ESET Command-line scanner and *.eml files

Discussion in 'ESET NOD32 Antivirus' started by Poligraf, Dec 22, 2010.

Thread Status:
Not open for further replies.
  1. Poligraf

    Poligraf Registered Member

    Joined:
    Dec 22, 2010
    Posts:
    2
    Hi all,

    I have a problem with the NOD32 console scanner. If I try to scan an eml file with the EICAR virus in it (as an attachment), then the antivirus says that no infected files have been found. But if I delete the first line in the eml file ("x-sender: xxx@yyy.zzz" with CR\LF symbols), then the scanner points out that the file is infected. Has anybody run into such a problem?

    The version of ESET NOD32 Antivirus is 4.0.437.0.

    Command line with parameters:
    ecls.exe /mail test.eml

    Output:
    Scan time: 0 sec (0:00:00)
    Total: files - 1, objects 1
    Infected: files - 0, objects 0
    Cleaned: files - 0, objects 0

    Output for file without "x-sender" line:
    Scan time: 0 sec (0:00:00)
    Total: files - 1, objects 3
    Infected: files - 1, objects 2
    Cleaned: files - 0, objects 0


    Example of the eml file (I removed the Outlook styles from it):

    x-sender: xxx@yyy.zzz
    x-receiver: aaa@bbb.ccc
    Received: from fff.eee ([192.168.1.1]) by ggg.hhh with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 21 Dec 2010 17:10:02 +0400
    Received: from test1 ([192.168.2.2]) by fff.eee over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 21 Dec 2010 17:10:03 +0400
    From: xxx@yyy.zzz
    To: aaa@bbb.ccc
    References: <3.3d0bae8acbb327391a6a@qqq>
    In-Reply-To: <3.3d0bae8acbb327391a6a@qqq>
    Subject: Test subject
    Date: Tue, 21 Dec 2010 17:10:00 +0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_01BE_01CBA131.EF2A7E40"
    X-Mailer: Microsoft Office Outlook 12.0
    thread-index: AcuhIOHUUkgMrJk5Q1aSVzQ2f0w+7wAAAV4Q
    Content-Language: en-us
    Return-Path: xxx@yyy.zzz
    X-OriginalArrivalTime: 21 Dec 2010 13:10:03.0671 (UTC) FILETIME=[2CBC1EF0:01CBA121]

    This is a multi-part message in MIME format.

    ------=_NextPart_000_01BE_01CBA131.EF2A7E40
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_01BF_01CBA131.EF2A7E40"


    ------=_NextPart_001_01BF_01CBA131.EF2A7E40
    Content-Type: text/plain;
    charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    Hello!

    =20

    EICAR here

    =20

    Thanks,

    Have a GOOD DAY)


    ------=_NextPart_000_01BE_01CBA131.EF2A7E40
    Content-Type: text/plain;
    name="VirusEicar.txt"
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment;
    filename="VirusEicar.txt"

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    ------=_NextPart_000_01BE_01CBA131.EF2A7E40
    Content-Type: text/plain;
    name="one_virus.txt"
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment;
    filename="one_virus.txt"

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    ------=_NextPart_000_01BE_01CBA131.EF2A7E40--
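    An added example, not code from the thread or from ESET: it parses a constructed message with the same layout as the one above using Python's standard-library MIME parser and reports which attachments begin with the EICAR test string, once with the leading "x-sender" line present and once with it removed. The sample message, the boundary names and the helper names are my own.

```python
from email import message_from_bytes, policy

# EICAR test string, joined from two halves so this source file itself does
# not begin with the signature (scanners match it at offset 0 of a file).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample mirroring the thread's message: a non-standard
# "x-sender" line first, multipart/mixed with an alternative part and a
# 7bit text attachment that carries the test string.
SAMPLE_EML = (
    "x-sender: xxx@yyy.zzz\r\n"
    "x-receiver: aaa@bbb.ccc\r\n"
    "From: xxx@yyy.zzz\r\n"
    "To: aaa@bbb.ccc\r\n"
    "Subject: Test subject\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="outer"\r\n'
    "\r\n--outer\r\n"
    'Content-Type: multipart/alternative; boundary="inner"\r\n'
    "\r\n--inner\r\n"
    'Content-Type: text/plain; charset="UTF-8"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\nHello!=20\r\n"
    "--inner--\r\n"
    "--outer\r\n"
    'Content-Type: text/plain; name="VirusEicar.txt"\r\n'
    "Content-Transfer-Encoding: 7bit\r\n"
    'Content-Disposition: attachment; filename="VirusEicar.txt"\r\n'
    "\r\n" + EICAR + "\r\n"
    "--outer--\r\n"
).encode("ascii")


def without_first_line(raw: bytes) -> bytes:
    """Drop the first header line, as the poster did to make ecls.exe detect."""
    return raw.split(b"\r\n", 1)[1]


def scan_eml(raw: bytes, signature: str = EICAR) -> dict:
    """Parse with the stdlib MIME parser and report which attachments start with
    the signature; a conformant parser treats x-sender as an ordinary header."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"first_header": msg.keys()[0], "attachments": {}}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""  # undoes 7bit/base64/QP
        report["attachments"][part.get_filename()] = payload.startswith(signature.encode())
    return report
```

    Both runs report the attachment, which is the behaviour one would expect from any scanner that walks the MIME tree rather than keying on the first header line.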
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Did you try with the latest NOD32 version 4.2.67?
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    What application put the "x-sender" header at the beginning of the email?
  4. Poligraf

    Poligraf Registered Member

    Joined:
    Dec 22, 2010
    Posts:
    2
    Thank you for the answers.
    I tried version 4.2.67.10, with the same result. The virus is found by the scanner only if the first line is deleted.

    As far as I understand, this header is generated either by the MS SMTP service (in IIS 6.0) or by MS Exchange Server.