Bug in AV, not quarantining the attachment correctly, quarantines the whole message (23.0.1)
-
I have the latest with the IKARUS AV update, and I notice that even though it's set to quarantine the attachment, and not the message, it's just quarantining the whole message, so the end user is not being notified, or receiving the message without the attachment as it's set up to do.
-
Arron Staff
I wasn't able to reproduce the issue. What does the AntiVirus log show is happening?
Was the message quarantined because it could not be scanned?
Or was the message quarantined because of attachment filtering?
-
Wed 2023-05-03 08:00:16.864: MDaemon AntiVirus processing d:\mdaemon\queues\local\md5001000911301.msg...
Wed 2023-05-03 08:00:16.864: * Message return-path: xxx@grxxx.com
Wed 2023-05-03 08:00:16.864: * Message from: xxxx@xxx.com
Wed 2023-05-03 08:00:16.864: * Message to: xxx@xxx
Wed 2023-05-03 08:00:16.864: * Message subject: <xxx>
Wed 2023-05-03 08:00:16.864: * Message ID: <CH0PR11MB53136C762AE80436FAE48D9E956F9@CH0PR11MB5313.namprd11.prod.outlook.com>
Wed 2023-05-03 08:00:16.864: Start MDaemon AntiVirus results
Wed 2023-05-03 08:00:16.869: * IKARUS AV: clean (0.00558 s) D:\MDaemon\CFilter\TEMP\3082132253\pd632424899.hdr
Wed 2023-05-03 08:00:16.874: * IKARUS AV: clean (0.00437 s) D:\MDaemon\CFilter\WORK\77327438\pd3020826626.txt
Wed 2023-05-03 08:00:16.881: * IKARUS AV: clean (0.00735 s) D:\MDaemon\CFilter\WORK\77327438\pd3035720673.txt
Wed 2023-05-03 08:00:16.885: * IKARUS AV: clean (0.00383 s) D:\MDaemon\CFilter\TEMP\3082132253\pd3556971.att
Wed 2023-05-03 08:00:16.978: * IKARUS AV: non-scan (0.09285 s) D:\MDaemon\CFilter\TEMP\3082132253\pd139827487.att
Wed 2023-05-03 08:00:16.978: * (IKARUS AV) Batch 103854 Vendor Enrich Template.xlsm could not be scanned - macro autoopen found
Wed 2023-05-03 08:00:16.978: * Total attachments scanned : 4 (including multipart/alternatives and message body)
Wed 2023-05-03 08:00:16.978: * Total attachments infected : 0
Wed 2023-05-03 08:00:16.978: * Total attachments disinfected: 0
Wed 2023-05-03 08:00:16.978: * Total errors while scanning : 1
Wed 2023-05-03 08:00:17.028: * Message moved to d:\mdaemon\cfilter\quarant\md5001000000016.msg
Wed 2023-05-03 08:00:17.040: * Virus notification sent to xxx@xxx.com (admin)
Wed 2023-05-03 08:00:17.040: End of MDaemon AntiVirus results
-
Is it because it's a Macro, that it couldn't be scanned? The document attached wasn't encrypted, it does contain macros (I opened it on a test box we have to check it).
My understanding is it should send the message, add text that the attachment contained a virus or couldn't be scanned, and send the rest of the message to the end user, and place the (stripped) attachment into the quarantine. But it's just sending the whole message there, and sending an alert to the admin.
-
Arron Staff
This detection is from what IKARUS calls pseudosigs. It is flagging the message because the excel file contains an auto open macro function. In 23.0.1 we are treating a pseudosig match as a non scan and quarantining it, which in some cases is not the desired behavior. In 23.0.2 we have changed the behavior so that most pseudosig detections will be treated the same as a virus.
You have a couple of options. You can just leave it for now and wait for 23.0.2 to be released to the public, install the 23.0.2 beta, or you can turn off the auto open macro detection. Turning off auto open macro detection is my least favorite option; it could allow a malicious macro into your system, but doing so would allow this message to continue processing. This file would be detected by attachment filtering assuming you have *.xlsm listed in the filtering list.
If you'd like to join the beta team you can do so by filling out the form at https://mdaemon.com/pages/beta-program
If you'd like to disable the macro detection, you can do so by editing scanserver.json in the \MDaemon\SecurityPlus\Ikarus\scan.server\conf directory and changing "autoopen_macros": true to "autoopen_macros": false.
Then just save the file.
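As an added example (not part of this thread or of MDaemon itself), here is a small parser for the AntiVirus log block quoted above. It reads the per-file IKARUS verdicts, the "could not be scanned" reason and the quarantine move, and answers the question asked earlier: was the message quarantined as infected, as a non-scan (the 23.0.1 pseudosig case), or for a cause outside the AV block. The sample log is a constructed excerpt with shortened paths and addresses omitted.

```python
import re

# Constructed excerpt in the shape of the MDaemon AntiVirus log quoted in the thread
# (paths shortened, addresses omitted); the line formats are taken from that log.
SAMPLE_LOG = """\
Wed 2023-05-03 08:00:16.864: Start MDaemon AntiVirus results
Wed 2023-05-03 08:00:16.869: * IKARUS AV: clean (0.00558 s) D:\\MDaemon\\CFilter\\TEMP\\3082132253\\pd632424899.hdr
Wed 2023-05-03 08:00:16.885: * IKARUS AV: clean (0.00383 s) D:\\MDaemon\\CFilter\\TEMP\\3082132253\\pd3556971.att
Wed 2023-05-03 08:00:16.978: * IKARUS AV: non-scan (0.09285 s) D:\\MDaemon\\CFilter\\TEMP\\3082132253\\pd139827487.att
Wed 2023-05-03 08:00:16.978: * (IKARUS AV) Batch 103854 Vendor Enrich Template.xlsm could not be scanned - macro autoopen found
Wed 2023-05-03 08:00:16.978: * Total attachments infected : 0
Wed 2023-05-03 08:00:16.978: * Total errors while scanning : 1
Wed 2023-05-03 08:00:17.028: * Message moved to d:\\mdaemon\\cfilter\\quarant\\md5001000000016.msg
Wed 2023-05-03 08:00:17.040: End of MDaemon AntiVirus results
"""

# One per-file scanner verdict: "* IKARUS AV: <status> (<secs> s) <path>"
VERDICT = re.compile(r"\* IKARUS AV: ([\w-]+) \(([\d.]+) s\) (.+)$")
# Reason a file could not be scanned (the pseudosig case reads "macro autoopen found")
UNSCANNABLE = re.compile(r"\* \(IKARUS AV\) (.+?) could not be scanned - (.+)$")
INFECTED = re.compile(r"Total attachments infected\s*:\s*(\d+)")
MOVED = re.compile(r"\* Message moved to (.+)$")

def summarize_av_block(text):
    """Collect per-file verdicts, unscannable files, infected count and quarantine path."""
    s = {"verdicts": [], "unscannable": [], "infected": 0, "quarantine_path": None}
    for line in text.splitlines():
        if m := VERDICT.search(line):
            s["verdicts"].append((m.group(1), m.group(3)))
        elif m := UNSCANNABLE.search(line):
            s["unscannable"].append((m.group(1), m.group(2)))
        elif m := INFECTED.search(line):
            s["infected"] = int(m.group(1))
        elif m := MOVED.search(line):
            s["quarantine_path"] = m.group(1)
    return s

def quarantine_cause(summary):
    """Why was the whole message quarantined, judging only from the AV result block?"""
    if summary["quarantine_path"] is None:
        return "not quarantined"
    if summary["infected"] > 0:
        return "infected"
    if summary["unscannable"]:
        return "non-scan"   # 23.0.1 treats a pseudosig match as a non-scan and quarantines
    return "other"          # cause is not in this block (e.g. attachment filtering)

if __name__ == "__main__":
    summary = summarize_av_block(SAMPLE_LOG)
    print(quarantine_cause(summary), summary["unscannable"])
```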
-
I'll wait for the 23.0.2 to be released, but it sounds like you've figured out the problem I'm reporting; the description you gave makes perfect sense.