Trend Micro VirusWall cannot determine attachment type

C.Innocenzi

Hello,

we have a Linux box (Red Hat 7.3) with Virus Wall 3.8 installed, Virus
Scanner v3.1, VSAPI v6.510-1002, pattern file 624 (as of today).

We have noticed the following message in our log file when the engine
scans either the message body or the attachments:

The target file can not be classified by VSAPI

and therefore the scan engine passes the entire message.

For example:

09/03/2003 00:07:20 smtp[14538]: smtp[199694]: connection from 127.0.0.1
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: from=, size=3651l, nrcpts=1, msgid=<xxxx>, connect_from=127.0.0.1
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: mail from (e-mail address removed), to (e-mail address removed)
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: scanning inbound file email-body
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: The target file can not be classified by VSAPI.
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: email-body contains no virus
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: scanning whole file smtpWl27gtf-14538
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: The target file can not be classified by VSAPI.
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: mail delivered from (e-mail address removed) to (e-mail address removed)

We would like to know if such behavior is correct.

Thank you for your help.

C.Innocenzi
 
We would need to see the raw message to tell, I think. You should check the
VirusWall documentation to see what it says.
 
C.Innocenzi said:
we have a Linux box (Red Hat 7.3) with Virus Wall 3.8 installed, Virus
Scanner v3.1, VSAPI v6.510-1002, pattern file 624 (as of today).

We have noticed the following message in our log file when the engine
scans either the message body or the attachments:

The target file can not be classified by VSAPI

and therefore the scan engine passes the entire message.
<<snip>>

I don't use the product, but saw something yesterday in a security mailing
list I monitor which _may_ be related:

http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=13531

http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=15152

In short, check the whole_file_scan option in the smtp section of intscan.ini
is enabled by setting that option to "yes".
 
Hi Nick,

we checked our config file and indeed we have that parameter set:
whole_file_scan=yes

We also have the following parameter set:
level=scanall

which means that the engine has to scan all traffic and not just some extensions.

We updated the pattern file tonight but we still get the message.

C.Innocenzi
 
C.Innocenzi said:
we checked our config file and indeed we have that parameter set:
whole_file_scan=yes

We also have the following parameter set:
level=scanall

which means that the engine has to scan all traffic and not just some extensions.

We updated the pattern file tonight but we still get the message.

I'd suggest that you call their tech support folks ASAP then...

One of the "problems" having a virus-scanning Email gateway can produce is an
increased level of optimism in your users -- the old "it got past the gateway
scanner so must be safe" foolishness. Thus, a gateway that suddenly appears
to not be able to scan traffic it ought to be scanning can be especially
problematic...
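
Added example (not part of the thread and not Trend Micro code): a log check for the situation discussed above, where VSAPI cannot classify a scan target and the message is delivered anyway. It assumes one log entry per line in the shape of the excerpt in the first post; the function name, the second session and the addresses in the sample are constructed.

```python
import re

# Entry shape copied from the excerpt in the first post (one entry per line):
#   MM/DD/YYYY HH:MM:SS smtp[<pid>]: smtp[<session>]: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"smtp\[(?P<pid>\d+)\]: smtp\[(?P<sid>\d+)\]: (?P<msg>.*)$")
UNCLASSIFIED = "can not be classified by VSAPI"

# Constructed sample: session 199694 mirrors the thread, 199701 is invented.
SAMPLE = """\
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: connection from 127.0.0.1
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: scanning inbound file email-body
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: The target file can not be classified by VSAPI.
09/03/2003 00:07:20 smtp[14540]: smtp[199701]: scanning inbound file email-body
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: email-body contains no virus
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: scanning whole file smtpWl27gtf-14538
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: The target file can not be classified by VSAPI.
09/03/2003 00:07:20 smtp[14540]: smtp[199701]: email-body contains no virus
09/03/2003 00:07:20 smtp[14538]: smtp[199694]: mail delivered from sender@example.com to rcpt@example.com
09/03/2003 00:07:20 smtp[14540]: smtp[199701]: mail delivered from a@example.com to b@example.com
"""

def unscanned_deliveries(lines):
    """Return sessions delivered after VSAPI failed to classify a scan target."""
    open_sessions, findings = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line, not handled here
        key, msg = (m["pid"], m["sid"]), m["msg"]
        state = open_sessions.setdefault(key, {"current": None, "missed": []})
        if msg.startswith("scanning "):
            state["current"] = msg.split()[-1]  # e.g. email-body
        elif UNCLASSIFIED in msg:
            state["missed"].append(state["current"] or "unknown")
        elif msg.startswith("mail delivered"):
            if state["missed"]:
                findings.append({"time": m["ts"], "session": m["sid"],
                                 "unclassified": state["missed"]})
            del open_sessions[key]  # session finished, drop its state
    return findings

if __name__ == "__main__":
    for f in unscanned_deliveries(SAMPLE.splitlines()):
        print(f"{f['time']} session {f['session']} delivered with "
              f"unclassified targets: {', '.join(f['unclassified'])}")
```

Keying on both bracketed ids keeps interleaved sessions apart, so the count of flagged deliveries per day gives a measure of how much mail is passing the gateway without a usable scan result.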
 