOD32 will still be able to scan it using AMON.

 

Alglove

Agree they are malformed mime attachments.
Tried to put one in a zip file and winzip gave me the message:
Warning: Boundary expected on Multipart message but found EOF

However the email client reads OK, and the attachment is save-able and executable.

Take your point about this could be done on purpose to conceal malware. So Nod32 should scan even if it finds a structural error.

Will add to suggestions thread.

mc