ESET Command-line scanner and *.eml files

Discussion in 'ESET NOD32 Antivirus' started by Poligraf, Dec 22, 2010.

Thread Status:
Not open for further replies.
  1. Poligraf

    Poligraf Registered Member

    Joined:
    Dec 22, 2010
    Posts:
    2
    Hi all,

    I have a problem with the NOD32 console scanner. If I try to scan an eml file with the EICAR virus in it (as an attachment), then the antivirus says that no infected files have been found. But if I delete the first line in the eml file ("x-sender: xxx@yyy.zzz" with CR\LF symbols), then the scanner points out that the file is infected. Has anybody run into such a problem?

    Version of ESET NOD32 Antivirus is 4.0.437.0.

    Command line with parameters:
    ecls.exe /mail test.eml

    Output:
    Scan time: 0 sec (0:00:00)
    Total: files - 1, objects 1
    Infected: files - 0, objects 0
    Cleaned: files - 0, objects 0

    Output for file without "x-sender" line:
    Scan time: 0 sec (0:00:00)
    Total: files - 1, objects 3
    Infected: files - 1, objects 2
    Cleaned: files - 0, objects 0


    Example of eml file (I removed the Outlook styles from it):

    x-sender: xxx@yyy.zzz
    x-receiver: aaa@bbb.ccc
    Received: from fff.eee ([192.168.1.1]) by ggg.hhh with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 21 Dec 2010 17:10:02 +0400
    Received: from test1 ([192.168.2.2]) by fff.eee over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 21 Dec 2010 17:10:03 +0400
    From: xxx@yyy.zzz
    To: aaa@bbb.ccc
    References: <3.3d0bae8acbb327391a6a@qqq>
    In-Reply-To: <3.3d0bae8acbb327391a6a@qqq>
    Subject: Test subject
    Date: Tue, 21 Dec 2010 17:10:00 +0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_01BE_01CBA131.EF2A7E40"
    X-Mailer: Microsoft Office Outlook 12.0
    thread-index: AcuhIOHUUkgMrJk5Q1aSVzQ2f0w+7wAAAV4Q
    Content-Language: en-us
    Return-Path: xxx@yyy.zzz
    X-OriginalArrivalTime: 21 Dec 2010 13:10:03.0671 (UTC) FILETIME=[2CBC1EF0:01CBA121]

    This is a multi-part message in MIME format.

    ------=_NextPart_000_01BE_01CBA131.EF2A7E40
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_01BF_01CBA131.EF2A7E40"


    ------=_NextPart_001_01BF_01CBA131.EF2A7E40
    Content-Type: text/plain;
    charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    Hello!

    =20

    EICAR here

    =20

    Thanks,

    Have a GOOD DAY)


    ------=_NextPart_000_01BE_01CBA131.EF2A7E40
    Content-Type: text/plain;
    name="VirusEicar.txt"
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment;
    filename="VirusEicar.txt"

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    ------=_NextPart_000_01BE_01CBA131.EF2A7E40
    Content-Type: text/plain;
    name="one_virus.txt"
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment;
    filename="one_virus.txt"

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    ------=_NextPart_000_01BE_01CBA131.EF2A7E40--
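    The check below is an added example and is not code from the thread or from ESET. It rebuilds two variants of the message above in memory (the same hypothetical addresses and attachment name, the header list shortened to the ones that matter for MIME parsing), with and without the leading "x-sender:" line, and runs both through Python's standard RFC 5322/MIME parser to see which parts carry the EICAR test string. That gives a parser-level baseline: if a conformant MIME parser locates the attachment in both variants, the difference reported by the scanner is not caused by the message being malformed. `write_variants` is a helper for writing the two files to disk so each can be fed to `ecls.exe /mail` exactly as in the post.

```python
"""Baseline check: does a standards-conformant MIME parser find the EICAR
attachment in an .eml file regardless of a leading "x-sender:" header?

Constructed sample modelled on the forum post (hypothetical addresses,
hypothetical attachment name); not the original file.
"""
import email
import os
from email import policy

# The EICAR test string, assembled from two halves so that the source file
# itself does not contain the signature as one contiguous literal.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")

BOUNDARY = "----=_NextPart_000_01BE_01CBA131.EF2A7E40"  # taken from the post


def build_eml(with_x_sender: bool) -> bytes:
    """Return a CRLF-terminated multipart/mixed message with one EICAR
    attachment.  When with_x_sender is True the message starts with the
    same "x-sender:" / "x-receiver:" pair the post describes."""
    headers = []
    if with_x_sender:
        headers += ["x-sender: xxx@yyy.zzz", "x-receiver: aaa@bbb.ccc"]
    headers += [
        "From: xxx@yyy.zzz",
        "To: aaa@bbb.ccc",
        "Subject: Test subject",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
    ]
    body = [
        "",
        "This is a multi-part message in MIME format.",
        "",
        f"--{BOUNDARY}",
        'Content-Type: text/plain; charset="UTF-8"',
        "Content-Transfer-Encoding: quoted-printable",
        "",
        "Hello!",
        "",
        f"--{BOUNDARY}",
        'Content-Type: text/plain; name="VirusEicar.txt"',
        "Content-Transfer-Encoding: 7bit",
        'Content-Disposition: attachment; filename="VirusEicar.txt"',
        "",
        EICAR.decode("ascii"),
        f"--{BOUNDARY}--",
        "",
    ]
    return "\r\n".join(headers + body).encode("ascii")


def leading_header(raw: bytes) -> str:
    """Name (lower-cased) of the first header line of a raw message."""
    first_line = raw.split(b"\r\n", 1)[0]
    return first_line.split(b":", 1)[0].decode("ascii").strip().lower()


def find_eicar_parts(raw: bytes) -> list:
    """Parse the message and return the filenames of every leaf MIME part
    whose decoded payload contains the EICAR string ("<inline body>" for
    parts without a filename)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""  # undo 7bit/QP/base64
        if EICAR in payload:
            hits.append(part.get_filename() or "<inline body>")
    return hits


def write_variants(directory: str) -> dict:
    """Write both variants to `directory` for scanning with an external
    tool (e.g. `ecls.exe /mail <file>`).  Returns {variant: path}."""
    os.makedirs(directory, exist_ok=True)
    paths = {}
    for name, flag in (("with_x_sender", True), ("without_x_sender", False)):
        path = os.path.join(directory, f"test_{name}.eml")
        with open(path, "wb") as fh:
            fh.write(build_eml(flag))
        paths[name] = path
    return paths


if __name__ == "__main__":
    for flag in (True, False):
        raw = build_eml(flag)
        print(f"first header: {leading_header(raw)!r:14} "
              f"EICAR found in: {find_eicar_parts(raw)}")
```

Running the script prints the same attachment name for both variants, because "x-sender:" is an ordinary header line to a MIME parser. To reproduce the post's comparison, call `write_variants("eml_tests")` and scan each file with `ecls.exe /mail`; the parser result is the reference the scanner's output should match.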
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Did you try with the latest NOD32 version 4.2.67?
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,408
    What application put the "x-sender" header at the beginning of the email?
     
  4. Poligraf

    Poligraf Registered Member

    Joined:
    Dec 22, 2010
    Posts:
    2
    Thank you for answers.
    I tried version 4.2.67.10, with the same result. The virus is found by the scanner only if the first line is deleted.

    As far as I understand, this header is generated either by the MS SMTP service (in IIS 6.0) or by MS Exchange Server.
     