NOD32 for Linux Mailservers: damaged multipart MIME messages

Discussion in 'Other ESET Home Products' started by Holger Isenberg, May 9, 2006.

Thread Status:
Not open for further replies.
  1. Holger Isenberg

    Is this a known problem or maybe some configuration problem?

    Multipart MIME messages with attachments look like they are being corrupted by NOD32, as the MIME boundary string after the last deleted attachment with a virus is missing.

    NOD32 replaces removed attachments correctly with the text message "X-Removed: Removed by NOD32 Antivirus System". However, the MIME boundary string "--------XYZ..." is missing, as you can see in this message:

    Date: Mon, 08 May 2006 10:45:30 +0200
    From: Test <test@local>
    User-Agent: Mozilla Thunderbird 1.0.2 (X11/20051002)
    X-Accept-Language: de-DE, de, en-us, en
    MIME-Version: 1.0
    To: "Test" <testother@local>
    Subject: [NOD32: deleted] Virustest
    Content-Type: multipart/mixed;
    boundary="------------020306080503080309060903"
    X-NOD32Result: deleted

    This is a multi-part message in MIME format.
    --------------020306080503080309060903
    Content-Type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: 8bit

    test

    ******************************************************
    virus1.zip - Win32/TrojanDownloader.Small.COQ trojan - deleted
    virus1.zip -> ZIP -> Telekom-Rechnung.pdf.exe - Win32/TrojanDownloader.Small.COQ trojan - quarantined - unable to clean - error while Deleting - operation unavailable for this type of object - was a part of the deleted object
    virus2.pif - Win32/Netsky.D worm - quarantined - unable to clean - deleted


    --------------020306080503080309060903
    Content-Type: text/plain
    X-Removed: Removed by NOD32 Antivirus System


    --------------020306080503080309060903
    Content-Type: text/plain
    X-Removed: Removed by NOD32 Antivirus System


    Content-Type: application/msword;
    name="test.doc"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline;
    filename="test.doc"

    0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAOwADAP7/CQAGAAAAAAAAAAAAAAACAAAAgwAAAAAA
    AAAAEAAAAgAAAAEAAAD+////AAAAAAAAAACAAAAA////////////////////////////////////////////////////////////////////////////////////////////////////////
    [...]



    Added on May 10:

    Mailserver: Linux Debian 3.1, Exim4
    nod32d (lnod32ls) 2.51.6,
    nod32d is embedded into Exim4 as described in Chapter "5.2.2.6 Setting MTA Exim version 4"
     
    Last edited: May 10, 2006
  2. webyourbusiness

    I'm a little confused - you send an attachment called virus1.zip, which presumably contained a virus or trojan, and it gets removed, broken, whatever by NOD32 and that's a BAD THING? What did I miss here?

    This seems to be working as designed...
     
  3. Holger Isenberg

    The attachments virus1.zip and virus2.pif are correctly removed from the mail as they contain test viruses which cannot be cleaned. However, the 3rd attachment test.doc contains no virus and it is not readable by any mail client as the MIME boundary string "---------..." before it was removed somewhere. There is a slight possibility that the boundary string gets removed by our Exchange server, which I will investigate further...
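To make the damage described in the first post and in this reply concrete, here is an added Python example; it is not code from the thread or from ESET. It parses a message constructed to mirror the one quoted above (the bytes, the closing delimiter and the shortened base64 body are assumptions of the example), shows that a conforming MIME parser sees no test.doc attachment because its headers have been swallowed into the body of the preceding placeholder part, locates the orphaned header block, re-inserts the missing delimiter and parses again. The detection is a heuristic and is labelled as such in the code.

```python
import re
from email import message_from_bytes, policy

# Constructed input modelled on the message quoted in the thread (not its real
# bytes): the delimiter that should precede the third part, test.doc, is
# missing. The base64 line is the first one quoted there; the closing
# delimiter is an assumption.
DAMAGED = b"""Subject: [NOD32: deleted] Virustest
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="------------020306080503080309060903"
X-NOD32Result: deleted

This is a multi-part message in MIME format.
--------------020306080503080309060903
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

test

--------------020306080503080309060903
Content-Type: text/plain
X-Removed: Removed by NOD32 Antivirus System


--------------020306080503080309060903
Content-Type: text/plain
X-Removed: Removed by NOD32 Antivirus System


Content-Type: application/msword;
 name="test.doc"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="test.doc"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAOwADAP7/CQAGAAAAAAAAAAAAAAACAAAAgwAAAAAA
--------------020306080503080309060903--
"""

MIME_HDR = re.compile(rb"^Content-(Type|Transfer-Encoding|Disposition): ", re.I)
ANY_HDR = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*: ")
CONTINUATION = re.compile(rb"^[ \t]")


def parse(raw):
    return message_from_bytes(raw, policy=policy.default)


def attachments(raw):
    """(filename, decoded bytes) for each part a conforming parser sees as a
    named attachment. Empty for the damaged message: test.doc's headers are
    only text inside the body of the preceding placeholder part."""
    msg = parse(raw)
    if not msg.is_multipart():
        return []
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_parts() if p.get_filename()]


def _header_block(lines, start):
    """True if lines[start:] up to the next blank line are all header lines or
    folded continuations, with at least one Content-* header among them."""
    saw_mime = False
    for line in lines[start:]:
        if line == b"":
            return saw_mime
        if MIME_HDR.match(line):
            saw_mime = True
        elif not (ANY_HDR.match(line) or CONTINUATION.match(line)):
            return False
    return False


def find_orphaned_headers(raw):
    """Indexes of lines where a MIME header block starts inside a body (after a
    blank line, with no delimiter before it). Heuristic: a text body that itself
    contains such a header block at line start would be flagged as well."""
    boundary = parse(raw).get_boundary()
    if not boundary:
        return []
    delimiter = b"--" + boundary.encode()
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    hits, in_headers, prev_blank = [], True, False
    for i, line in enumerate(lines):
        if line.startswith(delimiter):          # delimiter: header block follows
            in_headers, prev_blank = True, False
        elif in_headers:
            if line == b"":                     # blank line ends the headers
                in_headers, prev_blank = False, True
        elif line == b"":
            prev_blank = True
        else:
            if prev_blank and MIME_HDR.match(line) and _header_block(lines, i):
                hits.append(i)
            prev_blank = False
    return hits


def repair(raw):
    """Re-insert the missing delimiter before each orphaned header block so the
    swallowed part becomes a part again; inserting from the end keeps indexes valid."""
    boundary = parse(raw).get_boundary()
    if not boundary:
        return raw
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    for i in reversed(find_orphaned_headers(raw)):
        lines.insert(i, b"--" + boundary.encode())
    return b"\n".join(lines)
```

Running `attachments(DAMAGED)` returns an empty list, `find_orphaned_headers(DAMAGED)` points at the orphaned `Content-Type: application/msword;` line, and after `repair()` the message has four parts, the last of which decodes to the OLE2 header bytes `D0 CF 11 E0 A1 B1 1A E1` that the quoted base64 begins with. The repair only reconstructs the delimiter the scanner dropped; it cannot know what else may have been removed, so in an MTA it belongs in a quarantine or diagnostic path rather than in the delivery path.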
     
  4. webyourbusiness

    let us know how this pans out - in the long run though, if you're receiving email-borne viruses and trojans, what is the likelihood they are accompanied by valid attachments?

    In the overall scheme of things, I'd be happy to simply reject attachments from an infested machine until said machine cleaned up its act, even if that's only by accident! ;)
     
  5. Holger Isenberg

    Update: The problem is not caused by the Exchange server as the Mail shows the missing MIME-boundary already in the spool directory before delivery to the Exchange server.
     
  6. Holger Isenberg

    Yes, that's a very low probability. However if it's really a bug it should be fixed as this problem might occur in other cases, too.
     