Quote:
Originally Posted by Klug
Hello, welcome. AFAIK, there's no "quarantine" function currently implemented in Zimbra...
Are you sure your amavisd is quarantining some mails?
I tested the AV system by sending a test email with a test EICAR virus signature.
It results in a hit during AV checking and the following email:
Quote:
VIRUS ALERT
Our content checker found
virus: Eicar-Test-Signature
in an email to you from unknown sender:
?@access.mail.your-site.com
claiming to be: <eicar@aleph-tec.com>
Our internal reference code for your message is 02121-01/ZLtSlORn0JcT
First upstream SMTP client IP address: [38.96.163.30]
access.mail.your-site.com
According to a 'Received:' trace, the message originated at: [38.96.163.30],
b411.your-site.com (access.mail.your-site.com [38.96.163.30])
Return-Path: <eicar@aleph-tec.com>
Message-ID: <20070610123255.11282440C@b121.your-site.com>
Subject: EICAR anti-virus test file:
The message has been quarantined as: virus-ZLtSlORn0JcT
Please contact your system administrator for details.
A file by the name of ZLtSlORn0JcT now sits in one of amavisd's directories. Running cat on the file will reveal that it is the original email in its entirety, with the "virus" attachment in its BASE64 SMTP form. This is of course a little useless if you wish to retrieve any attachment caught in this manner.
I am just thinking this through because I enabled protected archive blocking knowing that we do get the occasional valid password-protected zip files.
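One way to get an attachment back out of a quarantined message like the one described above, as an added example that is not part of the original post: it assumes the quarantine file is the complete message in plain text, as the post describes, and uses only Python's standard `email` package. The sample message, the function names and the file name `report.bin` are constructed for illustration.

```python
import base64, hashlib, os
from email import message_from_bytes, policy

# Constructed sample standing in for a quarantine file (harmless payload).
PAYLOAD = b"constructed attachment body\n"
SAMPLE_QUARANTINE = b"\r\n".join([
    b"Return-Path: <sender@example.com>",
    b"Subject: constructed sample",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b0"',
    b"",
    b"--b0",
    b"Content-Type: text/plain",
    b"",
    b"body text",
    b"--b0",
    b"Content-Type: application/octet-stream",
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="../report.bin"',
    b"",
    base64.b64encode(PAYLOAD),
    b"--b0--",
    b"",
])

def safe_name(filename):
    """Drop path components so a hostile filename cannot leave out_dir."""
    name = os.path.basename((filename or "").replace("\\", "/"))
    return name if name not in ("", ".", "..") else "attachment.bin"

def list_attachments(raw):
    """Return (safe filename, decoded bytes, sha256) per attachment part."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() is None and part.get_content_disposition() != "attachment":
            continue  # ordinary body part, not an attachment
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        found.append((safe_name(part.get_filename()), data, hashlib.sha256(data).hexdigest()))
    return found

def extract(raw, out_dir):
    """Write each attachment into out_dir, owner-only, never overwriting."""
    paths = []
    for name, data, _ in list_attachments(raw):
        path = os.path.join(out_dir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths
```

For a genuine detection the extracted file is live malware, so run this on an isolated analysis host; for a blocked password-protected zip, the SHA-256 lets you confirm the file with the sender before releasing it.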