MTA decoding of .VBS attachments for virus scanning...

Discussions on webmail and the Professional version.
Craig Emmitt
Posts: 8
Joined: Wed Jun 26, 2002 7:43 am


Post by Craig Emmitt » Wed Jul 21, 2004 6:11 pm

When a .vbs attachment is decoded into the scratch directory for virus scanning the resulting file (e.g. 2.ATT) is not identical to the original attachment and as a result some virus related .vbs attachments are not detected by anti-virus scanners.

I just figured out that this is the reason why I've never been able to detect a certain .vbs dropper for the Bagle virus using MEPRO+F-PROT. I've had this problem since about MEPRO 1.16 but have never had the time until now to do an in-depth investigation.


Post by Craig Emmitt » Thu Jul 22, 2004 1:53 pm

Had a little more time today to look into this...

It looks like if the .vbs attachment has lines with lengths > 75 characters the decoded scratch copy that gets virus scanned has those lines wrapped at 74 characters with "=" appended to the end. This causes it to not be an identical copy of the original and allows it to slip by the anti-virus scanner(s).


Post by Craig Emmitt » Fri Aug 06, 2004 9:30 pm

I've confirmed that this issue has been fixed in v1.2. My MEPRO+F-PROT will now catch the dropper script (Joke.vbs) for the Bagle virus.
